Tiny CA - OpenSSL-CA
Table of Contents
Bite the bullet and create a tiny CA for local network.
As browsers are getting more secure and packed with more safeguards to prevent malicious actors from doing their biddings, they become less friendly with self-signed certificates. This is a pain in small labs and other wall off networks. While using http for non-prod/testing can be a solution, it is not ideal and can create other issues.
- Create the simplest CA setup that can be recreated and thrown away at wish.
- Create one wildcard server certificate for any servers in the network.
The result is a simple script with an openssl config file that will generate a CA and a wildcard certificate.
WARNING: This is intended for testing/throw-away environment. Don’t use it for production.
Install CA certificate into browser or OS.
Install server certificate and key into webserver.
Most modern browsers will not accept wildcard certificate for TLD (top level domain). For example
*.com, will not work.
Install CA in Ubuntu
Copy ca certificate to
/usr/local/share/ca-certificates and change extension to crt. Then run
- Take domain name from command line.
- Each domain in own directory under ca directory.
- Automatically generate der format for both ca and server cert.
- Check if ca and server cert exist.
- Remove OSCP and CRL extension from ca.cnf.template.
- Incorporated ca config template into tiny_ca.sh.
OpenSSL Certificate Authority by Jamie Nguyen.
openssl-ca man page.