Self-Signed Wildcard with Trusted Root CA

I got fed up getting certificate warnings when opening browsers on various devices to local servers running under my private domains, so I decided to fix the problem with my own root CA.

This is still pretty annoying to set up when I wipe a PC, but is way more practical long term.

So here’s how I did it 🙂

Create the root CA

  1. Create a private key
    $ openssl genrsa -out rootCA.key 2048
  2. Create the certificate (root CA certificates are self-signed, btw)
    $ openssl req -x509 -new -nodes -key rootCA.key -days 3653 -out rootCA.pem

I’m not going to bother encrypting the private key (that’s what the -nodes parameter skips); it’s for private use internally.

Create the wildcard certificate

Here’s the best part!

  1. Create a file named ${domain}.cnf with the following
    # default section: lets "openssl x509 -req -extfile" find the section
    # below without an explicit -extensions flag (it ignores [req])
    extensions = v3_req

    [req]
    req_extensions = v3_req

    [v3_req]
    # digitalSignature is required for ECDHE / TLS 1.3 handshakes;
    # keyEncipherment only covers the RSA key-exchange ciphersuites
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = ${domain}
    DNS.2 = *.${domain}
    DNS.3 = ${hostName}
    DNS.4 = ${otherHostName}
  2. Create a key for signing
    $ openssl genrsa -out ${domain}.key 2048
  3. Create a Certificate Signing Request
    $ openssl req -new -key ${domain}.key -out ${domain}.csr

    When presented with “Common Name”, enter

    *.${domain}

    eg: *.blog.geek.nz

  4. Sign the request against the root CA
    $ openssl x509 -req -days 3650 -in ${domain}.csr \
    -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
    -extfile ${domain}.cnf -extensions v3_req \
    -out ${domain}.crt

    The -extensions v3_req part matters: openssl x509 -req does not read req_extensions from the [req] section, so without it the signed certificate ends up with no subjectAltName and browsers will still reject it.

    You’ll note the -CAcreateserial parameter. It only needs to be used once (it creates rootCA.srl next to the root certificate); the next time you create a certificate, change

    -CAcreateserial

    to

    -CAserial rootCA.srl
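The whole procedure above, scripted end to end and then checked the way a browser would check the result (chain to the root, SAN covering the host, wildcard limited to one label). This is an added example, not the original post's commands; it assumes openssl 1.1.1 or newer on PATH, and the domain name is a constructed example.

```shell
#!/bin/sh
# Added example (not from the original post): the post's procedure run
# non-interactively, then verified against the root it was signed with.
# Assumes: openssl 1.1.1 or newer on PATH. The domain is a constructed example.
set -eu

make_ca_and_wildcard() {   # usage: make_ca_and_wildcard <domain> <workdir>
  d=$1; w=$2
  # 1. Root CA: own config so CA:TRUE is set regardless of the system openssl.cnf
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[v3_ca]' \
    'basicConstraints = critical, CA:TRUE' 'keyUsage = critical, keyCertSign, cRLSign' \
    'subjectKeyIdentifier = hash' > "$w/ca.cnf"
  openssl genrsa -out "$w/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$w/rootCA.key" -days 3653 -subj "/CN=Home Root CA" \
    -config "$w/ca.cnf" -extensions v3_ca -out "$w/rootCA.pem"
  # 2. Leaf extension file. The default-section "extensions =" line matters:
  #    "openssl x509 -req -extfile" ignores [req]/req_extensions, and without it
  #    the signed certificate would carry no SAN at all.
  cat > "$w/$d.cnf" <<EOF
extensions = v3_req
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $d
DNS.2 = *.$d
EOF
  # 3. Leaf key and CSR (browsers ignore the CN; only the SAN entries count)
  openssl genrsa -out "$w/$d.key" 2048 2>/dev/null
  openssl req -new -key "$w/$d.key" -subj "/CN=*.$d" -out "$w/$d.csr"
  # 4. Sign against the root; -CAcreateserial writes rootCA.srl on first use
  openssl x509 -req -days 3650 -in "$w/$d.csr" -CA "$w/rootCA.pem" -CAkey "$w/rootCA.key" \
    -CAcreateserial -extfile "$w/$d.cnf" -out "$w/$d.crt" 2>/dev/null
}

# Exit status 0 only if the leaf chains to the root AND its SAN covers <host>;
# a wildcard covers exactly one label, so deep.www.<domain> is rejected.
check_host() {   # usage: check_host <workdir> <domain> <host>
  openssl verify -CAfile "$1/rootCA.pem" -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1
}

# Stand-alone run (constructed domain):
W=$(mktemp -d)
make_ca_and_wildcard example.internal "$W"
check_host "$W" example.internal www.example.internal && echo "www.example.internal: ok"
check_host "$W" example.internal deep.www.example.internal || echo "deep.www.example.internal: rejected"
```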

Copy your root certificate (the rootCA.pem created above; rename it rootCA.crt so Windows recognises it) to a USB stick and plug it into your PCs.

In Windows, double click the rootCA.crt and add it to the “Trusted Root Certification Authorities” store. Firefox uses its own store, so you’ll have to add it via Options->Advanced->Certificates->Authorities->Import.

For Linux browsers, most use their own stores, so check the docs; it should be somewhere similar to Firefox’s.

For Mac, I dunno, google it.

EDIT: You could also just use letsencrypt.org, create the certs for Apache and then convert them to PFX for IIS/Azure.

chris