self-signed_https_cert_after_chrome_58
Differences
This shows you the differences between two versions of the page.
| — |
self-signed_https_cert_after_chrome_58 [2017/09/27 21:45] (current) |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ==== Satisfy Chromium/Chrome 58+ strict requirements for self-signed HTTPS/SSL cert ==== | ||
| + | |||
| + | **Create CA key and cert** | ||
| + | |||
| + | # openssl genrsa -out server_rootCA.key 2048 | ||
| + | # openssl req -x509 -new -nodes -key server_rootCA.key -sha256 -days 3650 -out server_rootCA.pem | ||
| + | |||
| + | **Create ''server_rootCA.csr.cnf''** | ||
| + | |||
| + | <code> | ||
| + | # server_rootCA.csr.cnf | ||
| + | [req] | ||
| + | default_bits = 2048 | ||
| + | prompt = no | ||
| + | default_md = sha256 | ||
| + | distinguished_name = dn | ||
| + | |||
| + | [dn] | ||
| + | C=DE | ||
| + | ST=Berlin | ||
| + | L=NeuKoelln | ||
| + | O=Weisestrasse | ||
| + | OU=local_RootCA | ||
| + | emailAddress=ikke@server.berlin | ||
| + | CN = server.berlin | ||
| + | </code> | ||
| + | |||
| + | **Create ''v3.ext'' configuration file** | ||
| + | |||
| + | <code> | ||
| + | # v3.ext | ||
| + | authorityKeyIdentifier=keyid,issuer | ||
| + | basicConstraints=CA:FALSE | ||
| + | keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment | ||
| + | subjectAltName = @alt_names | ||
| + | |||
| + | [alt_names] | ||
| + | DNS.1 = server.berlin | ||
| + | </code> | ||
| + | |||
| + | **Create server key** | ||
| + | |||
| + | # openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config <( cat server_rootCA.csr.cnf ) | ||
| + | |||
| + | |||
| + | **Create server cert** | ||
| + | |||
| + | # openssl x509 -req -in server.csr -CA server_rootCA.pem -CAkey server_rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile v3.ext | ||
| + | |||
| + | **Add cert and key to Apache2 site-file, __HTTPS (port 443)__ section** | ||
| + | |||
| + | <code> | ||
| + | SSLCertificateFile /etc/apache2/ssl/server.crt | ||
| + | SSLCertificateKeyFile /etc/apache2/ssl/server.key | ||
| + | </code> | ||
| + | |||
| + | **Copy ''server_rootCA.pem'' from the server to your machine..** | ||
| + | |||
| + | <code> | ||
| + | # scp you@server.berlin:~/server_rootCA.pem . | ||
| + | </code> | ||
| + | |||
| + | ==== Add cert to the browser ==== | ||
| + | |||
| + | <code> | ||
| + | Chromium -> Setting -> (Advanced) Manage Certificates -> Import -> 'server_rootCA.pem' | ||
| + | </code> | ||
| + | |||
| + | \\ | ||
| + | **YOU ARE ALL DONE!** \\ | ||
| + | \\ | ||
| + | |||
| + | {{:public:screenshot_at_2017-08-10_03-03-03.png?direct|}} | ||
| + | |||
| + | ---- | ||
| + | \\ | ||
| + | **P.S.** Instead of creating a functional CA & server cert pair (per the instructions above) you could simply disable HSTS headers in your HTTP server config. \\ | ||
| + | This will prevent Chromium from enforcing HTTPS and will allow users to click "Advanced -> proceed to __your.url__ (unsafe)" without having to obtain and install your custom CA (server_rootCA.pem) certificate. In other words -- having to disable HSTS will allow your site to be publicly viewed over HTTP and/or insecure HTTPS connection (beware!). | ||
| + | |||
| + | **For Apache2 add the following to site-file, __HTTP (port 80)__ section** | ||
| + | |||
| + | Header unset Strict-Transport-Security | ||
| + | Header always set Strict-Transport-Security "max-age=0;includeSubDomains" | ||
self-signed_https_cert_after_chrome_58.txt ยท Last modified: 2017/09/27 21:45 (external edit)
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International
