
Sunday, 18 September 2016

openssl: create a self-signed certificate for a local host entry


From time to time you will need to create a TLS / SSL certificate on your local machine, for instance if you want to use HTTP/2. In most browsers HTTP/2 requires TLS / SSL, so you need a cert for your localhost.

In this tutorial you will learn
  •  to create a secure and an insecure server key needed for a Certificate Request with openssl
  •  to create a Certificate Request from a server key with openssl
  •  to create a self-signed certificate from a Certificate Request with openssl

Prerequisites
  •  openssl

Create server keys

The first step in certificate creation is to create the server keys for a CR (Certificate Request) on your server machine. That means you will create a 2048 bit RSA server.key on your local server machine and request a cert for this server from a CA (Certificate Authority), so that the CA can approve this request with a cert for this server machine's key.

Every cert is tied to only one server key, except when you are using wildcard certificates.

Normally you will use a common CA like Verisign, Comodo or Geotrust. In our case we want to create a self-signed certificate, so we are our own CA.

Clearly, that's only useful if we want to develop locally or internally.

So let's create the server key:
openssl genrsa -des3 -out server.key 2048

Next you will be asked for a passphrase. Type in a secure password with a minimum length of 5 characters, a special character and 1 digit.

That's it. You will now find a file "server.key" in the current directory.

Create a server.key for passwordless use
The server.key you have created will ask for a password every time you use it. To prevent that, we will now create a further server.key which doesn't need a password, derived from the password-encrypted key we created before.

openssl rsa -in server.key -out server.key.insecure

This will save a new key "server.key.insecure".

Let's rename the key
To get rid of the word "insecure" in the server key name, we simply rename them. :)
mv server.key server.key.secure
mv server.key.insecure server.key

Now we have created our passwordless server.key.

Create a CR for your server.key

Now we have to create our Certificate Request (CR) for our server.key. This can also be done with openssl:

openssl req -new -key server.key -out server.csr

Next you will be asked for the server.key passphrase.

In the next prompts you will be asked for details about your company.

We want to create a cert for local development under "https://nodejs.local".

So your FQDN is nodejs.local

Don't forget to add nodejs.local to your local /etc/hosts.

After you have typed in your password, openssl will save a file "server.csr" in your current directory.

Now you can send this CertRequest to your CertAuthority, or you can self-sign the certificate.


Self-sign your certificate

For local development we do not want to spend 100 bucks a year, so let's self-sign the cert. But you will never use that for a stage or live / prod system where your customers log in.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt


Great. Now we have a new certificate for our dev environment.

You can use the generated "server.crt" and "server.key" files in your application to encrypt and decrypt requests.

It is a good idea to store the files in a central folder like /etc/ssl/certs and /etc/ssl/keys.

Finally you have to import this new cert into your browser.

Under Settings->Advanced->Certificates you can import it under "Certificate Authorities".
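The whole procedure above as one non-interactive script, with two checks a practitioner would run before importing the cert (an added example, not the post's own commands). It assumes a POSIX shell and openssl on PATH; the directory, hostname and passphrase are placeholder arguments. It goes beyond the post by adding a subjectAltName for the hostname, because browsers match the hostname against the SAN rather than the CN.

```shell
#!/bin/sh
# Added example: the post's steps as a non-interactive script, plus a SAN
# extension and two sanity checks. Assumes openssl on PATH; passphrase,
# directory and hostname are placeholder arguments chosen by the caller.
set -eu

make_dev_cert() {
  dir=$1; host=$2; pass=$3   # working dir, FQDN, passphrase for the secure key
  mkdir -p "$dir"

  # 1. 2048-bit RSA key, DES3-encrypted with the passphrase (= server.key.secure)
  openssl genrsa -des3 -passout "pass:$pass" -out "$dir/server.key.secure" 2048 2>/dev/null

  # 2. Passphrase-less copy for the server process (= the renamed server.key)
  openssl rsa -in "$dir/server.key.secure" -passin "pass:$pass" \
    -out "$dir/server.key" 2>/dev/null
  chmod 600 "$dir/server.key" "$dir/server.key.secure"   # private keys are secrets

  # 3. Certificate request; -subj replaces the interactive company prompts
  openssl req -new -key "$dir/server.key" -subj "/CN=$host" -out "$dir/server.csr"

  # 4. Self-sign for 365 days. Browsers match the hostname against
  #    subjectAltName, not CN, so the cert carries a SAN for $host.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
  openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
    -extfile "$dir/san.cnf" -out "$dir/server.crt" 2>/dev/null
}

# Check 1: the SAN actually present in the cert, e.g. "DNS:nodejs.local"
cert_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | tail -n 1 | tr -d ' '
}

# Check 2: the private key belongs to the cert (same RSA modulus)
key_matches_cert() {
  k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Run it as `make_dev_cert ./certs nodejs.local 'yourpass'` and then `cert_san ./certs/server.crt` should print `DNS:nodejs.local`.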



Cheers !
