Differences
This shows you the differences between two versions of the page.
en:server:services:ssl [2023/01/07 07:28] – [ssl-params.conf] added the actual code dan | en:server:services:ssl [2024/05/11 22:05] (current) – [Arch Linux] deleted sudo to be consistent with other tutorials dan | ||
---|---|---|---|
Line 5: | Line 5: | ||
This tutorial is based on the domain '' | This tutorial is based on the domain '' | ||
- | It is also important that the domain address gets redirected from your router. This can also be set in the ''/ | + | It is also important that the domain address gets redirected from your router |
< | < | ||
Line 12: | Line 12: | ||
- | ===== Generating the private key and root certificate | + | ===== mkcert |
- | < | + | [[https:// |
- | openssl genrsa -des3 -out myCA.key 2048 | + | |
- | </code> | + | |
- | < | ||
- | openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem | ||
- | </ | ||
- | Change the following information as you wish. It appears when you view the certificate through your browser. | + | ==== Packages ==== |
< | < | ||
- | Country Name (2 letter code) [AU]: | + | pacman |
- | State or Province Name (full name) [Some-State]: | + | |
- | Locality Name (eg, city) []: | + | |
- | Organization Name (eg, company) [Internet Widgits Pty Ltd]: | + | |
- | Organizational Unit Name (eg, section) []: | + | |
- | Common Name (e.g. server FQDN or YOUR name) []: | + | |
- | Email Address []: | + | |
</ | </ | ||
- | ===== Installing your root certificate | + | ==== Create |
- | You'll need to create a '' | + | < |
+ | mkcert | ||
+ | </ | ||
- | ==== Arch Linux ==== | + | ==== Create certificates for your domains |
< | < | ||
- | sudo trust anchor --store myCA.pem | + | mkcert nextcloud.home |
</ | </ | ||
- | ==== Android | + | ===== Manually ===== |
- | '' | ||
- | Check under: | + | ==== Generating the private key and root certificate ==== |
- | '' | + | < |
+ | openssl genrsa | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1825 -out rootCA.pem | ||
+ | </ | ||
+ | |||
+ | Change the following information as you wish. It appears when you view the certificate through your browser. | ||
+ | < | ||
+ | Country Name (2 letter code) [AU]: | ||
+ | State or Province Name (full name) [Some-State]: | ||
+ | Locality Name (eg, city) []: | ||
+ | Organization Name (eg, company) [Internet Widgits Pty Ltd]: | ||
+ | Organizational Unit Name (eg, section) []: | ||
+ | Common Name (e.g. server FQDN or YOUR name) []: | ||
+ | Email Address []: | ||
+ | </ | ||
- | ===== Creating CA-Signed certificates for your domains | + | ==== Creating CA-Signed certificates for your domains ==== |
< | < | ||
- | openssl genrsa -out domain.home.key 2048 | + | openssl genrsa -out nextcloud.home-key.pem 2048 |
</ | </ | ||
< | < | ||
- | openssl req -new -key DOMAIN.home.key -out DOMAIN.home.csr | + | openssl req -new -key nextcloud.home-key.pem -out nextcloud.home.pem |
</ | </ | ||
< | < | ||
- | nano DOMAIN.home.ext | + | nano nextcloud.home.ext |
</ | </ | ||
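Review bot: the CSR output on the `openssl req -new` line changed from `DOMAIN.home.csr` to `nextcloud.home.pem`, a name that reads like a certificate rather than a signing request; since the signed certificate is later written to `$DOMAIN.crt`, keeping a `.csr` suffix (for example `-out nextcloud.home.csr`) would stop readers from pointing `ssl_certificate` at the unsigned request. The key rename to `nextcloud.home-key.pem` is fine and matches the `-key.pem` naming used elsewhere in the revision.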
Line 76: | Line 84: | ||
[alt_names] | [alt_names] | ||
- | DNS.1 = DOMAIN.home | + | DNS.1 = nextcloud.home |
</ | </ | ||
- | ==== Script | + | === Script === |
Create the file in '' | Create the file in '' | ||
Line 95: | Line 103: | ||
DOMAIN=$1 | DOMAIN=$1 | ||
- | openssl genrsa -out $DOMAIN.key 2048 | + | openssl genrsa -out $DOMAIN-key.pem 2048 |
- | openssl req -new -key $DOMAIN.key -out $DOMAIN.csr | + | openssl req -new -key $DOMAIN-key.pem -out $DOMAIN.pem |
cat > $DOMAIN.ext << EOF | cat > $DOMAIN.ext << EOF | ||
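Review bot: the expansions in `openssl genrsa -out $DOMAIN-key.pem 2048` and `openssl req -new -key $DOMAIN-key.pem -out $DOMAIN.pem` are unquoted; writing them as `"$DOMAIN-key.pem"` and `"$DOMAIN.pem"` keeps the script safe if the argument ever contains whitespace, and a guard such as `[ -n "$DOMAIN" ] || exit 1` right after `DOMAIN=$1` stops the script from running with an empty name when it is invoked without an argument.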
Line 107: | Line 115: | ||
EOF | EOF | ||
- | openssl x509 -req -in $DOMAIN.csr -CA myCA.pem -CAkey | + | openssl x509 -req -in $DOMAIN.pem -CA rootCA.pem -CAkey |
-out $DOMAIN.crt -days 825 -sha256 -extfile $DOMAIN.ext | -out $DOMAIN.crt -days 825 -sha256 -extfile $DOMAIN.ext | ||
</ | </ | ||
Line 113: | Line 121: | ||
< | < | ||
chmod +x ssl.sh | chmod +x ssl.sh | ||
- | ./ | + | ./ |
</ | </ | ||
+ | |||
+ | |||
+ | ===== Installing your root certificate on all the devices ===== | ||
+ | |||
+ | You'll need to create a '' | ||
+ | |||
+ | If you used [[#mkcert]] just run this command '' | ||
+ | |||
+ | |||
+ | ==== Arch Linux ==== | ||
+ | |||
+ | < | ||
+ | trust anchor --store rootCA.pem | ||
+ | </ | ||
+ | |||
+ | |||
+ | ==== Android ==== | ||
+ | |||
+ | === User trusted credentials === | ||
+ | |||
+ | '' | ||
+ | |||
+ | Check under: | ||
+ | |||
+ | '' | ||
+ | |||
+ | |||
+ | === System trusted credentials === | ||
+ | |||
+ | If "User trusted credentials" | ||
+ | |||
+ | < | ||
+ | hashed_name=`openssl x509 -inform PEM -subject_hash_old -in rootCA.pem | head -1` && cp rootCA.pem $hashed_name.0 | ||
+ | ls $hashed_name.0 | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | adb root | ||
+ | adb shell mount -o rw,remount / | ||
+ | adb push $hashed_name.0 / | ||
+ | adb shell chmod 644 / | ||
+ | adb shell chown root:root / | ||
+ | adb shell reboot | ||
+ | </ | ||
+ | |||
+ | You can also use the Magisk module [[https:// | ||
+ | |||
+ | |||
+ | === Use third party CA certificates for firefox === | ||
+ | |||
+ | You might want to '' | ||
+ | |||
+ | - Open your browser and scroll to the bottom and click About firefox/ | ||
+ | - Click several times on the logo and go back | ||
+ | - Click on secret settings and enable '' | ||
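Review bot: the "System trusted credentials" steps (`adb root`, remount, pushing `$hashed_name.0`) install the CA into the system store, which every app on the device trusts; the section should say that the matching private key (`rootCA.key` from the manual section, or the mkcert CA key) must stay off the phone and in a protected location, because anyone holding it can issue certificates this device will accept for any name. Minor: `$(openssl x509 -inform PEM -subject_hash_old -in rootCA.pem | head -1)` is the clearer form of the backtick substitution, and `-subject_hash_old` is indeed the hash form the system store expects for the file name, so that part is correct.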
Line 135: | Line 198: | ||
ssl_session_cache shared: | ssl_session_cache shared: | ||
</ | </ | ||
+ | |||
+ | |||
==== example ==== | ==== example ==== | ||
Line 152: | Line 217: | ||
server_name nextcloud.home; | server_name nextcloud.home; | ||
- | ssl_certificate / | + | ssl_certificate / |
- | ssl_certificate_key / | + | ssl_certificate_key / |
include conf.d/ | include conf.d/ | ||
| |
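Review bot: make sure the `ssl_certificate` and `ssl_certificate_key` paths match the files the earlier steps actually produce: the script writes the signed certificate to `$DOMAIN.crt` and the key to `$DOMAIN-key.pem`, while `$DOMAIN.pem` is only the CSR, so for `server_name nextcloud.home` the manual route yields `nextcloud.home.crt` and `nextcloud.home-key.pem`; readers who used mkcert will have different certificate file names, so the example should state which method it assumes.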