Skip to content

Instantly share code, notes, and snippets.

@brccabral

brccabral/01_README.md

Last active March 3, 2026 09:24
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save brccabral/6f33f6d450b436401860d843ee18895e to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save brccabral/6f33f6d450b436401860d843ee18895e to your computer and use it in GitHub Desktop.
Download ZIP
Self-Signed Certificate with Self-Signed CA
Raw
01_README.md

Self-Signed Certificate with Self-Signed CA

Create file san.cnf

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.myserver.local
DNS.2 = myserver.local
IP.1 = 127.0.0.1
IP.2 = 192.168.X.X

Create key for your local CA

openssl genrsa -out my_local_ca.key 4096

Create certificate for local CA (fill in data, see -subj "/C=x/ST=y...")

openssl req -x509 -new -nodes \
  -key my_local_ca.key \
  -sha256 -days 3650 \
  -out my_local_ca.crt

Create key for your server

openssl genrsa -out myserver.local.key 2048

Create the request for your server (fill in data, see -subj "/C=x/ST=y..." for automation)

openssl req -new \
  -key myserver.local.key \
  -out myserver.local.csr

Create the certificate

openssl x509 -req \
  -in myserver.local.csr \
  -CA my_local_ca.crt \
  -CAkey my_local_ca.key \
  -CAcreateserial \
  -out myserver.local.crt \
  -days 3650 \
  -sha256 \
  -extfile san.cnf \
  -extensions v3_req

Update system cacert to trust your local CA (do it for all computers that will connect to the web service, including the server itself, your laptop, etc)

sudo cp my_local_ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Firefox has its own cacert in Settings, add to it too

Apply myserver.local.key and myserver.local.crt to all web-services (nginx, docker containers, etc).

Restart services, like Tailscale, nginx, etc.

sudo systemctl restart tailscaled
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment