This video explains how to create a self signed certificate with Subject Alternative Names (SAN).
A certificate with Subject Alternative Names is a single certificate supporting multiple Common Names (CN), for example:
- mobilefish.com
- sand.mobilefish.com
- baidu.com
- china.com
This means this single certificate can be used in multiple URLs:
- mobilefish.com
- sand.mobilefish.com
- baidu.com
- china.com
Chrome browsers will issue a warning if your SSL certificate does not specify Subject Alternative Names.
This video assumes that you have installed OpenSSL.
More information how to install and use OpenSSL:www.openssl.org
To check if your system has OpenSSL installed, type: openssl version -a
The procedure to create self signed certificates with Subject Alternative names is also documented at:
www.mobilefish.com/developer/...
Warning: Never use self signed certificates in production environments.
It is okay to use it in development or testing environments.
1. Create a 2048 bit Certificate Authority (CA) private key:
sudo openssl genrsa -out privkey.pem 2048
The CA private key is created: privkey.pem
2. Create a self signed CA certificate:
sudo openssl req -new -x509 -days 3650 -nodes -key privkey.pem -sha256 -out ca.pem
3. Create a 2048 bit Certificate Authority (CA) certificate:
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Noord-Holland
Locality Name (eg, city) []:Zaandam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mobilefish.com CA
The CA certificate is created: ca.pem
4. Create a server configuration file (server.csr.cnf). Example:
www.mobilefish.com/download/o...
Download and modify the server configuration file according to your situation.
[dn]
C=NL
ST=Zaandam
L=Noord-Holland
O=End Point
OU=Research and development
emailAddress=rd@mobilefish.com
CN = sand.mobilefish.com
5. Create a server Certificate Signing Request (CSR) and server private key.
sudo openssl req -new -nodes -out server.csr -keyout server.key -config server.csr.cnf
The server CSR is created: server.csr
The server private key is created: server.key
6. Create a server extension file (server_v3.ext). Example:
www.mobilefish.com/download/o...
Modify the server extension file according to your situation.
Add Subject Alternative Names:
[alt_names]
DNS.1 = sand.mobilefish.com
DNS.2 = proxy.mobilefish.com
In the sever configuration file (server.csr.cnf) I have used “CN = sand.mobilefish.com".
This common name must be mentioned as one of the Subject Alternative Names.
7. Create the server certificate:
sudo openssl x509 -req -in server.csr -CA ca.pem -CAkey privkey.pem -CAcreateserial -out server.crt -days 3650 -extfile server_v3.ext
The server certificate is created: server.crt
The serial number file is created: ca.srl
Each issued certificate must contain a unique serial number assigned by the CA.
It must be unique for each certificate given by a given CA.
OpenSSL keeps the used serial numbers on a file.
The server certificate (server.crt) and server private key (server.key) are the two files you need to install on your server (Apache web server, proxy server).
Always keep the private keys secure:
- CA private key (privkey.pem)
- Server private key (server.key)
Recap
We have created our own Certificate Authority (root certificate).
But this CA is not trusted by our system.
Next our CA has created a certificate with SAN.
Trusted CA’s such as Comodo and GoDaddy are trusted because their root certificates are already imported in our system.
In RU-vid video “Geth supporting SSL using reverse proxy server” I will be using this self signed certificate to setup a reverse proxy server accessible by:
proxy.mobilefish.com.
Check out all my other Ethereum related tutorial videos:
goo.gl/eNJVXe
Subscribe to my RU-vid channel:
goo.gl/61NFzK
The presentation used in this video tutorial can be found at:
www.mobilefish.com/developer/b...
#mobilefish #howto #ethereum
21 сен 2017