Create a Valid Self-Signed SSL Certificate
In the previous article, we delved into the step-by-step process of setting up Vaultwarden in our Home Lab.
Understanding SSL Certificates:
SSL Certificates are digital credentials that establish a secure connection and encrypt the data exchanged between a user’s browser and a web server. This encryption is important for safeguarding sensitive information, such as login credentials, personal details, and financial transactions.
Key components of an SSL certificate include:
- Issuer: The entity that issues the SSL certificate.
- Subject: The entity the SSL certificate belongs to.
- Validity Period: The timeframe during which the certificate is considered valid.
- Public Key: A cryptographic key used for encryption and included in the certificate.
- Digital Signature: Verifies the authenticity of the certificate.
What is a Self-Signed SSL Certificate?
Unlike certificates issued by recognized Certificate Authorities (CAs), self-signed SSL certificates are generated by the entity they belong to, without the involvement of a third-party CA. While they offer encryption, they lack the validation provided by a trusted CA. Despite this, self-signed certificates serve a crucial role in development environments, local servers, and scenarios where a CA-signed certificate may not be necessary.
How Do Self-Signed SSL Certificates Work?
When a user accesses a website with a self-signed SSL certificate, their browser will typically display a warning that the certificate is untrusted. This is because the certificate hasn’t been signed by a CA the browser already trusts. However, we can add our own CA as a trusted CA on each individual system to prevent the warning, and that is what we’ll be doing today. Even so, the warning doesn’t pose a security risk in our case, as all the services we are accessing will be on our local Home Network and not reachable via the Internet.
To create a self-signed SSL certificate, a cryptographic key pair is generated: a public key, which is embedded in the certificate together with the subject, issuer and validity details, and a private key, which the server keeps secret and which never appears in the certificate. Together they let the client and server set up an encrypted channel for data transmission.
Creating Our Self-Signed SSL Certificate:
To create our very own self-signed SSL certificate we’ll be using a simple command line tool called OpenSSL. It comes pre-installed on almost all major Linux distributions, and where it isn’t, it is easy to install. On Linux, we can run OpenSSL directly from the terminal. On Windows, we can use Git Bash if Git is already installed on the system. In this article we’ll be using Git Bash on Windows to generate our self-signed SSL certs.
- First and foremost we need a Certificate Authority (CA) to issue our self-signed certificate.
- We start by generating an RSA key. This will be the private key of the CA certificate, and it must never be shared. We encrypt it with AES-256 and protect it with a passphrase, because anyone with access to this key can issue new certificates that every system trusting our CA will accept.
- Type in the command below and the key will be written to a file called CAKey.pem
openssl genrsa -aes256 -out CAKey.pem 4096
- We now need to enter our passphrase, after which the private key for our CA will be generated.
Note: The passphrase is accepted as you type, but the characters are not shown in the bash window.
- Now we can generate a CA certificate for this private key with the command below. We also set the number of days the certificate stays valid. Once it expires we need to create another certificate and install it on every system from which we access our Home Lab, otherwise the SSL errors return.
openssl req -new -x509 -sha256 -days 365 -key CAKey.pem -out CA.pem
- It will now ask for the passphrase; type in the same one. After the passphrase, it asks for the information a CA certificate usually contains. We can skip it or fill it all in. It isn’t strictly required, since we will only be using this CA on our Home Network, which is our local network.
- This generates the CA certificate as CA.pem
- Now that we have a CA, we can start creating our self-signed SSL certs. The plan is to create a single wildcard SSL certificate covering our root domain and all our sub-domains, so that we won’t need to create individual certificates for each sub-domain.
- We start by creating an RSA key as we did for the CA, but this one we don’t need to encrypt. Type in the command below.
openssl genrsa -out CertKey.pem 4096
- This writes a file called CertKey.pem containing our RSA key.
- Next we generate a Certificate Signing Request (CSR). Type in the command below.
openssl req -new -sha256 -subj "/CN=Home Lab" -key CertKey.pem -out Cert.csr
# If an error is thrown, try adding another forward slash in the above command, like "//CN=Home Lab" (Git Bash otherwise treats the leading slash as a path to be converted)
- This outputs a file called Cert.csr, which we will use next to create our self-signed SSL certificate.
- Before creating our self-signed SSL cert, we create a config file containing the domains this certificate will cover. Type in the command below.
echo "subjectAltName=DNS:*.home.lab,DNS:home.lab" >> Config.cnf
# You can change the wildcard domain name as per your wish
- Now we would have a config file named Config.cnf that we’ll be using in the next step to create the actual self-signed certificate.
- Now we can create a certificate from the CSR that we generated. We can type in the below command for the same.
openssl x509 -req -sha256 -days 365 -in Cert.csr -CA CA.pem -CAkey CAKey.pem -out Cert.pem -extfile Config.cnf -CAcreateserial
- This writes a file named Cert.pem, which is the certificate we just generated.
- But before we can start using it, we need to combine CA.pem and Cert.pem into a single file so that the client can validate the certificate chain once we have added our CA as a trusted CA on all the systems. Type in the command below to combine the files.
cat CA.pem >> ./Cert.pem
- We have now successfully generated a valid self-signed SSL certificate using OpenSSL.
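The whole procedure above as one non-interactive script, plus the checks worth running before the certificate is deployed. This is an added example, not code from the original article: it assumes openssl is in PATH, uses the constructed LAB_CA_PASS passphrase, and adds basicConstraints and extendedKeyUsage to the extensions the article sets.

```shell
#!/bin/sh
# Added example (not the article's own code): the CA and wildcard-certificate steps
# above as one non-interactive script, plus the checks worth running before the
# certificate goes into Nginx Proxy Manager. Assumes openssl is in PATH; LAB_CA_PASS
# is a constructed demo passphrase, so set your own in the environment.
set -eu

make_lab_pki() {                       # usage: make_lab_pki <dir> <domain>
  dir=$1; domain=$2
  pass=${LAB_CA_PASS:-demo-passphrase-change-me}     # constructed default
  mkdir -p "$dir"
  # Minimal config: empty DN section (subject comes from -subj) plus explicit
  # extensions. CA:TRUE on the CA and CA:FALSE on the leaf are what clients check.
  cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
subjectAltName = DNS:*.$domain,DNS:$domain
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
  # CA key (AES-256); -passout/-passin replace the interactive passphrase prompts
  openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/CAKey.pem" 4096
  openssl req -new -x509 -sha256 -days 365 -config "$dir/openssl.cnf" \
    -extensions v3_ca -subj "/CN=Home Lab CA" \
    -key "$dir/CAKey.pem" -passin "pass:$pass" -out "$dir/CA.pem"
  # Server key (unencrypted, as in the article) and CSR
  openssl genrsa -out "$dir/CertKey.pem" 4096
  openssl req -new -sha256 -config "$dir/openssl.cnf" -subj "/CN=Home Lab" \
    -key "$dir/CertKey.pem" -out "$dir/Cert.csr"
  # Sign the CSR with the CA, attach the leaf extensions, then append the CA (chain)
  openssl x509 -req -sha256 -days 365 -in "$dir/Cert.csr" -CA "$dir/CA.pem" \
    -CAkey "$dir/CAKey.pem" -passin "pass:$pass" -CAcreateserial \
    -extfile "$dir/openssl.cnf" -extensions v3_leaf -out "$dir/Cert.pem"
  cat "$dir/CA.pem" >> "$dir/Cert.pem"
}
# 0 if Cert.pem chains to CA.pem and is acceptable as a TLS server certificate
verify_chain() { openssl verify -CAfile "$1/CA.pem" -purpose sslserver "$1/Cert.pem" >/dev/null; }
# 0 if the SANs cover <host>, non-zero otherwise (usage: cert_covers_host <dir> <host>)
cert_covers_host() {
  openssl verify -CAfile "$1/CA.pem" -verify_hostname "$2" "$1/Cert.pem" >/dev/null 2>&1
}
if [ $# -eq 2 ]; then                  # e.g. sh make-lab-pki.sh ./labpki home.lab
  make_lab_pki "$1" "$2" && verify_chain "$1" && echo "chain OK for *.$2"
fi
```

The hostname check is the one to run on every name you plan to proxy: a name outside the SAN list (for example a second-level wildcard like vault.other.lab) fails even though the chain itself is valid.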
We can now upload the Cert.pem certificate file to Nginx Proxy Manager, where we can configure HTTPS access to all our services using the domain name instead of the IP address and port number we use now.
But even after configuring the certificate in Nginx Proxy Manager, we will still see the warning in the browser, as we haven’t yet added the CA we created as a Trusted Root CA. On Windows, we can type in the command below (from a Git Bash opened as administrator, since it writes to the machine-wide root store) to add the CA as a Trusted Root CA.
certutil.exe -addstore root ./CA.pem
Now our CA is added as a Trusted CA and we will no longer get the warning in our browser.
In this article, we have explored the step-by-step process of creating a self-signed SSL certificate.
In the next article, we will be looking into the Nginx Proxy Manager service in which we will be adding our self-signed SSL certificate and accessing all our installed services in our Home Lab. Stay tuned for more detailed instructions on expanding our Home Labbing capabilities.