Local Certificate Authority for Private Networks
First, we will need to create a Certificate Authority in our home network so that we can sign the certificates.
To do that, you can find two scripts in my GitHub repository. We will start by cloning it.
Link to the repo: https://github.com/amitn322/localca
git clone https://github.com/amitn332/localca.git
cd localca/
ls
You should see two scripts, createCA.sh and createCert.sh.
We will first need to create the CA. So, to do that:
sh createCA.sh
Enter Output CA Filename without Extension: testCA
Enter pass phrase for testCA.key:
Now, when you are done with that, you should see testCA.key and testCA.pem, which are your CA private key and CA certificate.
Now, going ahead to generate a cert:
sh createCert.sh
Enter Common Name (Site Name): test.local.home
Enter CA filename: testCA
Enter pass phrase for testCA.key:
Now, you should have test.local.home.crt, test.local.home.csr and test.local.home.key.
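To show what the two steps above actually do under the hood, here is an added example in plain openssl. It is my own script, not the createCA.sh or createCert.sh from the repository, and the directory, CA name, site name and pass phrase in it are assumptions. Two details matter for a private CA and are easy to get wrong: the CA key must be pass-phrase protected (it is the whole trust anchor once it is imported into a browser), and the leaf certificate needs a subjectAltName, because current browsers ignore the CN when checking the hostname.

```shell
#!/bin/sh
# Added example, not the createCA.sh / createCert.sh scripts from the repo:
# a minimal private CA plus a leaf certificate signed by it, using openssl.
# All names (directory, CA name, site name, pass phrase) are assumptions.
set -eu

# Minimal openssl config so the example does not depend on the system
# openssl.cnf. v3_ca marks the root as a CA that may sign certificates.
write_cnf() {
cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR NAME PASS : pass-phrase-protected CA key (NAME.key) and a
# self-signed CA certificate (NAME.pem), valid for 10 years.
make_ca() {
    dir=$1; name=$2; pass=$3
    mkdir -p "$dir"
    write_cnf "$dir/openssl.cnf"
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/$name.key" 4096 2>/dev/null
    chmod 600 "$dir/$name.key"   # the CA key is the trust anchor; keep it private
    openssl req -x509 -new -config "$dir/openssl.cnf" -key "$dir/$name.key" \
        -passin "pass:$pass" -subj "/CN=$name" -days 3650 -sha256 \
        -out "$dir/$name.pem"
}

# make_cert DIR CANAME PASS SITE : key, CSR and CA-signed certificate for SITE.
# The certificate carries a subjectAltName, which browsers require; a CN alone
# is not enough for current Chrome and Firefox.
make_cert() {
    dir=$1; ca=$2; pass=$3; site=$4
    openssl genrsa -out "$dir/$site.key" 2048 2>/dev/null
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/$site.key" \
        -subj "/CN=$site" -out "$dir/$site.csr"
cat > "$dir/$site.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$site
authorityKeyIdentifier = keyid,issuer
EOF
    openssl x509 -req -in "$dir/$site.csr" -CA "$dir/$ca.pem" -CAkey "$dir/$ca.key" \
        -passin "pass:$pass" -CAcreateserial -days 825 -sha256 \
        -extfile "$dir/$site.ext" -out "$dir/$site.crt" 2>/dev/null
}

# verify_cert CAFILE CERT : succeeds only if CERT chains to CAFILE.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# has_san CERT SITE : succeeds if CERT lists SITE as a DNS subjectAltName.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_is_encrypted KEYFILE : succeeds if the PEM key is pass-phrase protected.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# Demo run using the tutorial's names, in a scratch directory.
WORK=$(mktemp -d)
make_ca "$WORK" testCA 'demo-pass-phrase'
make_cert "$WORK" testCA 'demo-pass-phrase' test.local.home
verify_cert "$WORK/testCA.pem" "$WORK/test.local.home.crt" && echo "chain OK: $WORK"
```

The files the demo leaves in $WORK map directly onto the tutorial: testCA.pem is what you import into the trust store, and test.local.home.crt and test.local.home.key are what nginx points at. Run `openssl x509 -in test.local.home.crt -noout -text` to confirm the SAN and the Issuer line before wiring it into a server.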
Now, I have an nginx server running on this box, so I'll go ahead and create a configuration for it.
cd /data/webConfigs/
vi test.conf
server {
listen 443 ssl http2;
server_name test.local.home;
root /var/www/html/test/;
ssl_certificate "/tmp/localca/test.local.home.crt";
ssl_certificate_key "/tmp/localca/test.local.home.key";
}
Now, let's create the webroot and the index file.
nginx -t # checking the configuration
mkdir -p /var/www/html/test/
echo "This works" > /var/www/html/test/index.html
nginx -s reload
Now, let's add the IP address of the webserver to the hosts file. If you are on Linux, /etc/hosts should do the job for you, and if you are on Windows, C:\Windows\System32\drivers\etc\hosts is the file to edit.
echo "192.168.100.123 test.local.home" >> C:\Windows\System32\drivers\etc\hosts
Now, try pinging it:
ping -c 1 test.local.home
And if you try to open the URL in your browser, you should see that the browser reports the connection as insecure.
This is because you don't trust the CA yet. You need to import the CA certificate.
In Windows, to install the certificate, type certmgr in the search bar and open it.
Click on:
- Trusted Root Certification Authorities
- Certificates
Right-click it, choose "All Tasks" -> "Import", browse to your testCA.pem file and import it.
Now, when you open the website again, you should see that it is trusted. Also, you can now create as many certificates as you want with this CA and they will all be trusted.