Sometimes when you experiment with some apps and VMs (like hosting GitLab on a local server or running a Rancher lab cluster) you might want to set up SSL for the app, to mimic the live setup and to make the browser happy. In order to do that, you need an SSL certificate.

You can buy one for your domain from a trusted CA, but if you’re working on a local network, that might not be possible. The other solution is… becoming a CA yourself and issuing and signing the certificate yourself!

It’s pretty easy: you need a Linux box with openssl installed, then follow these instructions:

CA part

To become a CA, you need a key and certificate pair. To create the key, execute:

openssl genrsa -des3 -out myCA.key 2048

To generate the certificate, execute the following:

openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1925 -out myCA.pem

That’s it! Now after you import the CA certificate to your machine, every certificate signed by it is going to be trusted!

CRT part

First thing you need is a private key:

openssl genrsa -out rancher.example.com.key 2048

Then create the signing request:

openssl req -new -key rancher.example.com.key -out rancher.example.com.csr

Answer the questions asked; one potentially important answer is the Common Name.

Now, to sign it with the CA key and certificate, you need a config file with the Subject Alternative Name (SAN) specified.

The config I used comes from here:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = rancher.example.com

Now the final command to sign the certificate:

openssl x509 -req -in rancher.example.com.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out rancher.example.com.crt -days 1825 -sha256 -extfile config.conf

Now you should have the working and signed certificate.
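The whole procedure above run end to end without prompts, followed by the checks a client performs on the result (chain validates against the CA, SAN carries the host name, leaf is not a CA). This is an added example, not code from the original post; it assumes openssl is on PATH, and the host name and passphrase are placeholders.

```shell
#!/bin/sh
# Added example: local CA + SAN-signed leaf, then verification.
# Assumptions: openssl on PATH; HOST and CA_PASS are lab placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="rancher.example.com"
CA_PASS="pass:change-me-lab-only"   # placeholder; encrypts the CA key at rest

make_ca() {
  # Encrypted CA key (same idea as the post's -des3), self-signed CA cert.
  openssl genrsa -aes256 -passout "$CA_PASS" -out "$WORK/myCA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/myCA.key" -passin "$CA_PASS" -sha256 -days 1825 \
    -subj "/CN=Lab Root CA" -out "$WORK/myCA.pem"
}

make_leaf() {
  openssl genrsa -out "$WORK/$HOST.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$HOST.key" -subj "/CN=$HOST" -out "$WORK/$HOST.csr"
  # Extension file: leaf (not a CA), server use, SAN with the host name
  # browsers actually match against.
  cat > "$WORK/config.conf" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = $HOST
EOF
  # Leaf lifetime kept shorter than the CA's.
  openssl x509 -req -in "$WORK/$HOST.csr" -CA "$WORK/myCA.pem" -CAkey "$WORK/myCA.key" \
    -passin "$CA_PASS" -CAcreateserial -out "$WORK/$HOST.crt" -days 825 -sha256 \
    -extfile "$WORK/config.conf" 2>/dev/null
}

# What a client checks: signature chains to the CA, SAN names the host,
# and the certificate cannot itself issue further certificates.
verify_leaf() {
  openssl verify -CAfile "$WORK/myCA.pem" "$WORK/$HOST.crt" >/dev/null || return 1
  openssl x509 -in "$WORK/$HOST.crt" -noout -text | grep -q "DNS:$HOST" || return 1
  openssl x509 -in "$WORK/$HOST.crt" -noout -text | grep -q "CA:FALSE" || return 1
}
```

Import `$WORK/myCA.pem` (never `myCA.key`) into the browser or OS trust store; the leaf key and certificate go to the app.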

Links & Gotchas

why you cannot do TLD wildcard, even with SAN (like *.local)

Useful links