self-signed_https_cert_after_chrome_58
Differences
This shows you the differences between two versions of the page.
| — | self-signed_https_cert_after_chrome_58 [2017/09/27 19:45] (current) – created - external edit 127.0.0.1 | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ==== Satisfy Chromium/ | ||
| + | |||
| + | **Create CA key and cert** | ||
| + | |||
| + | # openssl genrsa -out server_rootCA.key 2048 | ||
| + | # openssl req -x509 -new -nodes -key server_rootCA.key -sha256 -days 3650 -out server_rootCA.pem | ||
| + | |||
| + | **Create '' | ||
| + | |||
| + | < | ||
| + | # server_rootCA.csr.cnf | ||
| + | [req] | ||
| + | default_bits = 2048 | ||
| + | prompt = no | ||
| + | default_md = sha256 | ||
| + | distinguished_name = dn | ||
| + | |||
| + | [dn] | ||
| + | C=DE | ||
| + | ST=Berlin | ||
| + | L=NeuKoelln | ||
| + | O=Weisestrasse | ||
| + | OU=local_RootCA | ||
| + | emailAddress=ikke@server.berlin | ||
| + | CN = server.berlin | ||
| + | </ | ||
| + | |||
| + | **Create '' | ||
| + | |||
| + | < | ||
| + | # v3.ext | ||
| + | authorityKeyIdentifier=keyid, | ||
| + | basicConstraints=CA: | ||
| + | keyUsage = digitalSignature, | ||
| + | subjectAltName = @alt_names | ||
| + | |||
| + | [alt_names] | ||
| + | DNS.1 = server.berlin | ||
| + | </ | ||
| + | |||
| + | **Create server key** | ||
| + | |||
| + | # openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config <( cat server_rootCA.csr.cnf ) | ||
| + | |||
| + | |||
| + | **Create server cert** | ||
| + | |||
| + | # openssl x509 -req -in server.csr -CA server_rootCA.pem -CAkey server_rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile v3.ext | ||
| + | |||
| + | **Add cert and key to Apache2 site-file, __HTTPS (port 443)__ section** | ||
| + | |||
| + | < | ||
| + | SSLCertificateFile | ||
| + | SSLCertificateKeyFile | ||
| + | </ | ||
| + | |||
| + | **Copy '' | ||
| + | |||
| + | < | ||
| + | # scp you@server.berlin: | ||
| + | </ | ||
| + | |||
| + | ==== Add cert to the browser ==== | ||
| + | |||
| + | < | ||
| + | Chromium -> Setting -> (Advanced) Manage Certificates -> Import -> ' | ||
| + | </ | ||
| + | |||
| + | \\ | ||
| + | **YOU ARE ALL DONE!** \\ | ||
| + | \\ | ||
| + | |||
| + | {{: | ||
| + | |||
| + | ---- | ||
| + | \\ | ||
| + | **P.S.** Instead of creating a functional CA & server cert pair (per the instructions above) you could simply disable HSTS headers in your HTTP server config. \\ | ||
| + | This will prevent Chromium from enforcing HTTPS and will allow users to click " | ||
| + | |||
| + | **For Apache2 add the following to site-file, __HTTP (port 80)__ section** | ||
| + | |||
| + | Header unset Strict-Transport-Security | ||
| + | Header always set Strict-Transport-Security " | ||
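Review bot: The P.S. at the end puts the two `Header ... Strict-Transport-Security` directives in the "HTTP (port 80)" section, but browsers ignore a Strict-Transport-Security header received over plain HTTP (RFC 6797, section 8.1), so a policy Chromium has already stored for the host is not changed from there. The directives belong in the HTTPS (port 443) section, and even there the header is only honoured on a connection without certificate errors, which is the condition this workaround is meant to avoid. The P.S. should also say what is given up: without HSTS, users can click through certificate warnings and the browser no longer forces HTTPS, so the CA and server certificate procedure above is the safer default. A smaller point on the first step: `openssl genrsa -out server_rootCA.key 2048` writes the CA key unencrypted; adding a passphrase (for example `-aes256`) or at least restricting the file's permissions is worth a line, since anyone holding that key can sign certificates that chain to this CA.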
self-signed_https_cert_after_chrome_58.txt · Last modified: by 127.0.0.1
