Create SSL/TLS Certificate Authority and host Certificates for your local network.
Derived from Create Your Own SSL Certificate Authority for Local HTTPS Development archived
In this example, the local network's DNS suffix is .car.
Commands
LLN="car"
CA="${LLN}-CA"
openssl genrsa -des3 -out "${CA}.key" 2048
openssl req -x509 -new -nodes -key "${CA}.key" -sha256 -days 1825 -out "${CA}.pem"
Looks like
$ openssl genrsa -des3 -out car-CA.key 2048
Enter pass phrase for car-CA.key:
$ openssl req -x509 -new -nodes -key car-CA.key -sha256 -days 1825 -out car-CA.pem
Enter pass phrase for car-CA.key:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:My State
Locality Name (eg, city) []:My City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:car netwerk
Organizational Unit Name (eg, section) []:head honcho
Common Name (e.g. server FQDN or YOUR name) []:server1.car
Email Address []:[email protected]
Record the CA key passphrase somewhere secure; it is required every time a host certificate is signed, and losing it means re-creating the CA and re-importing it on every client. The Common Name prompted for above is only a label for the CA: a descriptive value such as "car local CA" is easier to recognise in a client's trust store than a host name like server1.car. (-des3 is accepted by every OpenSSL version, but -aes256 is the stronger choice for a new CA key.)
Should now have two new files
- car-CA.key (the CA private key, passphrase-protected; never copied to clients)
- car-CA.pem (the CA certificate; this is what clients import)
car-CA.srl, the serial-number file, is not created at this step; it appears the first time a certificate is signed with -CAcreateserial.
In this example, create a certificate for host1.car on the car network, signed by car-CA.
Commands
LLN="car"; CA="${LLN}-CA"; H="host1"; HN="${H}.${LLN}"
openssl genrsa -out "${HN}.key" 2048
openssl req -new -key "${HN}.key" -out "${HN}.csr"
# create "${HN}.ext" with the extension settings shown below
openssl x509 -req -in "${HN}.csr" -CA "${CA}.pem" -CAkey "${CA}.key" -CAcreateserial -out "${HN}.crt" -days 1825 -sha256 -extfile "${HN}.ext"
Looks like
$ openssl genrsa -out host1.car.key 2048
Generating RSA private key, 2048 bit long modulus
$ openssl req -new -key host1.car.key -out host1.car.csr
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:My State
Locality Name (eg, city) []:My City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:car netwerk
Organizational Unit Name (eg, section) []:Some Service
Common Name (e.g. server FQDN or YOUR name) []:host1.car
Email Address []:[email protected]
A challenge password []:pa55w0rd
An optional company name []:
Manually create a .ext file so that several DNS names can be associated with the host via the [alt_names] section. This lets certificate checks succeed for both the bare name host1 and the FQDN host1.car (a single-label name is only usable because this is a private CA; a public CA will not issue for it). Modern browsers ignore the Common Name and match the requested host name only against subjectAltName, so the .ext file is required, not optional. The challenge password prompted for above is an optional CSR attribute that nothing in this procedure uses; it can be left blank.
$ cat > host1.car.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# serverAuth EKU: Apple clients (iOS 13+, macOS 10.15+) reject TLS server certificates without it
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = host1
DNS.2 = host1.car
EOF
Create the signed certificate for host1. This prompts for the CA key passphrase. Note that 1825 days exceeds the 825-day maximum that Apple clients (Safari, iOS 13+, macOS 10.15+) accept for a TLS server certificate; if those devices need to trust host1, use -days 825 or less.
$ openssl x509 -req \
                 -in host1.car.csr \
                 -CA car-CA.pem \
                 -CAkey car-CA.key \
                 -CAcreateserial \
                 -out host1.car.crt \
                 -days 1825 \
                 -sha256 \
                 -extfile host1.car.ext
Signature ok
subject=C = US, ST = My State, L = My City, O = car netwerk, OU = Some Service, CN = host1.car, emailAddress = "[email protected]"
Getting CA Private Key
Enter pass phrase for car-CA.key:
Should now have five new files:
- host1.car.crt (the signed certificate, installed on the host)
- host1.car.csr
- host1.car.ext
- host1.car.key (the host private key, installed on the host; it is not encrypted, so chmod 600 it and never copy it elsewhere)
- car-CA.srl (serial-number file written by -CAcreateserial; keep it next to car-CA.pem, since later signings read and increment it so every certificate gets a distinct serial)
Only the .crt and .key files are used by TLS services. The .csr and .ext are not needed at run time, but keeping the .ext makes reissuing the certificate with the same names trivial.
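The whole procedure above as one non-interactive script, added here as a worked example (it is not the original page's command set): the prompts are replaced by inline config files, the CA passphrase comes from a CA_PASS variable (a name chosen for this script, with a throwaway default), the CA gets a descriptive CN, the leaf gets the serverAuth EKU and an 825-day lifetime, and the result is checked with openssl verify, including the host-name match a browser performs. It assumes openssl 1.1.1 or later (or LibreSSL) on PATH and writes into a scratch directory.

```shell
#!/bin/sh
# Added example (not the page's own commands): the CA + host-certificate
# procedure, non-interactive, with a verification step.
# Assumed: openssl 1.1.1+/3.x or LibreSSL on PATH. CA_PASS is a variable name
# chosen here (demo default below); set it to a real passphrase in practice.
set -eu

LLN="${LLN:-car}"                          # local network suffix, as on the page
CA="${LLN}-CA"
CA_PASS="${CA_PASS:-demo-only-passphrase}"

# Root CA: AES-256-encrypted key (stronger than -des3) and a self-signed cert.
# The inline config replaces the interactive prompts and the system openssl.cnf.
make_ca() {
    dir="$1"
    cat > "$dir/$CA.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
C = US
O = $LLN network
CN = $LLN local CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/$CA.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/$CA.key" -passin "pass:$CA_PASS" \
        -config "$dir/$CA.cnf" -extensions v3_ca -sha256 -days 1825 \
        -out "$dir/$CA.pem"
}

# Leaf for HOST.$LLN: unencrypted key (services load it unattended), a CSR, and
# a config whose v3_host section carries the SANs, CA:FALSE and serverAuth EKU.
make_host_cert() {
    dir="$1"; host="$2"; hn="$host.$LLN"
    cat > "$dir/$hn.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
C = US
O = $LLN network
CN = $hn
[ v3_host ]
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $host
DNS.2 = $hn
EOF
    openssl genrsa -out "$dir/$hn.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$hn.key" -config "$dir/$hn.cnf" -out "$dir/$hn.csr"
    # 825 days is the longest leaf lifetime Apple clients accept; -CAcreateserial
    # writes $CA.srl next to the CA cert on first use and increments it afterwards.
    openssl x509 -req -in "$dir/$hn.csr" -CA "$dir/$CA.pem" -CAkey "$dir/$CA.key" \
        -passin "pass:$CA_PASS" -CAcreateserial -days 825 -sha256 \
        -extfile "$dir/$hn.cnf" -extensions v3_host -out "$dir/$hn.crt"
}

# Does HOST's cert chain to our CA and cover NAME (default: the FQDN)?
# The exit status is the answer, so callers can use it as a check.
verify_host_cert() {
    dir="$1"; host="$2"; name="${3:-$host.$LLN}"
    openssl verify -CAfile "$dir/$CA.pem" -verify_hostname "$name" "$dir/$host.$LLN.crt"
}

# Print the leaf's subjectAltName entries, e.g. "DNS:host1, DNS:host1.car".
host_san() {
    openssl x509 -in "$1/$2.$LLN.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Stand-alone run: build everything in a scratch directory and check it.
WORK="$(mktemp -d)"
make_ca "$WORK"
make_host_cert "$WORK" host1
verify_host_cert "$WORK" host1       # prints ".../host1.car.crt: OK"
host_san "$WORK" host1               # prints "DNS:host1, DNS:host1.car"
ls "$WORK"
```

Run it with sh; the last lines print the verify result, the SAN line and the generated files (including car-CA.srl). Call verify_host_cert with a third argument naming a host the certificate does not cover to see the same failure a browser would report.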
Derived from How to manage Trusted Root Certificates in Windows 10 archived.
- Run Manage User Certificates
- Navigate to Certificates → Trusted Root Certification Authorities → Certificates
- Import car-CA.pem. The Import Wizard has no *.pem selector; choose the *.* (All Files) selector and then select car-CA.pem.
From the linked article, I skipped changing the Local Computer Policy (per the Group Policy Snap-in).
Test with the Edge web browser. Edge and Chrome use the Windows trust store; Firefox keeps its own store and only imports Windows roots when security.enterprise_roots.enabled is true in about:config. If the browser still reports a certificate error, check that the host name in the address bar matches one of the DNS.* names in the .ext file.