During development you sometimes need a self-signed certificate for the local host. The Let's Encrypt documentation says you can easily prepare a certificate, together with its own CA, using minica, so I tried it out.

Here is the description from the GitHub repository:


Minica is a simple CA intended for use in situations where the CA operator also operates each host where a certificate will be used. It automatically generates both a key and a certificate when asked to produce a certificate. It does not offer OCSP or CRL services. Minica is appropriate, for instance, for generating certificates for RPC systems or microservices.

On first run, minica will generate a keypair and a root certificate in the current directory, and will reuse that same keypair and root certificate unless they are deleted.

On each run, minica will generate a new keypair and sign an end-entity (leaf) certificate for that keypair. The certificate will contain a list of DNS names and/or IP addresses from the command line flags. The key and certificate are placed in a new directory whose name is chosen as the first domain name from the certificate, or the first IP address if no domain names are present. It will not overwrite existing keys or certificates.

The certificate will have a validity of 2 years and 30 days.


Files produced (key.pem and cert.pem are written to a subdirectory named after the first domain):

  role                           file name
  CA key                         minica-key.pem
  CA certificate                 minica.pem
  Self-signed certificate (key)  key.pem
  Self-signed certificate        cert.pem

Certificate generation procedure

Installation of minica

Install according to minica README (assuming Go is installed):

mkdir minica

cd minica

git clone https://github.com/jsha/minica.git .
Cloning into 'minica'...
remote: Enumerating objects: 5, done.
remote: Counting objects: 100% (5/5), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 77 (delta 0), reused 1 (delta 0), pack-reused 72
Unpacking objects: 100% (77/77), done.
ls
LICENSE.txt README.md   go.mod      main.go
go build
ls
LICENSE.txt README.md   go.mod      main.go     minica
./minica
Usage of ./minica:

Minica is a simple CA intended for use in situations where the CA operator
also operates each host where a certificate will be used. It automatically
generates both a key and a certificate when asked to produce a certificate.
It does not offer OCSP or CRL services. Minica is appropriate, for instance,
for generating certificates for RPC systems or microservices.

On first run, minica will generate a keypair and a root certificate in the
current directory, and will reuse that same keypair and root certificate
unless they are deleted.

On each run, minica will generate a new keypair and sign an end-entity (leaf)
certificate for that keypair. The certificate will contain a list of DNS names
and/or IP addresses from the command line flags. The key and certificate are
placed in a new directory whose name is chosen as the first domain name from
the certificate, or the first IP address if no domain names are present. It
will not overwrite existing keys or certificates.

  -ca-cert string
        Root certificate filename, PEM encoded. (default "minica.pem")
  -ca-key string
        Root private key filename, PEM encoded. (default "minica-key.pem")
  -domains string
        Comma separated domain names to include as Server Alternative Names.
  -ip-addresses string
        Comma separated IP addresses to include as Server Alternative Names.

Create a certificate for domain desotech.local

./minica --domains desotech.local
ls
LICENSE.txt    desotech.local main.go        minica-key.pem
README.md      go.mod         minica         minica.pem
ls -Fla
total 7880
drwxr-xr-x  12 hermedia  staff      384 Mar 16 19:04 ./
drwxr-xr-x   3 hermedia  staff       96 Mar 16 19:04 ../
drwxr-xr-x  12 hermedia  staff      384 Mar 16 19:04 .git/
drwxr-xr-x   3 hermedia  staff       96 Mar 16 19:04 .github/
-rw-r--r--   1 hermedia  staff     1078 Mar 16 19:04 LICENSE.txt
-rw-r--r--   1 hermedia  staff     1563 Mar 16 19:04 README.md
drwx------   4 hermedia  staff      128 Mar 16 19:04 desotech.local/
-rw-r--r--   1 hermedia  staff       39 Mar 16 19:04 go.mod
-rw-r--r--   1 hermedia  staff     9413 Mar 16 19:04 main.go
-rwxr-xr-x   1 hermedia  staff  3998168 Mar 16 19:04 minica*
-rw-------   1 hermedia  staff     1679 Mar 16 19:04 minica-key.pem
-rw-------   1 hermedia  staff     1204 Mar 16 19:04 minica.pem
openssl x509 -text -noout -in minica.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2246755034181088111 (0x1f2e13ccbdaf336f)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=minica root ca 1f2e13
        Validity
            Not Before: Mar 16 18:04:57 2020 GMT
            Not After : Mar 16 18:04:57 2120 GMT
        Subject: CN=minica root ca 1f2e13
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier:
                65:95:25:C0:37:4E:24:C2:2E:51:E8:C1:5D:00:71:85:CC:3C:60:50
            X509v3 Authority Key Identifier:
                keyid:65:95:25:C0:37:4E:24:C2:2E:51:E8:C1:5D:00:71:85:CC:3C:60:50

    Signature Algorithm: sha256WithRSAEncryption
openssl x509 -text -noout -in desotech.local/cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 793889457352780444 (0xb0476415870aa9c)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=minica root ca 1f2e13
        Validity
            Not Before: Mar 16 18:04:57 2020 GMT
            Not After : Apr 15 17:04:57 2022 GMT
        Subject: CN=desotech.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:65:95:25:C0:37:4E:24:C2:2E:51:E8:C1:5D:00:71:85:CC:3C:60:50

            X509v3 Subject Alternative Name:
                DNS:desotech.local
    Signature Algorithm: sha256WithRSAEncryption

Procedure for trusting the CA certificate (macOS)

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain minica.pem

Verifying that a certificate is trusted

Add the domain to the hosts file:

127.0.0.1 localhost desotech.local

Prepare a simple HTTPS server with Python 3:

Create a file https_server.py

from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl

# Serve the current directory on the name mapped in the hosts file.
httpd = HTTPServer(('desotech.local', 443), SimpleHTTPRequestHandler)

# ssl.wrap_socket() is deprecated (removed in Python 3.12): use a server-side
# context and load the minica-issued leaf certificate plus its private key.
# Paths are relative to the working directory (the desotech.local/ output dir).
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile='cert.pem', keyfile='key.pem')
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()

Run it (binding port 443 requires root, hence sudo):

sudo python3 ./https_server.py
127.0.0.1 - - [17/Mar/2020 09:39:36] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [17/Mar/2020 09:39:38] code 404, message File not found
127.0.0.1 - - [17/Mar/2020 09:39:38] "GET /favicon.ico HTTP/1.1" 404 -