Sunday, September 8, 2019

Self-Signed Cert with IP Address as Subject Alternative Name

Most of the guides I found assume you are using a domain name. As such, I will write down this guide for those who use an IP address.

We will create our own root CA certificate and later use it to sign the website certificate. You will be prompted for a password to protect your root CA secret key. You need to remember this password, as it will be used later.

openssl genrsa -des3 -out rootCA.key 2048

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 365 -out rootCA.pem

Create a config file (server.csr.cnf) for generating the Certificate Signing Request (CSR):

server.csr.cnf

[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=SG
ST=Singapore
L=Singapore
O=test
OU=test
emailAddress=test@192.168.35.123
CN=192.168.35.123

Generate the CSR:

openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server.csr.cnf

Create a v3.ext file for the Subject Alternative Name (SAN). For an IP address, you need to use an IP entry instead of a DNS entry:

v3.ext

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1 = 192.168.35.123

Sign this certificate with your root CA:

openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile v3.ext

You can now put both server.crt and server.key in your web server.
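To see why the SAN entry must be of type IP rather than DNS, the following added example (not part of the original post) issues two certificates for the same address and checks each with openssl verify -verify_ip. It assumes the openssl CLI is installed; the throwaway CA is unencrypted and lives in a temp directory, and the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example: throwaway files only, created in a temp directory.
IP=192.168.35.123            # address used throughout the page

# Build an unencrypted throwaway CA (demo only; the page's CA key is passphrase-protected).
make_ca() {
    cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Throwaway Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -days 1 -sha256 -config ca.cnf 2>/dev/null
}

# issue_cert NAME SAN: sign NAME.crt carrying the given subjectAltName value.
issue_cert() {
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\n' "$2" > "$1.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -config ca.cnf -subj "/CN=$IP" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out "$1.crt" -days 1 -sha256 -extfile "$1.ext" 2>/dev/null
}

# check_cert CRT: the chain must verify against ca.pem AND the cert must match $IP.
check_cert() {
    openssl verify -CAfile ca.pem -verify_ip "$IP" "$1" >/dev/null 2>&1
}

# Returns 0 only if the IP-typed SAN is accepted and the DNS-typed one is rejected.
demo() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && make_ca &&
      issue_cert good "IP:$IP" && issue_cert bad "DNS:$IP" &&
      check_cert good.crt && ! check_cert bad.crt )
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo && echo "IP SAN accepted, DNS SAN with the same text rejected"
```

The same check works on the files from this guide: openssl verify -CAfile rootCA.pem -verify_ip 192.168.35.123 server.crt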

In order for your browser to accept this self-signed certificate, you need to import your rootCA.pem into your system's trusted root certificate authorities repository. For Windows systems, please refer to this link.