Self-Signed Wildcard with Trusted Root CA

I got fed up getting certificate warnings when opening browsers on various devices to local servers running under my private domains, so I decided to fix the problem with my own root CA.

This is still pretty annoying to set up when I wipe a PC, but is way more practical long term.

So here’s how I did it 🙂

Create the root CA

  1. Create a private key
  2. Create the certificate (root CAs are self-signed certificates, by the way)

I’m not going to bother encrypting the certificate (see the -nodes parameter), since it’s for private internal use.

Create the wildcard certificate

Here’s the best part!

  1. Create a file named ${domain}.cnf with the following
  2. Create a key for signing
  3. Create a Certificate Signing Request

    When presented with “Common Name”, enter

    e.g. *.blog.geek.nz
  4. Sign the request against the root CA

    You’ll note the -CAcreateserial parameter; this only needs to be specified once. Next time you create a certificate, change the

    to

Copy your rootCA.crt to a USB stick and plug it into your PCs.

In Windows, double-click the rootCA.crt and add it to the “Trusted Root Certificate Authorities” store. Firefox uses its own store, so you’ll have to add it via Options->Advanced->Certificates->Authorities->Import.

For Linux browsers, most use their own stores, so check the docs; the option should be in a similar place as in Firefox.

For Mac, I dunno, google it.

EDIT: You could also just use letsencrypt.org, create the certs for Apache, and then convert them to PFX for IIS/Azure.

chris