Most of the guide i found assume you are using domain name. As such i will write down this guide for those who use IP address.
We will create our own root CA cert and later on we will be using this to sign the website certificate. You will be prompted for password to protect your root CA secret key. You need to remember this password as it will be used later.
Create a config file (csr.cnf) for generating Certificate Signing Request (CSR)
server.csr.cnf
Generate CSR
Create a v3.ext for Subject Alternate Name (SAN). So for IP address, you need to use IP instead of DNS
v3.ext
Sign this certificate with your root CA
You can now put both server.crt and server.key in your web server.
In order for your browser to accept this self signed certificate, you need to import your rootCA.pem into your system trusted root certificate authorities repository. for Windows system, please refer to this link .
We will create our own root CA cert and later on we will be using this to sign the website certificate. You will be prompted for password to protect your root CA secret key. You need to remember this password as it will be used later.
openssl genrsa -des3 -out rootCA.key 2048 openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 365 -out rootCA.pem
Create a config file (csr.cnf) for generating Certificate Signing Request (CSR)
server.csr.cnf
[req] default_bits = 2048 prompt = no default_md = sha256 distinguished_name = dn [dn] C=SG ST=Singapore L=Singapore O=test OU=test emailAddress=test@192.168.35.123 CN=192.168.35.123
Generate CSR
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server.csr.cnf
Create a v3.ext for Subject Alternate Name (SAN). So for IP address, you need to use IP instead of DNS
v3.ext
authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names [alt_names] IP.1 = 192.168.35.123
Sign this certificate with your root CA
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile v3.ext
In order for your browser to accept this self signed certificate, you need to import your rootCA.pem into your system trusted root certificate authorities repository. for Windows system, please refer to this link .
