It’s pretty easy to get a growing internal network going at home now with devices getting cheaper and whatnot. But I myself don’t particularly don’t feel the need to expose them to the internet and only use them for myself. But I don’t like the nagging from Chrome about how this site is not secure for whatever reason on my Desktop or my tablet or phone. So I sat down this weekend and worked out how to create a cert for my web serving stuff and a CA cert for my end-use devices that made Chrome be quiet and happy and think everything was nice and secure. Here’s how I did it for the server side, later tomorrow or today I will add a post on how to do the client cert for you.

Install openssl on your working machine and buckle up!

Once you have openssl installed you need to do this twice, once for the Web servers and once for the CA for the end-user devices to accept that cert you made before.

The first thing is to generate a configuration file because we are going to make a wildcard certificate to keep from having to generate a cert for each server independently! Here’s the configuration example:

[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
countryName        = US
stateOrProvinceName = Texas
localityName       = Who Hee
organizationName   = Your Org
organizationalUnitName= Your Org Name
commonName = *.yourinternaldomain.local

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = yourinternaldomain.local
DNS.2 = *.yourinternaldomain.local

(Added more depth to CNF file)

Ok on *nix you can pretty much save that in whatever directory you are going to run the openssl command from as it will assume based on the prompt that it exists wherever it was executed from. Save the file as: openssl.cnf

On Windows, you need to change the below (like literally the text that follows below) areas where the openssl.cnf is mentioned to point to where the config is saved in the prompt.

Generate the Signing Key

Next up we generate the signing key:

openssl genrsa -out privkey.pem 2048

That is it!

Generate the Certificate Signing Request

Now we have to generate the CSR for generating our actual server cert.

openssl req -new -key privkey.pem -out csr.pem -config openssl.cnf (Updated to add -config option to CSR request)

That was nice and easy as well, now onto generating the server’s certificate!

Create the Actual Server Certificate

Now to the almost final step which is to create the cert to be installed on all the internal servers.

openssl x509 -req -days 365 -in csr.pem -signkey privkey.pem -out cert.pem -extensions req_ext -extfile openssl.cnf

Here is where we reference the openssl.cnf to get our wildcard cert. Remember Windows users to input the complete DOS path and use quotes if it has spaces to the actual cnf file.

Once Last Thing For Those Special Needs Servers

For those servers (i.e. Synology) that require a Full Chain pem file as well you can do this from *nix.

cat cert.pem privkey.pem > fullchain.pem

Ok, the server cert is done, you should be able to add it to your web servers now. I’ll be putting up the client portion for Android and Windows client CA certs sometime later today or tomorrow so that the annoying Chrome nag screen goes away.

John