@marco74
Last active July 15, 2025 10:04
Some simple bash lines to create self-signed certificates

Key generation

Certification Authority

Key:

# 4096-bit CA key, encrypted with AES-256 (you will be prompted for a passphrase)
openssl genrsa -aes256 -out ca.key 4096

Certificate:

openssl req \
  -x509  \
  -new   \
  -nodes  \
  -key ca.key  \
  -sha256  \
  -days 1826  \
  -out ca.crt  \
  -subj '/CN=gitlabbuild/C=AT/ST=Tirol/L=Rattenberg/O=build1'

--> this certificate then has to be imported on every machine that should accept certificates signed by this CA, see below

Gitlabrunner host

Key and Certificate Signing Request (CSR):

openssl req   \
  -new   \
  -nodes  \
  -out gitlabrunner.csr \
  -newkey rsa:4096  \
  -keyout gitlabrunner.key  \
  -subj '/CN=gitlabrunner/C=AT/ST=Tirol/L=Rattenberg/O=build1'

Generate the Certificate:

# Prepare an extension file
cat > gitlabrunner.v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = gitlabrunner
EOF

# Sign the certificate
openssl x509   \
  -req   \
  -in gitlabrunner.csr   \
  -CA ca.crt   \
  -CAkey ca.key   \
  -CAcreateserial   \
  -out gitlabrunner.crt  \
  -days 7   \
  -sha256   \
  -extfile gitlabrunner.v3.ext

registry host

Key and Certificate Signing Request (CSR):

openssl req  \
  -new   \
  -nodes   \
  -out registry.csr   \
  -newkey rsa:4096   \
  -keyout registry.key   \
  -subj '/CN=registry/C=AT/ST=Tirol/L=Rattenberg/O=build1'

Generate the Certificate:

# Prepare an extension file
cat > registry.v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = registry
EOF
# Sign the certificate
openssl x509 -req -in registry.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out registry.crt -days 7 -sha256 -extfile registry.v3.ext

buildkitd host

Key and Certificate Signing Request (CSR):

openssl req   \
  -new   \
  -nodes   \
  -out buildkitd.csr   \
  -newkey rsa:4096   \
  -keyout buildkitd.key   \
  -subj '/CN=buildkitd/C=AT/ST=Tirol/L=Rattenberg/O=build1'

Generate the Certificate:

# Prepare an extension file
cat > buildkitd.v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = buildkitd
EOF

# Sign the certificate
openssl x509   \
  -req   \
  -in buildkitd.csr   \
  -CA ca.crt   \
  -CAkey ca.key   \
  -CAcreateserial   \
  -out buildkitd.crt   \
  -days 7   \
  -sha256   \
  -extfile buildkitd.v3.ext

Installation of the Certificate

Copy the CA's certificate to /usr/local/share/ca-certificates and run update-ca-certificates

cp ca.crt /usr/local/share/ca-certificates
update-ca-certificates

This needs to be done on each machine that should accept certificates signed by the CA. Afterwards you can test:

echo "" | openssl s_client -connect registry:5000 2>/dev/null | grep "Verification"
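The steps above can be checked offline without a running registry. The following script is an added example, not part of the gist: it builds a throwaway CA and one leaf certificate with the same openssl steps, then verifies that the leaf chains to the CA, matches its hostname (SAN) and is not about to expire (useful with the 7-day lifetime used here). The names `make_pki`, `check_cert`, `testca` and the 2048-bit test keys are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the gist: build a throwaway CA and one leaf
# certificate with the same openssl steps as above, then check that the leaf
# chains to the CA, matches its hostname and is not about to expire.
set -e

# make_pki DIR HOST DAYS: writes ca.crt, HOST.key and HOST.crt into DIR.
# The CA key is left unencrypted (-nodes) only because this is a test PKI.
make_pki() {
  dir=$1; host=$2; days=$3
  mkdir -p "$dir"
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 30 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=testca/O=build1" >/dev/null 2>&1
  openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/$host.key" \
    -out "$dir/$host.csr" -subj "/CN=$host/O=build1" >/dev/null 2>&1
  cat > "$dir/$host.v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:$host
EOF
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$host.crt" \
    -days "$days" -sha256 -extfile "$dir/$host.v3.ext" >/dev/null 2>&1
}

# check_cert CA LEAF HOST MIN_SECONDS: returns 0 when LEAF is signed by CA
# and valid for HOST, 1 when chain or hostname verification fails, or 2 when
# the certificate expires within MIN_SECONDS.
check_cert() {
  ca=$1; leaf=$2; host=$3; min=$4
  # chain and SAN/hostname check in one call (-verify_hostname: OpenSSL >= 1.1.0)
  openssl verify -CAfile "$ca" -verify_hostname "$host" "$leaf" \
    >/dev/null 2>&1 || return 1
  # -checkend exits non-zero when the certificate expires within MIN_SECONDS
  openssl x509 -in "$leaf" -noout -checkend "$min" >/dev/null 2>&1 || return 2
  return 0
}
```

Run `check_cert ca.crt registry.crt registry 86400` against the real files to get the same three outcomes for the certificates created above; a return value of 2 is the signal to re-issue before the 7 days run out.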