This repository aims to guide creation of a Self-Signed Certificate with localhost development purpose.
- Have a Java JDK installed
- Have OpenSSL installed
NOTE: The below steps consider the very essential content in order to get everything in place and working.
- Create a Private Key (domain.key) and CSR (domain.csr) file entering
localhostvalue forCommon Nameand leaving all the rest with default values.
openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
...
...
...
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:localhost <<<<<<<<-----------------
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- Create a self-signed certificate (domain.crt) with existing private key and CSR files:
openssl x509 -signkey domain.key -in domain.csr -req -days 730 -out domain.crt
- Create self-signed certificate authority (CA) files: private key (rootCA.key) and self-signed root CA certificate (rootCA.crt). When asked enter any password (take not of it!) and
localhostvalue forCommon Name:
openssl req -newkey rsa:2048 -x509 -sha256 -days 1825 -keyout rootCA.key -out rootCA.crt
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:
- Create a configuration text-file (domain.ext) with the following content:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
- Sign the previously generated CSR (domain.csr) file with the root CA certificate and its private key. When asked enter the password for root CA certificate (previous step):
openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in domain.csr -out domain.crt -days 730 -CAcreateserial -extfile domain.ext
Certificate request self-signature ok
subject=C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=localhost
Enter pass phrase for rootCA.key:
- In order to avoid
PKIX path building failederror, import the root CA certificate to localcacertskeystore. When asked enteryes: PS: keystore password may be different.changeitis the default one.
sudo keytool -import -alias rootCA -keystore $JAVA_HOME/lib/security/cacerts -file rootCA.crt -storepass changeit
...
...
Trust this certificate? [no]: yes
Certificate was added to keystore
- Check
rootCAalias exists incacertslist:
keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit > list.txt
...
...
rootca, Mar 7, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 84:D9:1C.....
...
...
- If necessary, delete the entry with the below command:
keytool -delete -alias rootCA -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
- Finally, for local development use the now self-signed domain.crt and domain.key files (maybe also the password set on steps above).
Sources:
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent