Generating a private CA certificate
generate the private key for the CA (must stay private!!)
openssl genpkey -algorithm RSA -aes128 -out myRootCA.key -outform PEM -pkeyopt rsa_keygen_bits:4096
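generate certificate signing request (csr) for the CA
openssl req -new -days 3650 -key myRootCA.key -subj "/C=DE/ST=Berlin/O=Homeserver/CN=homeserver" -out myRootCA.pem
self-sign the CA certificate, applying the extensions from AndroidCA.conf
openssl x509 -req -days 3650 -in myRootCA.pem -signkey myRootCA.key -extfile ./AndroidCA.conf -out myRootCA.crt
convert the CA certificate to DER for use with Android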
openssl x509 -inform PEM -outform DER -in myRootCA.crt -out myRootCA.der.crt
Generating SSL certificates for custom services, signed by the private CA
create the directory that the commands below write into
mkdir -p homeserver.local
generate private ssl key for the specific service (key)
openssl genpkey -algorithm RSA -out homeserver.local/homeserver.key -outform PEM -pkeyopt rsa_keygen_bits:4096
generate certificate signing request (csr)
openssl req -new -key homeserver.local/homeserver.key -subj "/C=DE/ST=Berlin/O=Homeserver Docker Applications/CN=homeserver.local" -out homeserver.local/homeserver.csr
Create a text file homeserver.local/homeserver.ext with the following content; change the domain names and IP address to match your setup.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = homeserver.local
IP.1 = IP-Address
generate the SSL certificate for the specific service using the extension file (*.ext); the CA certificate and key are expected in myRootCA/
openssl x509 -req -in homeserver.local/homeserver.csr -CA myRootCA/myRootCA.crt -CAkey myRootCA/myRootCA.key -CAcreateserial -out homeserver.local/homeserver.crt -days 730 -sha256 -extfile homeserver.local/homeserver.ext
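Added example (not part of the original notes): a shell check that repeats the steps above with throwaway keys in a temp directory and verifies that the issued certificate chains to the CA, is marked CA:FALSE, and carries the expected DNS and IP entries in subjectAltName. The function names, the 2048-bit unencrypted keys, the address 192.0.2.10 and the CA extension file content are assumptions made for the example; the second run shows that an address written under a DNS.n key is not stored as an IP entry.

```shell
#!/bin/sh
# Added example, not from the original notes. Constructed sample values: the
# names, the documentation address 192.0.2.10, unencrypted 2048-bit keys (speed).
# ca.ext stands in for AndroidCA.conf, whose content the page does not show.

# issue_leaf DIR SAN_ENTRY: throwaway CA and leaf in DIR, following the steps above.
issue_leaf() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=@alt_names\n[alt_names]\nDNS.1=homeserver.local\n%s\n' "$2" > "$d/leaf.ext"
    for n in ca leaf; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/$n.key" || return 1
    done
    openssl req -new -key "$d/ca.key" -subj "/O=Homeserver/CN=homeserver" -out "$d/ca.csr" &&
    openssl x509 -req -days 30 -in "$d/ca.csr" -signkey "$d/ca.key" -extfile "$d/ca.ext" -out "$d/ca.crt" &&
    openssl req -new -key "$d/leaf.key" -subj "/O=Homeserver/CN=homeserver.local" -out "$d/leaf.csr" &&
    openssl x509 -req -days 30 -sha256 -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.crt"
}

# check_leaf CA_CRT LEAF_CRT DNS_NAME IP: prints "ok" or the first failed check.
check_leaf() {
    text=$(openssl x509 -in "$2" -noout -text) || { echo "unreadable certificate"; return 1; }
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "chain does not verify against CA"; return 1; }
    printf '%s\n' "$text" | grep -Fq 'CA:FALSE' || { echo "leaf is not marked CA:FALSE"; return 1; }
    printf '%s\n' "$text" | grep -Fq "DNS:$3" || { echo "missing DNS SAN $3"; return 1; }
    printf '%s\n' "$text" | grep -Fq "IP Address:$4" || { echo "missing IP SAN $4"; return 1; }
    echo "ok"
}

# demo SAN_ENTRY: issue a leaf with the given alt_names line and print the check result.
demo() {
    tmp=$(mktemp -d) || return 1
    if issue_leaf "$tmp" "$1" >/dev/null 2>&1; then
        result=$(check_leaf "$tmp/ca.crt" "$tmp/leaf.crt" homeserver.local 192.0.2.10) || true
    else
        result="issuance failed"
    fi
    rm -rf "$tmp"
    echo "$result"
}

demo 'IP.1=192.0.2.10'    # address listed as an IP entry
demo 'DNS.2=192.0.2.10'   # address listed as a DNS entry
```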
references:
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/