en:server:services:ssl

This is an old revision of the document!

SSL

Be your own SSL Certificate Authority.

This tutorial is based on the domain nextcloud.home. So change the domain to your specific domain.

It is also important that the domain address gets redirected from your router. This can also be set in the /etc/hosts file of your computer, but to reach the domain on every device, it is easier to change this directly in the router: 

nextcloud.domain SERVER-IP

Generating the private key and root certificate

openssl genrsa -des3 -out myCA.key 2048
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem

Change the following information as you wish. It appears when you view the certificate through your browser. 

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Installing your root certificate on all the devices

You'll need to create a `myCA.pem` file on every device and copy the content of `cat myCA.pem` file wherever you created it in section generating-the-private-key-and-root-certificate.

Arch Linux

sudo trust anchor --store myCA.pem

Android

Settings - Security - Encryption and credentials - Install a certificate

Check under:

Settings - Security - Trusted credentials - User

Creating CA-Signed certificates for your domains

openssl genrsa -out domain.home.key 2048
openssl req -new -key DOMAIN.home.key -out DOMAIN.home.csr
nano DOMAIN.home.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = DOMAIN.home

Script

Create the file in nano /etc/nginx/ssl/ssl.sh. 

#!/bin/sh

if [ "$#" -ne 1 ]
then
  echo "Usage: Must supply a domain"
  exit 1
fi

DOMAIN=$1

openssl genrsa -out $DOMAIN.key 2048
openssl req -new -key $DOMAIN.key -out $DOMAIN.csr

cat > $DOMAIN.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $DOMAIN
EOF

openssl x509 -req -in $DOMAIN.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial \
-out $DOMAIN.crt -days 825 -sha256 -extfile $DOMAIN.ext
chmod +x ssl.sh
./ssl.sh domain.home
  • en/server/services/ssl.1672533324.txt.gz
  • Last modified: 2023/01/01 00:35
  • by dan