For applications that run inside an intranet, a self-signed web certificate is not enough, since it cannot be validated against any CA (Certification Authority). Instead, we need to create our own root CA, install it on each PC, and sign the web certificate with it.
Let’s see how we can achieve this:
Creating the Root CA:
Step 1. Create a root key:
openssl genrsa -des3 -out rootCA.key 4096
Step 2. Create and self-sign a root certificate:
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
Now install the root certificate on each of the devices/servers that you want to give ‘secure’ access to your web application that uses Service Workers:
On Windows, use the certlm.msc tool and install the certificate in the Trusted Root Certification Authorities store.
Server-side configuration:
Step 1. Create a key for your web certificate:
openssl genrsa -out abc.com.key 2048
Step 2. Create the signing request (.csr):
openssl req -new -key abc.com.key -out abc.com.csr
Step 3. Create the certificate using the signing request and the root CA key.
It is very important that the certificate contains the “alt_names” (the subjectAltName entries); otherwise newer browsers still treat it as invalid. To add them, use a configuration file abc.com.ext containing:
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = abc.com
Step 4. Generate the certificate with:
openssl x509 -req -in abc.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out abc.com.crt -days 300 -sha256 -extfile abc.com.ext
Install the web certificate, together with the key used to generate it, on the web server.
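Before installing, it is worth checking that the certificate really chains to the root CA and carries the expected name in subjectAltName. The script below is an added example, not part of the original procedure: check_cert and make_demo are hypothetical helper names, and the demo builds a throwaway CA in a temporary directory using the commands above made non-interactive (no -des3, -subj instead of prompts, a 2048-bit root key).

```shell
#!/bin/sh
# Added example (not from the original page): verify a certificate issued by
# the private root CA before installing it on the web server.

# check_cert ROOT_CRT WEB_CRT HOST: 0 = OK, 1 = chain failure, 2 = SAN missing.
check_cert() {
    root_crt=$1; web_crt=$2; host=$3
    # Chain check: the web certificate must verify against the root CA alone.
    openssl verify -CAfile "$root_crt" "$web_crt" >/dev/null 2>&1 || {
        echo "FAIL: $web_crt does not chain to $root_crt"; return 1; }
    # SAN check: list the subjectAltName entries one per line, then require an
    # exact DNS:<host> match (a matching CN alone is not enough for browsers).
    openssl x509 -in "$web_crt" -noout -text |
        grep -A1 'Subject Alternative Name' | tr ',' '\n' |
        sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$host" || {
        echo "FAIL: $web_crt has no subjectAltName entry DNS:$host"; return 2; }
    echo "OK: $web_crt chains to $root_crt and is valid for $host"
}

# make_demo: constructed sample data. Builds a throwaway CA in a temp directory
# (and cd's into it) with the page's commands, made non-interactive: no -des3,
# -subj instead of prompts, and a 2048-bit root key to keep the run short.
make_demo() {
    d=$(mktemp -d) && cd "$d" || return 1
    openssl genrsa -out rootCA.key 2048 2>/dev/null
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 \
        -subj "/CN=Demo Root CA" -out rootCA.crt
    openssl genrsa -out abc.com.key 2048 2>/dev/null
    openssl req -new -key abc.com.key -subj "/CN=abc.com" -out abc.com.csr
    printf '%s\n' \
        'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
        'subjectAltName = @alt_names' '[alt_names]' 'DNS.1 = abc.com' > abc.com.ext
    openssl x509 -req -in abc.com.csr -CA rootCA.crt -CAkey rootCA.key \
        -CAcreateserial -out abc.com.crt -days 300 -sha256 \
        -extfile abc.com.ext 2>/dev/null
    # Same request signed without -extfile: it chains, but carries no SAN.
    openssl x509 -req -in abc.com.csr -CA rootCA.crt -CAkey rootCA.key \
        -CAcreateserial -out nosan.crt -days 300 -sha256 2>/dev/null
}

make_demo
check_cert rootCA.crt abc.com.crt abc.com
check_cert rootCA.crt nosan.crt abc.com || echo "(expected: signed without -extfile)"
```

To check real files, call check_cert with the paths to rootCA.crt and abc.com.crt and the host name that clients will use.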