What are the best ways and practices to manage local SSL certificates with my own CA, to get local HTTPS sites like https://testsite.local ?
I am trying to set up a Slackware box (technically a laptop) for a friend who's a web developer, but not a Slacker.
He has an idea of how to use a Linux operating system, but has no interest and time to become a Linux Guru. So I'm trying to automate things a bit for him.
As a preamble, I think that Slackware-current looks like an ideal platform for a web developer specialized in PHP sites, who needs a desktop with a good editor, the major web browsers and a LAMP server running in the background to allow inspecting the site under development.
Our -current now has Plasma5, with Kate and KDevelop, which look quite decent for PHP development (at least so says my friend), and it also has Apache, PHP and MySQL, exactly what we need for the local web server.
However, there's a condition: he needs to use local HTTPS sites for testing, and Let's Encrypt does not help in this case.
My idea is to create a set of scripts which could be used to create, remove or list the local sites. Until now, I've managed to configure Apache (and the associated PHP and MySQL) to use a directory /etc/httpd/vhosts , where the config files defining virtual hosts are put, and I also used a poor man's local DNS resolution, adding/removing the local sites in /etc/hosts
So, I'm currently able to create and run locally over HTTP a PHP site with MySQL support, named like: http://testsite.local
However, in the end this site should use HTTPS, like https://testsite.local
And another condition is that this local HTTPS site should work fine with Firefox, Chromium, Chrome and Microsoft Edge for Linux. Of course, everything locally.
For this, I understand that I need to create a convenient master CA certificate to be put into /etc/ssl/certs then to generate SSL certificates for every local site.
And there comes my question:
what are the best ways and practices to manage local SSL certificates for sites living literally in the box and not accessible from outside?
Last edited by ZhaoLin1457; 02-04-2021 at 12:31 PM.
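As an added example (not from the thread or any poster), the createsite/showsites flow sketched above as a shell script: one local CA, a per-site leaf certificate carrying the site names in subjectAltName, and a browser-style verification step. The names CA_DIR, make_ca, make_site, verify_site and list_sites, and the path /etc/ssl/localca, are assumptions of this example.

```sh
# Added example (not from the thread): one local CA plus per-site leaf certs.
# CA_DIR defaults to a temp dir so this runs unprivileged; on the real box
# point it at e.g. /etc/ssl/localca (an assumed path) and run as root.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"
CA_KEY="$CA_DIR/ca.key"; CA_CRT="$CA_DIR/ca.crt"
# Create the CA once: CA:TRUE + keyCertSign is what browsers expect of a
# certificate they are asked to import as a trust anchor.
make_ca() {
  [ -f "$CA_CRT" ] && return 0
  mkdir -p "$CA_DIR/sites"
  cat > "$CA_DIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Local Dev CA
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$CA_DIR/ca.cnf" -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null
  chmod 0600 "$CA_KEY"   # the CA key never leaves this directory
}
# Issue a leaf cert for one site (the createsite step). Chrome ignores the
# CN, so the hostnames go into subjectAltName; CA:FALSE means a leaked site
# key cannot be used to mint further certificates.
make_site() {
  site="$1"; d="$CA_DIR/sites/$site"; mkdir -p "$d"
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$site" > "$d/site.cnf"
  printf '[site_ext]\nbasicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\n' >> "$d/site.cnf"
  printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s, DNS:www.%s\n' "$site" "$site" >> "$d/site.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/site.cnf" \
    -keyout "$d/$site.key" -out "$d/$site.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$d/$site.csr" \
    -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
    -extfile "$d/site.cnf" -extensions site_ext -out "$d/$site.crt" 2>/dev/null
  chmod 0640 "$d/$site.key"
}
# Check a site cert the way a browser does: chains to the CA, name matches.
verify_site() {
  openssl verify -CAfile "$CA_CRT" -verify_hostname "www.$1" \
    "$CA_DIR/sites/$1/$1.crt" >/dev/null 2>&1
}
list_sites() { ls "$CA_DIR/sites"; }   # the showsites step
make_ca; make_site testsite.local
verify_site testsite.local && echo "testsite.local signed by $CA_CRT"
```

Only ca.crt is imported into the browsers' trust stores (Firefox keeps its own, Chromium-based browsers use the NSS database under ~/.pki/nssdb); every site certificate is then trusted through it, and removesite only has to delete the site's directory and vhost.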
With the note that I am not a specialist in self-signed SSL certificates, I have remembered that on Mr. Kiki Novak's Microlinux I've seen two scripts for generating local SSL certificates. For your convenience, these are their contents:
Code:
#!/bin/sh
#
# mkcert-lan.sh
#
# Script to generate a self-signed certificate for a LAN server.
#
# Usage: copy this script to an appropriate place on the system like
# /usr/local/sbin. Edit it to your needs and run it as root.
#
# The script creates a 'certs' system group. Certificates and keyfiles are
# owned by root:certs. Make sure you add the relevant system users to the
# 'certs' group, so they can access the files.
#
# Niki Kovacs <info@microlinux.fr>

HCMD=/bin/hostname
HOST=$($HCMD --fqdn)
TIME=3650

SSLDIR="/etc/ssl"
CRTDIR="$SSLDIR/mycerts"
KEYDIR="$SSLDIR/private"

CNFFILE="$CRTDIR/$HOST.cnf"
KEYFILE="$KEYDIR/$HOST.key"
CSRFILE="$CRTDIR/$HOST.csr"
CRTFILE="$CRTDIR/$HOST.crt"

# Testing
# rm -f $CNFFILE $KEYFILE $CSRFILE $CRTFILE

# Create certs group
if ! grep -q "^certs:" /etc/group ; then
  groupadd -g 240 certs
  echo
  echo ":: Added certs group."
  echo
  sleep 3
fi

for DIRECTORY in $CRTDIR $KEYDIR; do
  if [ ! -d $DIRECTORY ]; then
    echo
    echo ":: Creating directory $DIRECTORY."
    echo
    mkdir -p $DIRECTORY
  fi
done

for FILE in $CNFFILE $KEYFILE $CSRFILE $CRTFILE; do
  if [ -f $FILE ]; then
    echo
    echo ":: $FILE already exists, won't overwrite."
    echo
    exit 1
  fi
done

cat > $CNFFILE << EOF
[req]
distinguished_name = req_distinguished_name
string_mask = nombstr
req_extensions = v3_req

[req_distinguished_name]
organizationName = Organization Name (company)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name
stateOrProvinceName = State or Province Name
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name
commonName_max = 64
organizationName_default = Microlinux
emailAddress_default = info@microlinux.fr
localityName_default = Montpezat
stateOrProvinceName_default = Gard
countryName_default = FR
commonName_default = $HOST

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $HOST
DNS.2 = subdomain1.$HOST
DNS.3 = subdomain2.$HOST
DNS.4 = subdomain3.$HOST
EOF

# Generate private key
openssl genrsa \
  -out $KEYFILE \
  4096

# Generate Certificate Signing Request
openssl req \
  -new \
  -sha256 \
  -out $CSRFILE \
  -key $KEYFILE \
  -config $CNFFILE

# Self-sign and generate Certificate
openssl x509 \
  -req \
  -sha256 \
  -days $TIME \
  -in $CSRFILE \
  -signkey $KEYFILE \
  -out $CRTFILE \
  -extensions v3_req \
  -extfile $CNFFILE

# Set permissions
chown root:certs $KEYFILE $CRTFILE
chmod 0640 $KEYFILE $CRTFILE

# Create a symlink in /etc/ssl/certs
pushd $SSLDIR/certs
rm -f $HOST.crt
ln -s ../mycerts/$HOST.crt .
popd

echo
exit 0
Not a local website, but for https://slint.fr in a VPS I use acme.sh to get and renew a free certificate from Let's Encrypt. Very simple to use: as an example to renew a certificate I just type
Code:
./acme.sh --renew -d slint.fr
If you prefer, Eric has written a blog article about another piece of software that does the same thing, dehydrated, for which a SlackBuild is available @ SBo.
Unfortunately, I cannot use Let's Encrypt for a local site, because the LE servers want to verify that you are the owner of that site, either by putting a particular file at a precise web location, or by presenting a DNS server with certain records.
However, a local site exists only in the box, because it is in the form of a Virtual Server handled by Apache, and as DNS resolver it has something like below in /etc/hosts
Code:
127.0.0.1 testsite.local www.testsite.local
That's right. Its name is basically an alias for localhost.
Last edited by ZhaoLin1457; 02-04-2021 at 03:41 PM.
They also install a CRT file (practically, a symlink) in the /etc/ssl/certs directory, so maybe it's along the lines of what you need as a starting point.
Thank you very much, I will try this.
BUT, it looks like it is not a final solution for me.
Because it looks like for every local site there should be some kind of SSL certificate import into the browsers, possibly manually.
That's WHY I want to use a custom CA certificate.
Because once the system is set up properly, the SSL certificates signed with this master CA certificate just need to be set up in the local sites served by Apache.
That's what I want to solve with some scripts, named: createsite, removesite and showsites
My friend would only have to use them to add/remove/list his local sites.
Last edited by ZhaoLin1457; 02-04-2021 at 03:47 PM.
You should be able to do that actually. Assuming you have a suitable internet-accessible domain available, like real-domain.com, simply get a wildcard cert for the domain from LE using DNS validation, then make your local test site a subdomain of the one you validate, perhaps testsite.real-domain.com, and point your local DNS accordingly.
Thanks, it could be a solution; I will talk with my friend about whether this variant is OK.
However, I still look for a fully local solution. What IF he goes on a prolonged vacation in a place without Internet?
For example, China or Russia are really big, and not all places are covered with a convenient Internet connection...
Last edited by ZhaoLin1457; 02-04-2021 at 04:01 PM.
From what my friend explained to me, modern browsers force some limitations on behavior when HTTPS is lacking.
For example, from what he said, the WebRTC system does not permit all features without an HTTPS connection.
So, the site development MUST be done over HTTPS sites, even if they are local. And those local sites are like debuggers in their work.
If they just tell their browsers to trust the self-signed certificate then your friend does not have to import anything into the browsers' certificate store.
Before I switched to Let's Encrypt I used CACert certificates (also free) and before that, I generated them myself. I made some changes to /etc/ssl/openssl.cnf so that I could use /etc/ssl as the place for a Certificate Authority (CA). There are some provisions in that file to set up a CA (look for "demoCA") and this is the diff to that original file:
Code:
42c42
< dir = ./demoCA # Where everything is kept
---
> dir = /etc/ssl # Where everything is kept
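Review bot: pointing dir at /etc/ssl means the [CA_default] section now expects the CA's working files under /etc/ssl, so before `openssl ca` can sign anything you need /etc/ssl/index.txt (empty), /etc/ssl/serial (with an initial number), the /etc/ssl/newcerts directory, and the CA key and certificate at the paths that section derives from $dir (by default $dir/private/cakey.pem and $dir/cacert.pem). Worth saying so next to this change, and keeping /etc/ssl/private readable by root only, since the CA key ends up next to the distro's other private keys.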
73c73
< default_days = 365 # how long to certify for
---
> default_days = 730 # how long to certify for
125c125
< # req_extensions = v3_req # The extensions to add to a certificate request
---
> req_extensions = v3_req # The extensions to add to a certificate request
129c129
< countryName_default = AU
---
> countryName_default = NL
134c134
< stateOrProvinceName_default = Some-State
---
> stateOrProvinceName_default = Netherlands
136a137
> localityName_default = Alien County
139c140
< 0.organizationName_default = Internet Widgits Pty Ltd
---
> 0.organizationName_default = Alien Base
223a225,229
> # Added by Eric Hameleers, see:
> # http://lists.spack.org/archives/padl.com/2167.html
> #subjectAltName=DNS:*.alienbase.nl
> subjectAltName=DNS:*.local,DNS:*.alienbase.nl
>
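Review bot: a fixed `subjectAltName=DNS:*.local,DNS:*.alienbase.nl` in the global config puts the same two names into every certificate issued through this section, whichever site it is for, and a wildcard only covers one label, so `*.local` matches testsite.local but not www.testsite.local; since Chrome (from version 58) and the other current browsers match the host against the SAN and ignore the CN, the www name would fail. For the per-site scripts the OP describes, generate the SAN per site (e.g. `subjectAltName=DNS:testsite.local,DNS:www.testsite.local`) from a per-site extension file passed with -extfile, rather than hard-coding it here.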
234c240
< authorityKeyIdentifier=keyid:always,issuer
---
> authorityKeyIdentifier=keyid:always,issuer:always
260a267,271
> # Added by Eric Hameleers, see:
> # http://lists.spack.org/archives/padl.com/2167.html
> #subjectAltName=DNS:*.alienbase.nl
> subjectAltName=DNS:*.local,DNS:*.alienbase.nl
>
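Review bot: this repeats the subjectAltName line added in the 223a225,229 hunk in a second extension section, so the same fixed wildcard names now apply whichever section a given openssl command uses; if the per-site SAN suggested above is adopted, both copies should go, otherwise they need to be kept in sync by hand.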
267c278
< authorityKeyIdentifier=keyid:always
---
> authorityKeyIdentifier=keyid:always,issuer:always
300c311
< authorityKeyIdentifier=keyid,issuer
---
> authorityKeyIdentifier=keyid,issuer:always
330c341
< dir = ./demoCA # TSA root directory
---
> dir = /etc/ssl # TSA root directory
After that, you are only limited by your own imagination. Kikinovak's scripts from a previous post will do the job too.