Creating a root certificate can be done in OSX, in the terminal. For this purpose you can use a tool called openssl. It was already on my machine, I probably needed it in the past for something, but YMMV.
You can find a binary here: https://slproweb.com/products/Win32OpenSSL.html
I have installed the program in C:/Program Files/OpenSSL folder.
This folder will contain a bin folder where the openssl.exe can be found. Run this executable as a Administrator. The following prompt will be shown:
If you already have a CSR and private and need to generate a self-signed certificate, use the following command: openssl x509 -signkey domain.key -in domain.csr -req -days 365 -out domain.crt The – days parameter is set to 365, meaning that the certificate is valid for the next 365 days. To generate a self-signed certificate file on a Windows system: You will need to have OpenSSL installed. Open a command prompt window and go to the directory you created earlier for the public/private key file.
OpenSSL >
Creating an X.509 v3 certificate
Okay, now that I finally know what I need, it is time to get to work. While reading tutorials on how to generate my self signed SSL certificate it soon became clear creating just an SSL certificate won't do. It has to do with the SSL certificate chain. Basically it needs to be issued by a party the browser knows it can trust so it knows it can trust your SSL certificate.
Creating a root certificate can be done in OSX, in the terminal. For this purpose you can use a tool called openssl. It was already on my machine, I probably needed it in the past for something, but YMMV.
Creating the root certificate
It takes two terminal commands to generate a root certificate. The first command is to create a private key. This can be accomplished by running the following command:
This creates a key, 2048 bits long, The -des3 parameter specifies to use the Tripple DES algorithm to encrypt the key and will require you to enter a password in order for the key file to be created. Be sure to remember the password you enter or you will have to generate a new key.
Now to generate the root certificate:
I won't pretend to know exactly what all the parameters do, but in short I figure it does the following:
- -new: create a new request
- -nodes: don't encrypt the output key
- -x509: specifies the kind of certificate to make
- -key: the file with the private key to use
- -sha256: this is the hashing algorithm. When you omit this it will default to the SHA1 algorithm which will result in the browser generating a warning
- -days: the number of days the certificate should be valid for. Use as high a number as you feel comfortable with for your development environment
- -out: the name of the file to write the certificate to
When you run the command you will be asked to provide some information. This will be included in the certificate and is public information. I used to the following to create the certificate:
Now that a private key and certificate signing request have been created it is possible to issue the certificate with the previously generated root certificate.
Preparing the certificate for IIS
Create Self Signed Certificate With Openssl Windows
This is the part I understand the least but it seems IIS needs the SSL certificate along with the private key in order to be able to use the certificate. Right now I've created a server.key and a server.crt file and these need to be combined into a single file. This can be accomplished with the following terminal command:
When the command is executed it will ask for an export password, this will be needed again when importing the resulting server.pfx into the windows certificate store.
With this command executed all the keys and certificates to get a fully functioning SSL certificate are generated. All that is left to do is importing the certificates and configuring IIS.
Configuring the Windows certificate store
In order to be able to use the certificate for the website, the certificates need to be imported into the Windows certificate store. My virtual machine runs Windows 10, it may work a little different on other versions.
When you open the start menu in Windows 10 and you type 'certificates', Windows comes up with two relevant suggestions: 'Manage computer certificates' and 'Manage user certificates'. Both will be needed to install the SSL certificate.
Computer certificates
The window for managing the computer certificates looks something like this:
When the context menu for Personal is accessed there is an option Import… under All Tasks. Selecting this item will start a wizard to select and import a certificate. In this certificate store both the rootCA.pem and server.pfx certificate need to be imported. By importing server.pfx the SSL certificate becomes selectable in IIS, importing rootCA.pem will stop IIS from generating warnings the certificate chain is not complete.
With both certificates installed they will be listed in the application. More importantly, it is now possible to select them in IIS when creating an HTTPS binding and not get any warning messages from IIS.
When there is an HTTPS binding and you would try to visit https://acme-site.dev using Chrome in Windows, you would still see an warning page instead of the website itself. This is because Windows still needs to be told it can trust certificates signed with the self created root certificate.
