Creating server certificates with your own custom root Certificate Authority
Generating a self-signed server certificate for HTTPS is easy enough, but having your own certificate authority (CA) to sign with means you only have to import one certificate into your devices for trust. This is the process I followed to generate my own root CA certificate and server certificates for HTTPS on my internal network.
Generating a root CA certificate
First create a new root CA key and certificate pair. You only need to create the pair once; the certificate has a life of 3650 days (10 years). Keep the output files safe, as they are used every time you sign a new server certificate.
The commands below generate a root CA certificate for the example home.lan domain. Edit the CN=home.lan part to match your own domain.
To import the CA on Android 11 you need the following option in the file ca.conf:
Output files:
- homelan_rootCA.key
- homelan_rootCA.cert
homelan_rootCA.cert is your CA certificate. This is the file you import into your devices for trust. Put it on your servers, desktops and mobile devices. homelan_rootCA.key is the signing key: it never leaves the machine you sign on, and it should be readable only by the account that does the signing.
Generating a new server key and certificate request
This will generate the private key and certificate signing request (CSR) for a demonstration nginx server known as www.home.lan. The certificate signed from this request in the next step has a life of 365 days.
Output files:
- www.key
- www.csr
Sign with the custom root CA
Sign the certificate request from the previous step with the root CA generated at the beginning of this process.
First create the extension file www_csr.cnf with the following content to add a subject alternative name (SAN). Modern browsers match the host name against the SAN and ignore the CN, so a server certificate without a SAN is rejected even when the CN is correct.
Now complete the request with the following command.
Nginx setup
Copy the files to your nginx ssl directory, appending the root CA certificate to the certificate bundle. nginx only needs the server certificate followed by any intermediate CA certificates; with a single root CA there are no intermediates, so appending the root is optional, but it does no harm.
Nginx config
Configure your server block with the server name and the paths to the certificate bundle and private key.
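The whole procedure above (root CA, server key and CSR, signing with a SAN, verification, bundle and nginx server block) as one script. This is an added example, not the commands from the original post. The file names are the post's; the extension values written into ca.conf and www_csr.cnf are my assumption of what the post's config snippets contained (basicConstraints CA:TRUE is the option Android 11 requires before it will import a user CA); NGINX_SSL_DIR is a placeholder for your nginx ssl directory. It needs only the openssl CLI.

```shell
#!/bin/sh
# Added example, not the post's own commands: build the home.lan root CA, issue
# a SAN certificate for www.home.lan with it, check the result, and write an
# nginx server block. The extension values in ca.conf and www_csr.cnf are
# assumed; NGINX_SSL_DIR is an assumed path.
set -eu

CA_NAME="homelan_rootCA"       # produces homelan_rootCA.key / homelan_rootCA.cert
CA_DAYS=3650                   # 10 years, as in the post
SERVER_DAYS=365
NGINX_SSL_DIR="/etc/nginx/ssl" # assumed location of your nginx ssl directory

# 1. Root CA key and self-signed certificate. basicConstraints CA:TRUE is the
#    extension Android 11 insists on before it will import a user CA.
make_root_ca() {
    domain="$1"
    cat > ca.conf <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = ${domain}
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "${CA_NAME}.key" 4096 2>/dev/null
    chmod 600 "${CA_NAME}.key"
    openssl req -x509 -new -sha256 -days "$CA_DAYS" -config ca.conf \
        -key "${CA_NAME}.key" -out "${CA_NAME}.cert"
}

# 2. Server private key and certificate signing request.
make_server_csr() {
    host="$1"
    openssl genrsa -out www.key 2048 2>/dev/null
    chmod 600 www.key
    openssl req -new -sha256 -key www.key -subj "/CN=${host}" -out www.csr
}

# 3. Sign the CSR with the root CA. Browsers match the host against the
#    subjectAltName, not the CN, so the SAN is what makes the cert usable;
#    CA:FALSE stops the server key from being used to issue further certs.
sign_server_cert() {
    host="$1"
    cat > www_csr.cnf <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${host}
EOF
    openssl x509 -req -sha256 -days "$SERVER_DAYS" -in www.csr \
        -CA "${CA_NAME}.cert" -CAkey "${CA_NAME}.key" -CAcreateserial \
        -extfile www_csr.cnf -out www.cert 2>/dev/null
}

# 4. Check before deploying: the cert chains to the root and names the host.
verify_server_cert() {
    host="$1"
    openssl verify -CAfile "${CA_NAME}.cert" www.cert >/dev/null &&
        openssl x509 -in www.cert -noout -text | grep -q "DNS:${host}"
}

# 5. Bundle as the post does (server cert first, root appended). nginx only
#    needs the leaf plus intermediates, so the root is optional but harmless.
make_bundle() {
    cat www.cert "${CA_NAME}.cert" > www_bundle.cert
}

# 6. nginx server block pointing at the bundle and key; $2 is the output path.
write_nginx_site() {
    host="$1"; out="$2"
    cat > "$out" <<EOF
server {
    listen 443 ssl;
    server_name ${host};
    ssl_certificate     ${NGINX_SSL_DIR}/www_bundle.cert;
    ssl_certificate_key ${NGINX_SSL_DIR}/www.key;
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF
}

if [ "${1:-}" = "run" ]; then
    make_root_ca home.lan
    make_server_csr www.home.lan
    sign_server_cert www.home.lan
    verify_server_cert www.home.lan && echo "www.home.lan: certificate OK"
    make_bundle
    write_nginx_site www.home.lan www.home.lan.conf
fi
```

Run it as `sh mkcerts.sh run` in an empty directory, then copy www_bundle.cert and www.key to your nginx ssl directory and www.home.lan.conf into your nginx configuration. The verify step is the one worth keeping in your own workflow: `openssl verify -CAfile` catches a cert signed with the wrong CA, and the SAN grep catches a forgotten www_csr.cnf, both before a browser tells you about it.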
Conclusion
This process lets you sign server certificates for private networks with your own CA. Keep the root CA private key safe, since anyone holding it can mint a trusted certificate for any host on your network, and import the root CA certificate into the keychain or trust store of each device so that connections pass without security warnings.