Notice: If you are looking for a way to use SSL/TLS certificates on public host names, please consider using the Let's Encrypt project instead! It's free, it's automated, and its root is already trusted by common browsers, so you won't have to touch your users' chain of trust. For private names and addresses (e.g. `myhost`, `myhost.mydomain`, `10.0.0.1`, etc.) Let's Encrypt won't help you, so this project could be very useful.
Tired of the really complicated stuff on the internet about how to create and maintain self-managed certificates? Me too! That's why I've created this simple project to:
1. Provide sane defaults (`rsa`/`sha256`/`2048`-bit keys) via a config file (`openssl.conf`)
2. Provide a script (`create_ca_key.sh`) to create your own Certificate Authority to sign certificates
3. Provide a script (`create_csr.sh`) to create keys and certificate signing requests (CSRs) for your apps
4. Provide a script (`sign_csr.sh`) to sign your CSRs
5. Provide a script (`create_crt.sh`) to perform (3) and (4) in one step.
1. Clone this repo.
2. Run `create_ca_key.sh` to create your root CA certificate and private key. The root CA certificate will be stored in the `./CA` folder as `ca.crt`, and the private key will be stored in `./CA/private/ca.key`. You should call this script only once: it overwrites any existing CA key and CA certificate already present in the repo, and every certificate signed with the old key will then no longer chain to the new `ca.crt`.
3. Create and sign as many certificates as you want, using `create_crt.sh <app_name>`. The key, CSR and certificate generated will be stored as `./out/<app_name>.key`, `./out/<app_name>.csr` and `./out/<app_name>.crt`.
4. Ready! You can use your app-specific keys and certificates in your apps. If you want your machine to trust these certificates, add `./CA/ca.crt` to its local store of trusted certificates (on Ubuntu this can be done by copying the file, keeping the `.crt` extension, to `/usr/local/share/ca-certificates/` and running `sudo update-ca-certificates`). Note that this only affects programs that use the system store; Firefox and the Java runtime, for example, keep their own. The nice thing is that what you are really doing is building your own chain of trust, managed by you.
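The whole workflow above, written out as the plain `openssl` commands behind it. This is an added example, not the project's own scripts or its `openssl.conf`: it keeps the `./CA` and `./out` layout and the RSA-2048/SHA-256 defaults from the README, but the subject names, validity periods and the small extension profiles are assumptions. It also adds what you will need when issuing certificates for private names: a subjectAltName on each leaf (Chrome since version 58 and Go since 1.15 ignore the CN), `CA:TRUE` on the root and `CA:FALSE` on leaves, and an `openssl verify` check that passes against your CA and, as it must, fails against an unrelated one.

```shell
#!/bin/sh
# Added example, not the project's scripts: create_ca_key.sh -> create_csr.sh
# -> sign_csr.sh as plain openssl commands.  The ./CA and ./out layout and the
# RSA-2048/SHA-256 defaults follow the README; subject names, validity periods
# and the extension profiles below are assumptions.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
  echo "openssl not found; nothing to do" >&2
  exit 0
fi

# Minimal stand-in for the project's openssl.conf: an empty DN section lets
# `openssl req -config` accept -subj; v3_ca marks the root as a CA.
write_ca_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# create_ca_key.sh equivalent.  $1 = PKI directory.  Run once: it overwrites,
# and certificates signed by the old key stop chaining to the new ca.crt.
create_ca() {
  mkdir -p "$1/CA/private" "$1/out"
  chmod 700 "$1/CA/private"
  write_ca_config "$1/openssl.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/openssl.cnf" \
    -subj "/CN=Private Root CA" \
    -keyout "$1/CA/private/ca.key" -out "$1/CA/ca.csr"
  openssl x509 -req -in "$1/CA/ca.csr" -signkey "$1/CA/private/ca.key" \
    -days 3650 -sha256 -extfile "$1/openssl.cnf" -extensions v3_ca \
    -out "$1/CA/ca.crt"
  chmod 600 "$1/CA/private/ca.key"
}

# create_crt.sh equivalent: key + CSR (create_csr.sh), then signing by the CA
# (sign_csr.sh).  $1 = PKI directory, $2 = app name, $3 = subjectAltName list
# such as "DNS:myhost,IP:10.0.0.1".  Modern clients match the SAN, not the CN.
issue_cert() {
  cat > "$1/out/$2.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = $3
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/openssl.cnf" \
    -subj "/CN=$2" -keyout "$1/out/$2.key" -out "$1/out/$2.csr"
  # 825 days is the longest lifetime Apple platforms accept for TLS servers.
  openssl x509 -req -in "$1/out/$2.csr" \
    -CA "$1/CA/ca.crt" -CAkey "$1/CA/private/ca.key" -CAcreateserial \
    -days 825 -sha256 -extfile "$1/out/$2.ext" -out "$1/out/$2.crt"
  chmod 600 "$1/out/$2.key"
}

# Exit 0 only if leaf $2 chains to CA certificate $1 and is usable as a TLS
# server certificate, which is what a client trusting ca.crt will check.
verify_cert() {
  openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 if the text form of certificate $1 contains $2, e.g. "DNS:myhost"
# or "CA:FALSE".  Used to confirm the extensions actually landed.
cert_mentions() {
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# Demonstration in scratch directories (constructed input, nothing touches the
# repository): one CA, one leaf for a private host, and a check that a second,
# unrelated CA does not validate that leaf.
demo() {
  pki=$(mktemp -d); other=$(mktemp -d)
  create_ca "$pki"
  issue_cert "$pki" myhost "DNS:myhost,DNS:myhost.mydomain,IP:10.0.0.1"
  create_ca "$other"
  if verify_cert "$pki/CA/ca.crt" "$pki/out/myhost.crt"; then
    echo "myhost.crt chains to $pki/CA/ca.crt"
  else
    echo "myhost.crt does not verify" >&2; exit 1
  fi
  if verify_cert "$other/CA/ca.crt" "$pki/out/myhost.crt"; then
    echo "unrelated CA accepted myhost.crt" >&2; exit 1
  fi
  echo "unrelated CA rejects myhost.crt, as expected"
  rm -rf "$pki" "$other"
}
demo
```

Run it with `sh pki_demo.sh` (the file name is arbitrary). Point `create_ca` at your clone of the repo instead of a temporary directory and the files land where the project's scripts put them; the `CA/ca.crt` it produces is what step 4 copies into the system trust store.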
Warning: Adding `ca.crt` to your list of trusted CAs means that your PC will trust any certificate signed by `./CA/private/ca.key`. Anyone who obtains that key can therefore impersonate any website to every PC that trusts this certificate, so keep the key private (ideally offline) and readable only by the user who does the signing.
The `openssl.conf` file manages various defaults for certificate creation. I tried not to include insane parameters, but you should really look through them to check that they match your definition of sanity.
It is also possible to uncomment the defaults (under the `req_distinguished_name` section) if you want to save some keystrokes by pre-filling some boring certificate fields.