How to create your own root CA to sign self-signed certificates?

For applications that run inside an intranet, a self-signed web certificate is not enough: browsers reject it because it does not chain to any CA (Certification Authority) they trust. To fix this we create our own root CA, install its certificate in the trust store of every client PC, and sign the web server's certificate with it.

Let's see how we can achieve this:

Creating the Root CA:

Step 1. Create a root key:

openssl genrsa -des3 -out rootCA.key 4096

-des3 encrypts the key with a passphrase you are prompted for. Keep rootCA.key offline and out of the web server: anyone who holds it can issue certificates that every client with the root installed will trust.

Step 2. Create and self sign a root certificate:

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

Now install the root certificate (rootCA.crt, never rootCA.key) in the trust store of every device or server that should get 'secure' access to your web application. This matters for Service Workers in particular: browsers only register them in a secure context, so the page must be served over HTTPS with a certificate the browser trusts.

On Windows use the certlm.msc tool (machine-wide) or certmgr.msc (current user only) and import the certificate into Trusted Root Certification Authorities.

Server side configuration:

Step 1. Create a key for your web certificate:

openssl genrsa -out abc.com.key 2048

Step 2. Create the certificate signing request (.csr):

openssl req -new -key abc.com.key -out abc.com.csr

Step 3. Create an extension file for the web certificate.

It is very important that the certificate contains subjectAltName entries (the "alt_names"): Chrome (since version 58) and other modern browsers ignore the Common Name and treat a certificate without a matching SAN as invalid. For this use a configuration file abc.com.ext containing:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = abc.com
DNS.2 = www.abc.com

The [alt_names] section is required: "@alt_names" refers to it, and openssl fails with a variable lookup error if it is missing. List every hostname the browser will use to reach the server.

Step 4. Generate the certificate with:

openssl x509 -req -in abc.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out abc.com.crt -days 300 -sha256 -extfile abc.com.ext

Install the web certificate (abc.com.crt) and the key that was used to generate it (abc.com.key) in the web server. The root key (rootCA.key) never goes on the server; only rootCA.crt is distributed, and only to client trust stores.
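The whole procedure above as one non-interactive script, followed by the two checks a practitioner runs before deploying: that the leaf chains to rootCA.crt and that it carries a SAN for the hostname. This is an added example, not code from the original post. It assumes OpenSSL 1.1.1 or newer is on PATH, takes the CA passphrase from the CA_PASS variable (a demo value is used when unset), uses -aes256 instead of -des3 for the root key, adds an explicit extension config for the root (so the result does not depend on the system openssl.cnf) and an extendedKeyUsage of serverAuth on the leaf, and uses abc.com as the intranet hostname.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: OpenSSL >= 1.1.1,
# passphrase from $CA_PASS (demo default below), hostname given as $2.
set -eu

# Build a root CA and a CA-signed leaf certificate for host $2 inside dir $1.
make_intranet_pki() {
    dir=$1
    host=$2
    pass=${CA_PASS:-change-me-demo-passphrase}   # demo value; assumed, replace in real use

    # Root CA extension config: CA:TRUE + keyCertSign is what makes verifiers
    # accept rootCA.crt as an issuer, whatever the system openssl.cnf says.
    cat > "$dir/rootCA.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Intranet Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Root CA steps 1 and 2: encrypted root key, then a self-signed root cert.
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/rootCA.key" 4096 2>/dev/null
    openssl req -x509 -new -key "$dir/rootCA.key" -passin "pass:$pass" \
        -sha256 -days 1024 -config "$dir/rootCA.cnf" -out "$dir/rootCA.crt"

    # Server side steps 1 and 2: leaf key and CSR (CN set, but browsers use the SAN).
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" -out "$dir/$host.csr"

    # Step 3: extension file, including the [alt_names] section that the
    # @alt_names reference needs. extendedKeyUsage=serverAuth is an addition.
    cat > "$dir/$host.ext" <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $host
DNS.2 = www.$host
EOF
    # Step 4: sign the CSR with the root CA (-CAcreateserial writes rootCA.srl).
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/rootCA.crt" \
        -CAkey "$dir/rootCA.key" -passin "pass:$pass" -CAcreateserial \
        -out "$dir/$host.crt" -days 300 -sha256 -extfile "$dir/$host.ext" 2>/dev/null
}

# Return 0 when the leaf chains to rootCA.crt AND carries a SAN for host $2:
# the two properties a browser with the root installed will check.
verify_leaf() {
    dir=$1
    host=$2
    openssl verify -CAfile "$dir/rootCA.crt" "$dir/$host.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$host.crt" -noout -text | grep -Fq "DNS:$host" || return 1
}

# What a client that has NOT installed rootCA.crt sees: no trusted issuer, so
# the chain cannot be built and verification fails (non-zero return).
verify_leaf_without_root() {
    openssl verify -no-CAfile -no-CApath "$1/$2.crt" >/dev/null 2>&1
}

# Demo run in a scratch directory (constructed; nothing touches a system trust store).
demo_dir=$(mktemp -d)
make_intranet_pki "$demo_dir" abc.com
verify_leaf "$demo_dir" abc.com && echo "abc.com.crt chains to rootCA.crt and has a SAN: $demo_dir"
```

Run it as `CA_PASS='your passphrase' sh make-pki.sh` (file name assumed); the files land in the printed scratch directory, with rootCA.crt being the only artifact to distribute to clients and abc.com.crt plus abc.com.key going to the web server.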

Thanks :)

A DevOps who is passionate about Autom@tion.