# SSL/TLS Network Certificate Authority and Host Certificate creation instructions

Create SSL/TLS Certificate Authority and host Certificates for your local network.

----

- [Network Certificate Authority and Host Certificate creation instructions](#network-certificate-authority-and-host-certificate-creation-instructions)
  - [Certificates](#certificates)
    - [Create the local network Certificate Authority](#create-the-local-network-certificate-authority)
    - [Create public and private keys for each LAN host](#create-public-and-private-keys-for-each-lan-host)
  - [Update clients](#update-clients)
    - [Update Certificate Authority list on Windows hosts](#update-certificate-authority-list-on-windows-hosts)

----

Derived from _[Create Your Own SSL Certificate Authority for Local HTTPS Development](https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/)_ [archived](https://archive.vn/wip/cpUF9)

## Certificates

### Create the local network Certificate Authority

In this example, the local network suffix is `.car`.

Commands

```sh
LLN="car"
CA="${LLN}-CA"
openssl genrsa -des3 -out "${CA}.key" 2048
openssl req -x509 -new -nodes -key "${CA}.key" -sha256 -days 1825 -out "${CA}.pem"
```
Looks like

```console
$ openssl genrsa -des3 -out car-CA.key 2048
Enter pass phrase for car-CA.key:
$ openssl req -x509 -new -nodes -key car-CA.key -sha256 -days 1825 -out car-CA.pem
Enter pass phrase for car-CA.key:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:My State
Locality Name (eg, city) []:My City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:car netwerk
Organizational Unit Name (eg, section) []:head honcho
Common Name (e.g. server FQDN or YOUR name) []:server1.car
Email Address []:me+car@email.com
```

Record the CA key passphrase somewhere secure; it is needed every time a host certificate is signed.
Should now have three new files

- `car-CA.key`
- `car-CA.pem`
- `car-CA.srl`

### Create public and private keys for each LAN host

In this example, create a certificate for `host1.car` of the `car` network using `car-CA`.

Commands

```sh
LLN="car"; CA="${LLN}-CA"; H="host1"; HN="${H}.${LLN}"
openssl genrsa -out "${HN}.key" 2048
openssl req -new -key "${HN}.key" -out "${HN}.csr"
edit "${HN}.ext"   # write the extensions file by hand; its contents are shown below
openssl x509 -req -in "${HN}.csr" -CA "${CA}.pem" -CAkey "${CA}.key" -CAcreateserial -out "${HN}.crt" -days 1825 -sha256 -extfile "${HN}.ext"
```
Looks like

```console
$ openssl genrsa -out host1.car.key 2048
Generating RSA private key, 2048 bit long modulus
$ openssl req -new -key host1.car.key -out host1.car.csr
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:My State
Locality Name (eg, city) []:My City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:car netwerk
Organizational Unit Name (eg, section) []:Some Service
Common Name (e.g. server FQDN or YOUR name) []:host1.car
Email Address []:me+host1@email.com
A challenge password []:pa55w0rd
An optional company name []:
```

Manually create a `.ext` file to allow multiple DNS names to be associated with the host via the `[alt_names]` section.
This will allow certificate checks for the bare name `host1` and the FQDN `host1.car`. A quoted heredoc writes the file exactly as shown, with no shell escaping to get wrong:

```sh
cat > host1.car.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = host1
DNS.2 = host1.car
EOF
```
Create the `host1` signed certificate. This will require the Certificate Authority passphrase to be entered.

```console
$ openssl x509 -req \
    -in host1.car.csr \
    -CA car-CA.pem \
    -CAkey car-CA.key \
    -CAcreateserial \
    -out host1.car.crt \
    -days 1825 \
    -sha256 \
    -extfile host1.car.ext
Signature ok
subject=C = US, ST = My State, L = My City, O = car network, OU = Some Org, CN = host1.car, emailAddress = "me+host1@email.com"
Getting CA Private Key
Enter pass phrase for car-CA.key:
```
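The whole procedure above (CA key and certificate, host key and CSR, extension file, signing) as one non-interactive script, followed by the checks worth running on the result before the `.crt`/`.key` pair is handed to a service. This is an added example, not the page's own commands nor the linked article's: it assumes `openssl` 1.1.1 or later on `PATH`, substitutes `-subj` for the interactive prompts, and leaves the CA key unencrypted only so that it runs without a terminal (the page's `-des3` passphrase is the right choice for a real CA). The names `car`, `car-CA` and `host1.car` come from the page; `mk_lan_pki`, `lan_pki_demo`, the `check_*` functions and the `other-CA` throwaway issuer are names chosen for this example.

```shell
#!/bin/sh
# Added example (not the page's commands): the CA + host certificate procedure
# run non-interactively, then the checks worth running before deploying the
# .crt/.key pair. Assumes openssl 1.1.1+ on PATH and the page's names (car,
# car-CA, host1.car); the function names are chosen for this example.
set -eu

LLN="car"; CA="${LLN}-CA"; H="host1"; HN="${H}.${LLN}"

# Build car-CA and a signed certificate for host1.car inside directory $1.
mk_lan_pki() {
    d="$1"
    mkdir -p "$d"
    # The page protects the CA key with -des3 (passphrase prompt); it is left
    # unencrypted here only so that the example runs without a terminal.
    openssl genrsa -out "$d/${CA}.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$d/${CA}.key" -sha256 -days 1825 \
        -subj "/C=US/ST=My State/L=My City/O=car network/CN=${CA}" \
        -out "$d/${CA}.pem"

    openssl genrsa -out "$d/${HN}.key" 2048 2>/dev/null
    openssl req -new -key "$d/${HN}.key" \
        -subj "/C=US/ST=My State/L=My City/O=car network/CN=${HN}" \
        -out "$d/${HN}.csr"

    # Extension file via heredoc (no echo/backslash quoting to get wrong).
    # CA:FALSE means a leaked host key cannot be used to sign further certs;
    # extendedKeyUsage=serverAuth is what browsers expect on a server cert.
    cat > "$d/${HN}.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = ${H}
DNS.2 = ${HN}
EOF

    openssl x509 -req -in "$d/${HN}.csr" -CA "$d/${CA}.pem" -CAkey "$d/${CA}.key" \
        -CAcreateserial -out "$d/${HN}.crt" -days 1825 -sha256 \
        -extfile "$d/${HN}.ext" 2>/dev/null
}

# Check 1: the host certificate chains to car-CA.
check_chain() {
    openssl verify -CAfile "$1/${CA}.pem" "$1/${HN}.crt" >/dev/null 2>&1
}

# Check 2: an unrelated CA does not validate it, i.e. trusting car-CA on a
# client does not mean trusting every self-signed issuer.
check_rejects_other_ca() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$1/other-CA.key" \
        -subj "/CN=other-CA" -days 1 -out "$1/other-CA.pem" 2>/dev/null
    ! openssl verify -CAfile "$1/other-CA.pem" "$1/${HN}.crt" >/dev/null 2>&1
}

# Check 3: the SAN carries both the bare name and the FQDN, and CA:FALSE stuck.
check_extensions() {
    txt=$(openssl x509 -in "$1/${HN}.crt" -noout -text)
    case "$txt" in
        *"DNS:${H}, DNS:${HN}"*) ;;
        *) return 1 ;;
    esac
    echo "$txt" | grep -q 'CA:FALSE'
}

# Check 4: the private key that will be deployed matches the certificate.
check_key_matches() {
    [ "$(openssl x509 -in "$1/${HN}.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/${HN}.key" -pubout)" ]
}

# Run everything in directory $1 (a fresh temp dir if omitted);
# exit status 0 means every check passed.
lan_pki_demo() {
    d="${1:-$(mktemp -d)}"
    mk_lan_pki "$d" && check_chain "$d" && check_rejects_other_ca "$d" \
        && check_extensions "$d" && check_key_matches "$d"
}
```

Run it as `lan_pki_demo /some/dir` after sourcing the file. The `car-CA.srl` serial file is written by `-CAcreateserial` during the first signing, so it appears alongside the host files rather than with the CA files. The negative check is the one most often skipped: a certificate that verifies against `car-CA` but also against some other issuer, or one whose key does not match, would only be noticed once a client refuses the connection.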
Should now have four new files:

- `host1.car.crt`
- `host1.car.csr`
- `host1.car.ext`
- `host1.car.key`

Only the `.crt` and `.key` files will be used by TLS-based services. The `.csr` and `.ext` are not needed afterwards.

----

## Update clients

### Update Certificate Authority list on Windows hosts

Derived from _[How to manage Trusted Root Certificates in Windows 10](http://www.thewindowsclub.com/manage-trusted-root-certificates-windows)_ [archived](http://archive.fo/Crh3B).

Only the CA certificate `car-CA.pem` is distributed to clients; `car-CA.key` stays with whoever signs host certificates.

1. Run _Manage User Certificates_
2. Navigate to _Certificates_ → _Trusted Root Certification Authorities_ → _Certificates_
3. Import `car-CA.pem`

The _Import Wizard_ does not have a `*.pem` selector. Use the `*.*` selector and then select `car-CA.pem`.

From the linked article, I skipped changing the _Local Computer Policy_ (per the _Group Policy_ Snap-in).

Test with the Edge web browser.