Generating a self-signed SSL/TLS certificate for a local IP address or local domain
In real life, when we build a website and make it public, a paid or free Certificate Authority (CA) signs a certificate for our website's domain (an IP address is not acceptable!), which enables SSL/TLS connections from the user's browser to our server.
For security reasons, the browser only accepts server certificates signed by a trusted CA, and the CA certificates are kept in the host system's trust store. On Linux, you can view the CA certificate bundle in a file such as /etc/ssl/certs/ca-certificates.crt.
One of the most popular Certificate Authorities is Let's Encrypt, a free, non-profit CA.
However, in internal networks and development environments, we often need self-signed certificates instead.
Here is an example: we will generate a local server certificate signed by a local CA, so that in the end Chrome can visit our local website without a security warning.
In brief, the steps we need to sign a local server certificate simulate how a CA signs certificates for public servers, as follows:
1. Create a local Root CA.
2. Create a CSR (Certificate Signing Request) file for the local server 127.0.0.1.
3. Use the local Root CA to sign the local server 127.0.0.1 CSR and generate a certificate.
4. Install the local Root CA into our system (Windows, Ubuntu or macOS) trust store.
5. Run a simple HTTPS server to test the local server certificate.
Official CAs have to validate that the domain is owned by the requester before step 3, and we can ignore step 4 for them, as their root certificates are already installed in the system or browser trust store.
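The five steps above, as an added shell example (not the post's own commands): it performs steps 1 to 3 with openssl and then checks the result the way the browser will after step 4. It assumes openssl 1.1.1 or newer; the output directory and the file names ca.key, ca.crt, server.key, server.csr, server.ext and server.crt are my own choice.

```shell
#!/bin/sh
# Added example (not the post's own commands). Assumes openssl 1.1.1+ and
# writes steps 1-3 into the directory given as $1 (constructed layout:
# ca.key/ca.crt, server.key/server.csr/server.ext/server.crt).
set -eu

make_local_pki() {
  dir="${1:-./pki}"
  mkdir -p "$dir"

  # Step 1: local Root CA. "req -x509" produces a self-signed certificate; the
  # default openssl.cnf (v3_ca) / OpenSSL 3 defaults mark it CA:TRUE.
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -subj "/CN=Local Dev Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

  # Step 2: server key plus CSR for the local server 127.0.0.1.
  openssl req -new -newkey rsa:2048 -sha256 -nodes \
    -subj "/CN=127.0.0.1" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

  # Step 3: the Root CA signs the CSR. Browsers ignore the CN and require a
  # subjectAltName, so the IP goes into an extension file; the leaf is
  # explicitly CA:FALSE and limited to serverAuth.
  printf '%s\n' 'subjectAltName=IP:127.0.0.1' \
                'basicConstraints=CA:FALSE' \
                'extendedKeyUsage=serverAuth' > "$dir/server.ext"
  openssl x509 -req -sha256 -days 90 \
    -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# Check that server.crt chains to the local Root CA (what the browser does once
# ca.crt is in the trust store) and carries 127.0.0.1 as a SAN, not just a CN.
verify_local_pki() {
  dir="${1:-./pki}"
  openssl verify -CAfile "$dir/ca.crt" -verify_ip 127.0.0.1 \
    "$dir/server.crt" >/dev/null 2>&1
}

# Usage: "sh thisfile.sh run ./pki". Step 4 is importing ca.crt into the OS
# trust store; step 5 is starting an HTTPS server with server.crt/server.key.
if [ "${1:-}" = "run" ]; then
  make_local_pki "${2:-./pki}" && verify_local_pki "${2:-./pki}" && echo "chain OK"
fi
```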
There is also a nice picture in "How to create your own self-signed root Certificate Authority (CA)" that shows the relationship between the CA, the server and the browser.