@r-pai
Forked from jchandra74/openssl.MD
Created February 19, 2020 06:45
# HOWTO: Create Your Own Self-Signed Certificate with Subject Alternative Names Using OpenSSL in Ubuntu Bash for Windows
## Overview
My main development workstation is a Windows 10 machine, so we'll approach this from that viewpoint.
Recently, *Google Chrome* started giving me a warning when I open a site on my local development machine that uses HTTPS with a self-signed certificate, due to SSL certificate issues like the one below:
![Self-Signed SSL Issue in Chrome](https://content.screencast.com/users/jchandra74/folders/Jing/media/da07e9d1-b3f1-4304-bc85-a0d204471321/2017-05-01_1405.png)
or one that is described in [this forum post](https://productforums.google.com/forum/#!topic/chrome/zVo3M8CgKzQ;context-place=topicsearchin/chrome/category$3ACanary%7Csort:relevance%7Cspell:false) which I originally got.
I previously made my self-signed certificate using the [`MAKECERT`](https://msdn.microsoft.com/en-us/library/bfsktky3(vs.100).aspx) utility. Apparently, this tool does not support creating a self-signed SSL certificate with a Subject Alternative Name (SAN). If anyone knows different, please let me know.
So, after doing some searches, it seems that [OpenSSL](https://www.openssl.org/) is the best solution for this.
If you are trying to use OpenSSL on Windows like me, you will probably be scratching your head about where to start. Build from the [repository](https://github.com/openssl/openssl)? Ouch. That's what they call [yak shaving](https://en.wiktionary.org/wiki/yak_shaving). I just want to quickly create my own damn self-signed certificate, not build a factory that can do that. Sure, there is a binary installation available [here](https://slproweb.com/products/Win32OpenSSL.html), but after getting it installed and trying to figure out how to make it run nicely with **PowerShell**, I gave up.
Luckily, Windows 10 now has the ability to run Ubuntu bash, and after playing around with it, this seems to be the best way forward when using `openssl`.
## Setup Ubuntu on Windows 10
To set it up, follow the instruction [here](https://msdn.microsoft.com/en-au/commandline/wsl/install_guide).
## Install OpenSSL
To install `openssl` run the following command from the **bash** shell:
```bash
sudo apt-get install openssl
```
Once installed, you are ready to create your own self-signed certificate.
## Creating Self-Signed Certificate
**NOTE:** _**SHA1** is being deprecated by major browsers, so please use **SHA256** instead. Wherever there is a reference to **SHA1** in the following guide, please replace it with **SHA256**._
To create your own Root Certificate and Self-Signed Certificate, follow [this OpenSSL Ubuntu article](https://help.ubuntu.com/community/OpenSSL). You can follow that guide quite safely up to the point where it creates the `.pfx` file (the `openssl pkcs12 -export -out ... -name "Certificate for Whatever"` command, just before the **Using PKCS#12 Certificates in Client Applications** section). Once you reach that point, you should have a valid `.pfx` file that you can use from Windows.
### Caveats for `caconfig.cnf`
1. In the `[ local_ca ]` section, make sure you replace `<username>` with the Ubuntu username you created when you set up Ubuntu on Windows 10. Mine, for example, is `dir = /home/jchandra/myCA`. **NOTE: DO NOT USE `~/myCA`. It does not work.**<br>Similarly, change the `default_keyfile` setting in the `[ req ]` section to use the same path.
2. Leave the `[ local_ca_policy ]` section alone. `commonName = supplied`, etc. are correct and not to be overwritten.
3. In `[ req ]` section, change `default_md = sha1` to `default_md = sha256`.
4. In the `[ root_ca_distinguished_name ]` section, replace all the values with your own settings. For example, instead of leaving `commonName`, `stateOrProvinceName`, etc. at the default values in that example, at work I changed them to the following to match my own company data:
```ini
[ root_ca_distinguished_name ]
commonName = InvoiceSmash Dev Root Certificate Authority
stateOrProvinceName = NSW
countryName = AU
emailAddress = [email protected]
organizationName = Coupa
# the OpenSSL attribute name for an OU is organizationalUnitName, not organizationUnitName
organizationalUnitName = InvoiceSmash
```
### Caveats for `exampleserver.conf`
1. Change the values in `[ server_distinguished_name ]` section to match your own settings.
2. In the `[ alt_names ]` section, change the values for `DNS.0` and `DNS.1` to whatever you need. In my case, I test my web application using `https://localhost:44300`, therefore the correct value for me is `DNS.0 = localhost`. I am not sure what to do with `DNS.1`, so I just changed it to `DNS.1 = invoicesmash.local`. If it so happens that I have an entry in my `hosts` file that matches this (mapped to IP address `127.0.0.1`), it should still work.
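As an added, self-contained example (not part of the original gist or of the Ubuntu article it points to), the script below runs the whole procedure end to end from the Ubuntu bash shell: it creates a root CA, a server key and CSR whose `[ alt_names ]` section carries the SAN entries, signs the server certificate with the CA, exports the `.pfx` that Windows imports, and checks the result. It condenses the Ubuntu article's `openssl ca` flow into `openssl req -x509` for the CA and `openssl x509 -req` for the server certificate, so it needs no `caconfig.cnf` database directory. The `Example Org` and `Example Dev Root CA` strings, the `example.local` name, the script file name and the PFX password are placeholders, not values from the original.

```bash
#!/usr/bin/env bash
# Added example, not from the original gist: root CA + SAN server certificate + PFX.
# All DN values, the extra hostname and the PFX password are placeholders (assumptions).
set -eu

# make_dev_certs OUTDIR HOST PFX_PASSWORD
#   Writes cakey.pem, cacert.crt, HOST.key, HOST.csr, HOST.crt and HOST.pfx into OUTDIR.
make_dev_certs() {
    outdir="$1"; host="$2"; pfx_pass="$3"
    mkdir -p "$outdir"

    # One config file covering both roles. [ server_extensions ] is the part that
    # MAKECERT could not produce: the subjectAltName pointing at [ alt_names ].
    cat > "$outdir/dev.cnf" <<EOF
[ req ]
default_md = sha256
prompt = no
distinguished_name = server_distinguished_name
req_extensions = server_extensions

[ server_distinguished_name ]
commonName = ${host}
organizationName = Example Org
countryName = AU

[ ca_extensions ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_extensions ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.0 = ${host}
DNS.1 = example.local
IP.0 = 127.0.0.1
EOF

    # 1. Root CA: private key and self-signed certificate (SHA-256, 5 years).
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1825 \
        -config "$outdir/dev.cnf" -extensions ca_extensions \
        -subj "/CN=Example Dev Root CA/O=Example Org/C=AU" \
        -keyout "$outdir/cakey.pem" -out "$outdir/cacert.crt"

    # 2. Server key and CSR; the DN and the SAN request come from dev.cnf.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$outdir/dev.cnf" \
        -keyout "$outdir/$host.key" -out "$outdir/$host.csr"

    # 3. Sign the CSR with the CA, attaching the SAN extension from the config
    #    explicitly (openssl x509 -req does not copy CSR extensions on its own).
    openssl x509 -req -sha256 -days 825 -in "$outdir/$host.csr" \
        -CA "$outdir/cacert.crt" -CAkey "$outdir/cakey.pem" -CAcreateserial \
        -extfile "$outdir/dev.cnf" -extensions server_extensions \
        -out "$outdir/$host.crt"

    # 4. Bundle key + certificate (+ CA) into the PKCS#12 file Windows imports.
    openssl pkcs12 -export -inkey "$outdir/$host.key" -in "$outdir/$host.crt" \
        -certfile "$outdir/cacert.crt" -name "Dev certificate for $host" \
        -passout "pass:$pfx_pass" -out "$outdir/$host.pfx"
}

# verify_chain OUTDIR HOST: succeeds only if HOST.crt chains to cacert.crt
verify_chain() {
    openssl verify -CAfile "$1/cacert.crt" "$1/$2.crt" >/dev/null
}

# cert_has_san OUTDIR HOST NAME: succeeds only if NAME is a DNS entry in HOST.crt's SAN
cert_has_san() {
    openssl x509 -in "$1/$2.crt" -noout -text | grep -qE "DNS:$3(,|\$)"
}

# Usage: bash make-dev-certs.sh /home/<username>/myCA localhost <pfx-password>
if [ "$#" -eq 3 ]; then
    make_dev_certs "$1" "$2" "$3"
    verify_chain "$1" "$2" && cert_has_san "$1" "$2" "$2" \
        && echo "OK: $1/$2.pfx ready; copy it and $1/cacert.crt to Windows"
fi
```

Use an absolute output directory such as `/home/<username>/myCA`, matching the caveat above about `~/myCA`. The two helper functions are the checks worth keeping around: `verify_chain` confirms the server certificate really chains to `cacert.crt`, and `cert_has_san` greps the `DNS:` entries out of `openssl x509 -text`, which is the quickest way to confirm that the name Chrome will check is actually present in the certificate rather than only in the CN.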
## Copy the PFX and CA Certificate to a Windows location and Install the CA & PFX into Windows
### Copying PFX and CA from Ubuntu bash to Windows Side
It seems it is forbidden to touch the Linux Subsystem from the Windows side, but you can touch the Windows side from the Linux side, so that's what we are going to do.
To copy the files from inside Ubuntu, you need to know where you want to copy them to on the Windows side. For example, if I want to copy the files to the `C:\certificates` folder, I'd do something like `cp {localhost.pfx,cacert.crt} /mnt/c/certificates`.
See this [faq](https://msdn.microsoft.com/en-au/commandline/wsl/faq) if you want to know more about this.