What are the best ways and practices to manage local SSL certificates with my own CA, to get local HTTPS sites like https://testsite.local ?
I am trying to set up a Slackware box (technically a laptop) for a friend who is a web developer, but not a Slacker.
He has an idea of how to use a Linux operating system, but has no interest in or time to become a Linux guru. So I am trying to automate things a bit for him.

As a preamble, I think that Slackware-current looks like an ideal platform for a web developer specialized in PHP sites, who needs a desktop with a good editor, the major web browsers and a LAMP server running in the background to inspect the site under development. Our -current now has Plasma 5, with Kate and KDevelop, which look quite decent for PHP development (at least so says my friend), and it also has Apache, PHP and MySQL, exactly what we need for the local web server.

However, there's a condition: he needs to use local HTTPS sites for testing, and Let's Encrypt does not help in this case.

My idea is to create a set of scripts which could be used to create, remove or list the local sites. Until now, I've managed to configure Apache (and the associated PHP and MySQL) to use a directory /etc/httpd/vhosts, where the config files defining virtual hosts are put, and I also used a poor man's local DNS resolution, adding/removing the local sites from /etc/hosts. So, I'm currently able to create and run locally over HTTP a PHP site with MySQL support, named like: http://testsite.local

However, in the end this site should use HTTPS, like https://testsite.local

And another condition is that this local HTTPS site should work fine with Firefox, Chromium, Chrome and Microsoft Edge for Linux. Of course, everything locally.

For this, I understand that I need to create a convenient master CA certificate to be put into /etc/ssl/certs, then to generate SSL certificates for every local site. And there comes my question: what are the best ways and practices to manage local SSL certificates for sites living literally in the box and not accessible from outside? |
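The scheme the question describes (one master CA on the box, one certificate per local site signed by it, driven by a createsite-style script), as an added example that is not part of the original post or of any script mentioned in this thread. It assumes openssl 1.1.1 or later (for the -ext option) and writes everything under a scratch directory by default so it can be run unprivileged; the /etc/ssl/localCA path, the /srv/httpd DocumentRoot layout and the "Local Dev CA" name are my assumptions. It goes one step beyond the question by putting a subjectAltName on every leaf certificate, which Firefox and the Chromium-based browsers require (they no longer match the CN), and by carrying its own openssl config so it does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example, not from the thread: the certificate half of a "createsite"
# script. One local root CA signs one leaf certificate per site; each leaf
# carries a subjectAltName because browsers ignore the CN.
# ASSUMPTION: CA_ROOT defaults to a scratch directory so this runs without
# root; on the real box use something like CA_ROOT=/etc/ssl/localCA.
set -eu

CA_ROOT="${CA_ROOT:-$(mktemp -d)}"

# make_ca: create the master CA key and self-signed root certificate, once.
make_ca() {
    mkdir -p "$CA_ROOT/ca" "$CA_ROOT/sites"
    [ -f "$CA_ROOT/ca/ca.key" ] && return 0
    # Self-contained config: no dependence on the system openssl.cnf.
    cat > "$CA_ROOT/ca/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Local Dev CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$CA_ROOT/ca/ca.cnf" -newkey rsa:3072 -nodes \
        -sha256 -days 3650 -keyout "$CA_ROOT/ca/ca.key" \
        -out "$CA_ROOT/ca/ca.crt" 2>/dev/null
    chmod 600 "$CA_ROOT/ca/ca.key"   # the CA key never leaves this box
}

# issue_cert SITE: key and CSR for SITE, signed by the CA with server-only
# extensions (not a CA, TLS server use, SAN for the bare and www names).
issue_cert() {
    site="$1"
    dir="$CA_ROOT/sites/$site"
    mkdir -p "$dir"
    openssl req -new -config "$CA_ROOT/ca/ca.cnf" -newkey rsa:2048 -nodes \
        -sha256 -subj "/CN=$site" -keyout "$dir/$site.key" \
        -out "$dir/$site.csr" 2>/dev/null
    chmod 600 "$dir/$site.key"
    cat > "$dir/$site.ext" <<EOF
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=DNS:$site,DNS:www.$site
EOF
    openssl x509 -req -sha256 -days 825 -in "$dir/$site.csr" \
        -CA "$CA_ROOT/ca/ca.crt" -CAkey "$CA_ROOT/ca/ca.key" -CAcreateserial \
        -extfile "$dir/$site.ext" -out "$dir/$site.crt" 2>/dev/null
    rm -f "$dir/$site.csr" "$dir/$site.ext"
}

# verify_site SITE: the check a createsite script should run before touching
# Apache: does the leaf chain to our CA, and does it carry the expected SAN?
verify_site() {
    site="$1"
    crt="$CA_ROOT/sites/$site/$site.crt"
    openssl verify -CAfile "$CA_ROOT/ca/ca.crt" "$crt" >/dev/null &&
    openssl x509 -in "$crt" -noout -ext subjectAltName | grep -q "DNS:$site"
}

# vhost_config SITE: print the Apache stanza to drop into /etc/httpd/vhosts.
# ASSUMPTION: the /srv/httpd/<site> DocumentRoot layout.
vhost_config() {
    site="$1"
    dir="$CA_ROOT/sites/$site"
    cat <<EOF
<VirtualHost *:443>
    ServerName $site
    ServerAlias www.$site
    DocumentRoot /srv/httpd/$site
    SSLEngine on
    SSLCertificateFile $dir/$site.crt
    SSLCertificateKeyFile $dir/$site.key
</VirtualHost>
EOF
}

# Command-line use: ./localca.sh create testsite.local
case "${1:-}" in
    create) make_ca; issue_cert "${2:?site name required}"
            verify_site "$2"; vhost_config "$2" ;;
    verify) verify_site "${2:?site name required}" ;;
    *) ;;   # no arguments: only define the functions (e.g. when sourced)
esac
```

Because every site certificate chains to the same CA, the browser import happens once, not per site, which is the property the question is after. Symlinking ca.crt into /etc/ssl/certs (and running c_rehash or update-ca-certificates afterwards) is what makes OpenSSL-based clients such as curl and PHP trust it, but it is not enough for the browsers: Firefox and the Chromium-based browsers keep their own NSS trust databases and do not read /etc/ssl/certs. For Chromium and Chrome on Linux the one-time import is `certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "Local Dev CA" -i ca.crt`; for Firefox the same command against the profile directory (the path is per profile); I assume Edge for Linux behaves like the other Chromium builds but have not checked it on Slackware. A removesite script needs no revocation machinery for a box-local CA: deleting the leaf key, certificate and vhost file means the certificate can no longer be presented, as long as the CA key stays on the box with mode 600.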
With the note that I am not a specialist in self-signed SSL certificates, I remembered that on Mr. Kiki Novak's Microlinux I've seen two scripts for generating local SSL certificates. For your convenience, these are their contents:
Code:
#!/bin/sh
Code:
#!/bin/sh
They also install a CRT file (practically, a symlink) in the /etc/ssl/certs directory, so maybe it's along the lines of what you need as a starting point. |
Not a local website, but for https://slint.fr on a VPS I use acme.sh to get and renew a free certificate from Let's Encrypt. Very simple to use: as an example, to renew a certificate I just type
Code:
./acme.sh --renew -d slint.fr |
Quote:
However, a local site exists only in the box, because it is in the form of a Virtual Server handled by Apache, and as DNS resolver it has something like below in /etc/hosts
Code:
127.0.0.1 testsite.local www.testsite.local |
Quote:
BUT, it looks like it is not a final solution for me, because it looks like for every local site there should be some kind of SSL certificate import into the browsers, possibly manually. That's WHY I want to use a custom CA certificate: once the system is set up properly, the SSL certificates signed with this master CA certificate just need to be set up in the local sites served by Apache. That's what I want to solve with some scripts, named: createsite, removesite and showsites. My friend would only have to use them to add/remove/list his local sites. |
Quote:
Why the hassle of setting up HTTPS if your server is never going to be connected to the Internet? |
Quote:
For example, from what he said, the WebRTC system does not permit all features without an HTTPS connection. So the site development MUST be done over HTTPS sites, even if they are local. And those local sites are like debuggers for their work. |
Quote:
However, I am still looking for a fully local solution. What IF he goes on a prolonged vacation in a place without Internet? For example, China or Russia are really big, and not all places are covered with a convenient Internet connection... ;) |
Well, I do not know about China, but the Russian Federation is better covered by the Internet than you think... :p
True, it is not always high speed, but 3G is available almost everywhere, even in Siberia. BTW, is your friend Russian? Does he live in Vladivostok by chance? :D Meanwhile, how about having your own ACME server like the one Let's Encrypt runs? https://smallstep.com/certificates/ https://github.com/smallstep/certificates There is such a thing. True, it is written in Go, and I do not know how well it works on Slackware, but you can try to set it up. |
Then I think he needs to define exactly what problem he is really trying to solve. |
Quote:
Before I switched to Let's Encrypt I used CAcert certificates (also free), and before that I generated them myself. I made some changes to /etc/ssl/openssl.cnf so that I could use /etc/ssl as the place for a Certificate Authority (CA). There are some provisions in that file to set up a CA (look for "demoCA"), and this is the diff to that original file:
Code:
42c42 |