Personal certificates
In order to inform Windows it can trust certificates issued with the self created root certificate, the root certificate should be imported under personal certificates. This application looks the same as the one for managing the computer certificates. The big difference is the location where the root certificate should be imported into: Trusted Root Certification Authorities.
Importing the rootCA.pem certificate in this location will be met with a warning message. It informs that accepting an CA certificate from an unknown origin is dangerous and to make sure the certificate is actually legit.
Since the certificate being added to the certificate store is the self signed certificate this dialog can safely be answered with Yes. With the root certificate added to the list of trusted root certification authorities all the steps are done. Opening https://acme-site.dev will no longer display any warnings, instead Chrome will display a nice 'secure' status in the URL bar.
Final Steps
On Windows the site is now accessible under HTTPS, the same is not true for OSX. This is because OSX doesn't yet know it can trust certificates signed with the self created root certificate. To accomplish this takes an action very similar to getting Windows to accept the certificate, the root certificate needs to be added to the keychain.
Create Self Signed Certificate Openssl
To add the root certificate to the keychain open Keychain Access in OSX and drop the rootCA.pem in it from Finder. Combine dataframe in r. This will add the certificate to the store but is not yet enough to trust the SSL certificate. In order to trust the SSL certificate it is needed to tell OSX the root certificate is trusted for performing X.509 Basic Policy tasks. This dialog can be accessed by double clicking on the certificate in Keychain Access.
FireFox
Using the certificate in FireFox is a little different. Download manycam 4.4. FireFox doesn't use the operating system's credentials store but instead has its own managing interface. Google can help to find a document describing how to do this or try opening the site in FireFox and add the certificate through the warning page it will display.
The certificate will have to be added per domain. Just adding the exception for acme-site.dev will not automatically add the exception for acme-static.dev. This will have to be done manually by opening a valid URL for acme-static.devand adding the exception.
Command Recap
The following commands are needed to create a root certificate:
The following commands are needed to create an SSL certificate issued by the self created root certificate:
The referenced v3.ext file should look something like this:
In order to inform Windows it can trust certificates issued with the self created root certificate, the root certificate should be imported under personal certificates. This application looks the same as the one for managing the computer certificates. The big difference is the location where the root certificate should be imported into: Trusted Root Certification Authorities.
Importing the rootCA.pem certificate in this location will be met with a warning message. It informs that accepting an CA certificate from an unknown origin is dangerous and to make sure the certificate is actually legit.
Since the certificate being added to the certificate store is the self signed certificate this dialog can safely be answered with Yes. With the root certificate added to the list of trusted root certification authorities all the steps are done. Opening https://acme-site.dev will no longer display any warnings, instead Chrome will display a nice 'secure' status in the URL bar.
Final Steps
On Windows the site is now accessible under HTTPS, the same is not true for OSX. This is because OSX doesn't yet know it can trust certificates signed with the self created root certificate. To accomplish this takes an action very similar to getting Windows to accept the certificate, the root certificate needs to be added to the keychain.
Create Self Signed Certificate Openssl
To add the root certificate to the keychain open Keychain Access in OSX and drop the rootCA.pem in it from Finder. Combine dataframe in r. This will add the certificate to the store but is not yet enough to trust the SSL certificate. In order to trust the SSL certificate it is needed to tell OSX the root certificate is trusted for performing X.509 Basic Policy tasks. This dialog can be accessed by double clicking on the certificate in Keychain Access.
FireFox
Using the certificate in FireFox is a little different. Download manycam 4.4. FireFox doesn't use the operating system's credentials store but instead has its own managing interface. Google can help to find a document describing how to do this or try opening the site in FireFox and add the certificate through the warning page it will display.
The certificate will have to be added per domain. Just adding the exception for acme-site.dev will not automatically add the exception for acme-static.dev. This will have to be done manually by opening a valid URL for acme-static.devand adding the exception.
Command Recap
The following commands are needed to create a root certificate:
The following commands are needed to create an SSL certificate issued by the self created root certificate:
The referenced v3.ext file should look something like this:
In order to bundle the server certificate and private key into a single file the following command needs to be executed:
Openssl Generate Self Signed Certificate
Peace!
Generate Self Signed Cert Openssl
Source: http://blog.developers.ba/asp-net-identity-2-1-for-mysql/
