Ubuntu SSL For Local Development

Luke Diebold
3 min read · Apr 29, 2020

NOTE: For now, this is just a reference for myself. Having said that, most of the instructions in this article will probably work for you if you’re running Ubuntu.

Generate a private key

Navigate to a certificates directory *(e.g. ~/certificates)* and run the following

openssl genrsa -des3 -out mysite-authority.key 2048

Generate a root certificate using the key we just created

Run the following. Enter the password you set when generating the private key, then enter the certificate authority details.

sudo openssl req -x509 -new -nodes -key mysite-authority.key -sha256 -days 1825 -out mysite-authority.pem

Install the certificate on devices that will view this site (Ubuntu)

Copy your certificate in PEM format (the format that has -----BEGIN CERTIFICATE----- in it) into /usr/local/share/ca-certificates and name it with a .crt file extension.

sudo cp mysite-authority.pem /usr/local/share/ca-certificates/mysite-authority.pem.crt

and update Certificate Authority Certificates…

For Ubuntu systems

sudo update-ca-certificates

For Firefox

sudo dpkg-reconfigure ca-certificates

For Chrome

Click on the “Customize Chrome” icon
Open “Settings”
Search for “certificates”
Click “More” at the bottom of the page
Click “Manage certificates”
Click “Authorities”
Click “Import”

Find your certificate authority (ends in .pem)

Creating a Certificate, Signed By The Certificate Authority

First, create a private key

openssl genrsa -out api.mysite.test.key 2048

Then, a CSR (Certificate Signing Request)

sudo openssl req -new -key api.mysite.test.key -out api.mysite.test.csr

Now create a config file (e.g. **api.mysite.test.ext**) that will be used to generate the certificate

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = api.mysite.test
DNS.2 = localhost
# IP addresses must be listed as IP entries, not DNS entries
IP.1 = 127.0.0.1

Then run the command below to create the certificate.
NOTE: This command creates a certificate that is signed by the certificate authority.

A certificate signed by the certificate authority doesn’t need to be installed on its own! This is great news, because it means once the certificate authority has been installed, you can jump to “Creating a Certificate, Signed By The Certificate Authority” on this page, follow the steps, and you’ll have a certificate that just works!

openssl x509 -req -in api.mysite.test.csr -CA mysite-authority.pem -CAkey mysite-authority.key -CAcreateserial -out api.mysite.test.crt -days 1825 -sha256 -extfile api.mysite.test.ext

Restart nginx (for my own records, not required 😉)

sudo /etc/init.d/nginx restart
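
A check worth running on the signed certificate before pointing nginx at it, added here as an example (not part of the original post): it confirms the leaf chains to the authority, is not itself a CA, and matches every name the site is served under. An IP address only matches an IP entry in the alt_names section, never a DNS entry. The helper names verify_leaf and make_demo_chain are hypothetical, and the throwaway chain is constructed so the script runs offline.

```bash
# Added example; helper names are hypothetical, sample chain is constructed.

# verify_leaf CA_PEM LEAF_CRT NAME...   (NAME = DNS name or IPv4 literal)
verify_leaf() {
  local ca="$1" leaf="$2" name flag rc=0
  shift 2
  # 1. The leaf must chain to the CA that clients were told to trust.
  openssl verify -CAfile "$ca" "$leaf" 2>/dev/null | grep -q ': OK$' ||
    { echo "FAIL chain"; return 1; }
  # 2. The leaf must not be usable as a CA (basicConstraints=CA:FALSE).
  if openssl x509 -in "$leaf" -noout -text | grep -q 'CA:TRUE'; then
    echo "FAIL leaf is a CA"; rc=1
  fi
  # 3. Each name must match a SAN entry; IP literals only match IP.n entries.
  for name in "$@"; do
    case $name in
      *[!0-9.]*) flag=-checkhost ;;  # contains a non-digit: DNS name
      *)         flag=-checkip ;;    # digits and dots only: IPv4 literal
    esac
    if openssl x509 -in "$leaf" -noout "$flag" "$name" | grep -q 'does match'; then
      echo "ok   $name"
    else
      echo "FAIL $name"; rc=1
    fi
  done
  return $rc
}

# Constructed throwaway chain (unencrypted keys, temp dir, 2-day validity).
# $1 is the alt_names line for the loopback address, e.g. 'IP.1 = 127.0.0.1'.
make_demo_chain() {
  local d; d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    openssl genrsa -out ca.key 2048
    openssl req -x509 -new -key ca.key -sha256 -days 2 -subj '/CN=demo authority' -out ca.pem
    openssl genrsa -out leaf.key 2048
    openssl req -new -key leaf.key -subj '/CN=api.mysite.test' -out leaf.csr
    printf '%s\n' 'basicConstraints=CA:FALSE' 'subjectAltName = @alt_names' \
      '[alt_names]' 'DNS.1 = api.mysite.test' "$1" > leaf.ext
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -out leaf.crt -days 2 -sha256 -extfile leaf.ext
  ) >/dev/null 2>&1 || return 1
  echo "$d"
}

dir=$(make_demo_chain 'IP.1 = 127.0.0.1') &&
  verify_leaf "$dir/ca.pem" "$dir/leaf.crt" api.mysite.test 127.0.0.1
rm -rf "$dir"
```

Against the real files from this page the call would be: verify_leaf mysite-authority.pem api.mysite.test.crt api.mysite.test localhost 127.0.0.1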
