Generate new CA
Make a directory for the CA, for example /root/CA or the root user's home directory
mkdir -p /root/CA
cd /root/CA
Generate the CA private key (example name: rootCA.key)
openssl genrsa -des3 -out rootCA.key 2048
Generate new CA Certificate
openssl req -x509 -nodes -new -key rootCA.key -days 365 -sha256 -out rootCA.pem
Convert .pem to .p7b if the client is Windows
openssl crl2pkcs7 -nocrl -certfile rootCA.pem -out rootCA.p7b
Success!!
Generate New Private Key for Web
Example domain: dika.id
openssl genrsa -out dika.id.key 2048
Generate CSR for Signing Request to CA
openssl req -new -key dika.id.key -out dika.id.csr
When prompted for the Common Name (FQDN), enter the domain: dika.id or www.dika.id
Signing Certificate
openssl x509 -req -in dika.id.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out dika.id.crt -days 365 -sha256
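
Current browsers match the host name against subjectAltName rather than the Common Name, so the signed certificate should carry a SAN and be checked before it goes into Nginx. The script below is an added example, not part of the original post: it repeats the CA, CSR and signing steps in a temporary directory, then verifies the chain, the key match and the SAN. The file demo.cnf, its section names and the passphrase-less demo CA key are assumptions made so it runs without prompts.

```shell
#!/bin/sh
# Added example, not from the original page. The demo CA key has no passphrase
# (unlike the page's -des3 rootCA.key) so it runs without prompts; demo.cnf and
# the section names ca_ext / server_ext are constructed for this sketch.

# build_chain DIR DOMAIN: CA, server key, CSR, and a signed cert carrying a SAN.
build_chain() {
    dir=$1; domain=$2
    cat > "$dir/demo.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Demo Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:$domain, DNS:www.$domain
EOF
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$dir/rootCA.key" -days 365 -sha256 \
        -config "$dir/demo.cnf" -out "$dir/rootCA.pem" &&
    openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/$domain.key" -subj "/CN=$domain" \
        -config "$dir/demo.cnf" -out "$dir/$domain.csr" &&
    openssl x509 -req -in "$dir/$domain.csr" -CA "$dir/rootCA.pem" \
        -CAkey "$dir/rootCA.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/demo.cnf" -extensions server_ext \
        -out "$dir/$domain.crt" 2>/dev/null
}

# check_chain DIR DOMAIN: 0 if the cert chains to the CA, matches its key and
# names the host in subjectAltName; 1, 2 or 3 tells which check failed.
check_chain() {
    dir=$1; domain=$2
    openssl verify -CAfile "$dir/rootCA.pem" "$dir/$domain.crt" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$dir/$domain.crt" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$dir/$domain.key" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 2
    openssl x509 -in "$dir/$domain.crt" -noout -text | grep -q "DNS:www.$domain" || return 3
}

demo=$(mktemp -d) && build_chain "$demo" dika.id && check_chain "$demo" dika.id &&
    echo "chain, key match and SAN verified in $demo"
```

check_chain can also be pointed at the real /root/CA directory, since it only reads rootCA.pem, dika.id.crt and dika.id.key.
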
Nginx Setup
cd /etc/nginx/sites-available && nano default
Uncomment the "# listen 443 ssl" line and add the lines below
ssl_certificate /root/CA/dika.id.crt;
ssl_certificate_key /root/CA/dika.id.key;
ssl_protocols TLSv1.2 TLSv1.3;
Save and check configuration
nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Restart Nginx
service nginx restart
Client
Windows
1. Download or copy rootCA.p7b from the server
2. Open Manage computer certificates -> Trusted Root Certification Authorities -> Certificates
3. Right click -> All Tasks -> Import -> select the file rootCA.p7b -> Next -> Finish
Done
For a Linux client, add the CA file rootCA.pem in the browser