(see also: https://github.com/creachadair/tlsutil)
- Generate a self-signed certificate (Go stdlib)
- Generate a CA cert and a cert signed by it (Filippo)
- Test examples for certificate manipulations (Go stdlib)
- Generate and sign a certificate with a CA
A "CA" certificate is basically just a self-signed certificate that someone has blessed. There are a few pedantic details you have to get right in the cert settings if you want a browser to accept it (particularly an older browser), but CLI tools seem to be less picky.
- Add the `.crt` file to `/usr/share/ca-certificates` and run `sudo update-ca-certificates`.
It turns out this dance is not strictly necessary: running `update-ca-certificates` has the effect of "compiling" all the certificates selected by the configuration file into a single file, `/etc/ssl/certs/ca-certificates.crt`. The compilation is nothing more than concatenating the PEM form of each cert end to end. A tool that wants to add a cert can just append it to the end of that file.
There is a bit more plumbing to consider:
- `/etc/ca-certificates.conf` is a text file that lists which certificates should be picked up by the compiler. Each non-comment line names the path of a file under `/usr/share/ca-certificates` that should either be kept or skipped (a leading `!` means to skip it). The `dpkg-reconfigure` plugin for `ca-certificates` has a TUI for editing this file, but emacs works too.
- Installed certificates are linked into `/etc/ssl/certs`, that is, a symlink in that directory points to the file actually containing the cert. This does not seem to be used except by the scripts that update the compiled file.
If you want a cert to survive restarts and reconfigurations (e.g., dpkg-reconfigure ca-certificates), you will also need to update those two locations.
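The two pieces above, a self-signed cert that carries the flags a verifier needs to accept it as a CA and a trust bundle that is nothing more than concatenated PEM, as an added Go example (not code from these notes or from tlsutil); the host names and the "Test CA" subject are made up for the demo:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// must keeps the demo short: any error below is a programming error, not bad input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign gives tmpl a one-day validity window, has parent/parentKey sign it for pub, and returns the parsed cert (parsed so it can be a parent itself).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}

// BuildChain makes a self-signed test CA and a server certificate for host signed by it.
// IsCA, BasicConstraintsValid and KeyUsageCertSign are the details that let a verifier
// accept the self-signed cert as an issuer. The CA comes back as PEM, the form a bundle stores.
func BuildChain(host string) (caPEM []byte, leaf *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA for " + host},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed: template is its own parent
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}} // verifiers match the SAN, not the CN
	leaf = sign(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}), leaf
}

// VerifyAgainstBundle checks leaf for host against a bundle laid out like /etc/ssl/certs/ca-certificates.crt:
// AppendCertsFromPEM reads every PEM block in the file, which is why appending a cert to it is enough.
func VerifyAgainstBundle(bundlePEM []byte, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(bundlePEM)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```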
```sh
# macOS: the cert file should be in PEM format.
sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain test-signing-cert.pem
# To remove said cert:
sudo security remove-trusted-cert -d test-signing-cert.pem
```
Note that this requires root (for write access) in addition to whatever other permissions the system wants. Instructions lifted from mkcert.
You can also open Keychain Access and use the "Import" facility to pull in the PEM file containing the cert, and then bless the key as "trusted" by opening the "Get Info" window and clicking several times and issuing your thumbprint.
Check a key file:
```sh
openssl ec -in test.key -check
```
Check a certificate:
```sh
openssl x509 -noout -text -in test.crt
```
View the cert chain from a server:
```sh
openssl s_client -showcerts -connect example.com:12345
```