Generating private CA certificate

Generate the CA private key (it must stay private!), a signing request for it, and the self-signed root certificate.

openssl genpkey -algorithm RSA -aes128 -out myRootCA.key -outform PEM -pkeyopt rsa_keygen_bits:4096
openssl req -new -days 3650 -key myRootCA.key -subj "/C=DE/ST=Berlin/O=Homeserver/CN=homeserver" -out myRootCA.pem
openssl x509 -req -days 3650 -in myRootCA.pem -signkey myRootCA.key -extfile ./AndroidCA.conf -out myRootCA.crt

For use with Android, convert the root certificate to DER:

openssl x509 -inform PEM -outform DER -in myRootCA.crt -out myRootCA.der.crt

Generating SSL certificates for custom services, signed by the private CA certificate

mkdir homeserver.local

Generate the private SSL key for the specific service (key)

openssl genpkey -algorithm RSA -out homeserver.local/homeserver.key -outform PEM -pkeyopt rsa_keygen_bits:4096

Generate the certificate signing request (csr)

openssl req -new -key homeserver.local/homeserver.key -subj "/C=DE/ST=Berlin/O=Homeserver Docker Applications/CN=homeserver.local" -out homeserver.local/homeserver.csr

Create a text file homeserver.local/homeserver.ext with the following content and change the domain names to match your setup.

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = homeserver.local
IP.1 = IP-Address

Generate the SSL certificate for the specific service using the configuration file (*.ext). The command expects the CA certificate and key in myRootCA/.

openssl x509 -req -in homeserver.local/homeserver.csr -CA myRootCA/myRootCA.crt -CAkey myRootCA/myRootCA.key -CAcreateserial -out homeserver.local/homeserver.crt -days 730 -sha256 -extfile homeserver.local/homeserver.ext
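
To check what was issued, this added example (not part of the original notes) builds a throwaway CA and leaf with the same genpkey / req / x509 -req flow and verifies the chain, the SAN entry types and basicConstraints. It assumes OpenSSL 1.1.1 or newer for the -ext option; check_leaf, make_demo, the demo-* names and 192.168.1.10 are constructed for the illustration.

```sh
# Added example, not from the original page. Every name, path and the address
# 192.168.1.10 are constructed; 2048-bit throwaway keys keep the demo fast.

# check_leaf CA_CERT LEAF_CERT DNS_NAME IP_ADDR
# Prints "ok" and returns 0, or prints the failed check and returns 1.
check_leaf() {
    # Chain, validity period and serverAuth purpose, trusting only the private CA.
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "chain"; return 1; }
    # One SAN entry per line: "DNS:homeserver.local", "IP Address:192.168.1.10".
    san=$(openssl x509 -in "$2" -noout -ext subjectAltName 2>/dev/null |
          tail -n +2 | tr ',' '\n' | sed 's/^ *//')
    printf '%s\n' "$san" | grep -Fxq "DNS:$3" || { echo "dns-san"; return 1; }
    # An address written as DNS.n becomes "DNS:192.168.1.10", which clients do
    # not match when connecting by IP; it must be an "IP Address:" entry.
    printf '%s\n' "$san" | grep -Fxq "IP Address:$4" || { echo "ip-san"; return 1; }
    # The leaf must not be able to issue certificates itself.
    openssl x509 -in "$2" -noout -ext basicConstraints 2>/dev/null |
        grep -q 'CA:FALSE' || { echo "is-ca"; return 1; }
    echo "ok"
}

# make_demo DIR SAN_VALUE: throwaway CA and leaf in DIR, issued with the same
# genpkey / req / x509 -req flow as the commands on this page.
make_demo() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
        'keyUsage=digitalSignature,keyEncipherment' "subjectAltName=$2" > "$d/leaf.ext"
    for n in ca leaf; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/$n.key" 2>/dev/null
        openssl req -new -key "$d/$n.key" -subj "/CN=demo-$n" -out "$d/$n.csr"
    done
    openssl x509 -req -days 1 -in "$d/ca.csr" -signkey "$d/ca.key" \
        -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
    openssl x509 -req -days 1 -sha256 -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

tmp=$(mktemp -d); mkdir "$tmp/ip" "$tmp/dns"
make_demo "$tmp/ip"  'DNS:homeserver.local,IP:192.168.1.10'
make_demo "$tmp/dns" 'DNS:homeserver.local,DNS:192.168.1.10'
echo "address as IP entry:  $(check_leaf "$tmp/ip/ca.crt"  "$tmp/ip/leaf.crt"  homeserver.local 192.168.1.10)"
echo "address as DNS entry: $(check_leaf "$tmp/dns/ca.crt" "$tmp/dns/leaf.crt" homeserver.local 192.168.1.10)"
rm -rf "$tmp"
```

The same check_leaf function can be pointed at the real root certificate and homeserver.local/homeserver.crt, with your own host name and address, before the certificate is installed on a service.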

references:

https://github.com/dani-garcia/bitwarden_rs/wiki/Private-CA-and-self-signed-certs-that-work-with-Chrome

https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/