SELF SIGNED CERTIFICATE
Commands and a configuration file to create self-signed certificates. Configuration files are in the etc directory.
This material is based on many websites explaining the method; the whole process and the configuration options have been simplified as much as possible.
NOTE :
- You will still get browser warnings saying that the certificate is untrusted. Your CA certificate is not in the trusted root CA list of your browser or device, so nothing signed by it is trusted. To get rid of the warning, import myCAcert.pem (the certificate, never myCA.key) into the trust store of each client.
- Anyone holding myCA.key can issue certificates that every client trusting your CA will accept. Keep it passphrase-protected and off the servers it signs certificates for.
- The config file has a section to define the Subject Alternative Name (SAN) extension. Chrome and other modern browsers match the hostname against the SAN only; a matching Common Name alone is not enough.
- Most documentation uses two configuration files. We decided to group everything in one.
$ git clone https://github.com/gabx/self-signed-certificate.git
$ cd self-signed-certificate
$ echo '01' > serial && touch index.txt
$ cp /dev/null index.txt.attr
Then you must edit the self-sign.conf configuration file according to your needs.
Become a Certificate Authority
The first step is to become a stand-alone Certificate Authority (CA) which will sign as many certificates as you like.
generate password protected key
$ openssl genrsa -des3 -out myCA.key 2048
Omit the -des3 option to remove password protection. With it, OpenSSL asks for the passphrase every time the key is used, which is what you want for a CA key that is only touched when signing.
generate root certificate
$ openssl req -x509 -config etc/self-sign.conf -new -key myCA.key -out myCAcert.pem
You should now have two files: myCA.key (your private key) and myCAcert.pem (your root certificate). Do not rename them; if you do, change the names in the self-sign.conf file too.
Create CA-Signed Certificates
Create a private key
$ openssl genrsa -des3 -out MyFQDN.key 2048
As with the CA key, omit -des3 if the web server has to start unattended: a passphrase-protected key must be unlocked at every start.
Generate a certificate signing request
The CSR is sent to a Certificate Authority, which verifies the identity of the requestor and issues a signed certificate. In our case, WE are the Certificate Authority. The questions are already answered with what you indicated in self-sign.conf; you only have to confirm each one by pressing the Enter key.
$ openssl req -config etc/self-sign.conf -new -key MyFQDN.key -out MyFQDN.csr
Create the certificate using our CSR, the CA private key and the CA certificate
Now it is time to put everything together and do the magic:
$ openssl x509 -req -in MyFQDN.csr -CA myCAcert.pem -CAkey myCA.key -CAcreateserial -out MyFQDN.crt.pem -days 3650 -sha256 -extfile etc/self-sign.conf
The -extfile option is what copies the SAN extension from self-sign.conf into the issued certificate; without it, openssl x509 -req adds no extensions at all. -CAcreateserial creates the serial file myCAcert.srl next to the CA certificate on the first run; later runs read and increment it. Keep that file: a CA must never issue two certificates with the same serial number, and Firefox rejects a certificate whose issuer and serial it has already seen. Note also that Apple platforms (iOS 13 / macOS 10.15 and later) reject TLS server certificates valid for more than 825 days, so lower -days if those clients matter.
A few additional commands
view cert
$ openssl x509 -in MyFQDN.crt.pem -text -noout
base64 encode
On certain occasions you will be asked for a base64-encoded certificate on a single line. Here is the command to run (-w 0 is GNU coreutils; on other systems openssl base64 -A -in MyFQDN.crt.pem gives the same result):
$ cat MyFQDN.crt.pem | base64 -w 0
Verify
The check is done against the CA certificate created above (myCAcert.pem), not against the CA key:
$ openssl verify -CAfile myCAcert.pem MyFQDN.crt.pem
MyFQDN.crt.pem: OK
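The procedure from "Become a Certificate Authority" through "Verify", as one added, non-interactive shell example. This is not the repository's own script: etc/self-sign.conf is not reproduced on this page, so the block writes a constructed stand-in config (made-up names: example.test, 192.0.2.10 and the "Example Home Lab" DN) into a temporary directory, and it drops -des3 so it can run unattended. It also adds two checks the page does not show: a hostname check against the SAN with -verify_hostname, and a look at the basicConstraints flag that separates the CA certificate from the server certificate.

```shell
#!/bin/sh
# Added example, not the gabx/self-signed-certificate repository's own script.
# The config below is a constructed stand-in for etc/self-sign.conf; all names
# (example.test, 192.0.2.10, "Example Home Lab") are made up.
# Requires the openssl CLI (1.1.0 or newer for -verify_hostname).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# One config file for both the CA and the server request, as the page does.
# Each extension section is selected explicitly with -extensions.
write_config() {
  cat > "$WORK/self-sign.conf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = ca_ext
req_extensions     = server_ext

[ req_dn ]
C  = FR
O  = Example Home Lab
CN = Example Home Lab Root CA

[ ca_ext ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.example.test, DNS:example.test, IP:192.0.2.10
EOF
}

# Become a CA: private key plus self-signed root certificate.
# The page passphrase-protects myCA.key with -des3; it is omitted here only so
# the example runs unattended. Put it back (and keep the key offline) for real use.
make_ca() {
  openssl genrsa -out "$WORK/myCA.key" 2048 2>/dev/null
  openssl req -x509 -new -config "$WORK/self-sign.conf" -key "$WORK/myCA.key" \
    -subj "/C=FR/O=Example Home Lab/CN=Example Home Lab Root CA" \
    -days 3650 -sha256 -out "$WORK/myCAcert.pem"
}

# Server key, CSR and CA-signed certificate. -extfile/-extensions pull the SAN
# and key-usage extensions from the config; without -extfile the issued
# certificate would carry no extensions. 825 days stays within Apple's limit.
make_server_cert() {
  openssl genrsa -out "$WORK/MyFQDN.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/self-sign.conf" -key "$WORK/MyFQDN.key" \
    -subj "/C=FR/O=Example Home Lab/CN=www.example.test" -out "$WORK/MyFQDN.csr"
  openssl x509 -req -in "$WORK/MyFQDN.csr" -CA "$WORK/myCAcert.pem" \
    -CAkey "$WORK/myCA.key" -CAcreateserial -days 825 -sha256 \
    -extfile "$WORK/self-sign.conf" -extensions server_ext \
    -out "$WORK/MyFQDN.crt.pem" 2>/dev/null
}

# Chain check as on the page: the CA certificate, not the key, goes to -CAfile.
verify_chain() {
  openssl verify -CAfile "$WORK/myCAcert.pem" "$WORK/MyFQDN.crt.pem" >/dev/null
}

# Hostname check: succeeds only for a name listed in the SAN.
verify_host() {
  openssl verify -CAfile "$WORK/myCAcert.pem" -verify_hostname "$1" \
    "$WORK/MyFQDN.crt.pem" >/dev/null 2>&1
}

# Print the SAN line of a certificate (the line after the extension header).
san_of() {
  openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}'
}

# "yes" if the certificate is flagged as a CA in basicConstraints, else "no".
is_ca() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

write_config
make_ca
make_server_cert
verify_chain && echo "chain: OK"
verify_host www.example.test && echo "hostname www.example.test: OK"
verify_host other.example.test || echo "hostname other.example.test: rejected (not in SAN)"
echo "SAN:$(san_of "$WORK/MyFQDN.crt.pem")"
echo "CA flag: root=$(is_ca "$WORK/myCAcert.pem") server=$(is_ca "$WORK/MyFQDN.crt.pem")"
echo "files written to $WORK"
```

Because the combined config holds more than one extension section, -extensions server_ext has to name the one meant for the server certificate; a config with a single default extensions section, as the repository's may be, does not need it. The hostname check is the one browsers actually perform: the certificate chains fine for any name, but only names in the SAN pass.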

