Generate a RootCA private key
openssl genrsa -out ca.key 2048
Generate a self-signed RootCA certificate from that private key (the command prompts for the subject fields; the Common Name you enter is the name the CA shows up under in the OS trust store, e.g. myCA below)
openssl req -new -x509 -key ca.key -out ca.crt
Add RootCA to local OS
On a MacBook, open Keychain Access -> File -> Import Items... -> ca.crt. Right-click on myCA -> Trust
On Ubuntu, install `ca-certificates`. Copy ca.crt to `/usr/local/share/ca-certificates/myCA.crt` (the `.crt` extension is required for it to be picked up). Refresh with `sudo update-ca-certificates`
Generate a private key for the CA's client, the host myabc.net (this is the server key Nginx will use below)
openssl genrsa -out myabc.net.key 2048
Generate a CSR from that private key; the CSR is what is sent to the RootCA for signing (the private key itself never leaves the host)
openssl req -new -key myabc.net.key -out myabc.net.csr
(an extension file is needed to set the SAN: Chrome ignores the CN and requires a SAN that matches the hostname, so a certificate signed without it is rejected)
myabc.net.ext:
basicConstraints=CA:FALSE
subjectAltName=DNS:*.myabc.net,DNS:myabc.net
extendedKeyUsage=serverAuth
Sign CSR with RootCA above
openssl x509 -req -in myabc.net.csr -CA ca.crt -CAkey ca.key \
-CAcreateserial -out myabc.net.crt -sha256 -extfile myabc.net.ext
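The whole procedure above (RootCA key and certificate, host key, CSR, extension file, signing) as one non-interactive script, added here as an example and not part of the original page. It assumes `openssl` is on PATH; the subject names, the 825-day validity and the output directory are constructed for the example. It goes one step beyond the page by verifying the result the way the browser will: the leaf must chain to ca.crt, carry the SAN, not be a CA itself, and the private key must match the certificate (a mismatched pair is the usual reason Nginx refuses to start).

```shell
#!/bin/sh
# Added example, not from the original page: build a local RootCA and a signed
# certificate for myabc.net, then verify the output before handing it to Nginx.
# Assumptions: openssl 1.1.1+ on PATH; "/CN=myCA", "/CN=myabc.net" and 825 days
# are constructed values for this example.
set -eu

# make_local_pki DIR : create ca.key, ca.crt, myabc.net.{key,csr,ext,crt} in DIR.
# The body runs in a subshell so the cd does not leak into the caller.
make_local_pki() (
  dir="$1"
  mkdir -p "$dir"
  cd "$dir"

  # 1. RootCA private key and self-signed RootCA certificate
  #    (-subj replaces the interactive subject prompt)
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -x509 -key ca.key -out ca.crt -days 825 \
    -subj "/CN=myCA" 2>/dev/null

  # 2. Host private key and CSR; only the CSR would be sent to the CA
  openssl genrsa -out myabc.net.key 2048 2>/dev/null
  openssl req -new -key myabc.net.key -out myabc.net.csr \
    -subj "/CN=myabc.net" 2>/dev/null

  # 3. Extension file: the SAN is what browsers match against the hostname,
  #    CA:FALSE keeps the leaf from being usable to sign further certificates
  cat > myabc.net.ext <<'EOF'
basicConstraints=CA:FALSE
subjectAltName=DNS:*.myabc.net,DNS:myabc.net
extendedKeyUsage=serverAuth
EOF

  # 4. Sign the CSR with the RootCA, applying the extensions from the file
  openssl x509 -req -in myabc.net.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out myabc.net.crt -days 825 -sha256 \
    -extfile myabc.net.ext 2>/dev/null
)

# verify_leaf DIR : succeed only if myabc.net.crt chains to ca.crt, carries the
# DNS:myabc.net SAN and is not itself a CA; fail (return 1) otherwise.
verify_leaf() {
  dir="$1"
  # chain check: the same decision the OS/browser makes once ca.crt is trusted
  openssl verify -CAfile "$dir/ca.crt" "$dir/myabc.net.crt" >/dev/null 2>&1 || return 1
  # SAN check: without DNS:myabc.net Chrome rejects the cert even with a valid chain
  openssl x509 -in "$dir/myabc.net.crt" -noout -text | grep -q 'DNS:myabc.net' || return 1
  # the leaf must not be a CA
  openssl x509 -in "$dir/myabc.net.crt" -noout -text | grep -q 'CA:FALSE' || return 1
}

# key_matches_cert KEY CRT : succeed only if the public key derived from KEY is
# the public key embedded in CRT.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh local-pki.sh /path/to/outdir   (no argument: only define the functions)
if [ -n "${1:-}" ]; then
  make_local_pki "$1"
  verify_leaf "$1"
  key_matches_cert "$1/myabc.net.key" "$1/myabc.net.crt"
  echo "OK: $1/myabc.net.crt chains to $1/ca.crt and matches $1/myabc.net.key"
fi
```

After Nginx is configured with the resulting files, the same trust decision can be checked from the command line with `openssl s_client -connect myabc.net:443 -servername myabc.net -CAfile ca.crt`, which reports `Verify return code: 0 (ok)` when the chain is accepted.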
Use the signed certificate in Nginx (the `ssl` parameter on `listen` is required, otherwise Nginx serves plain HTTP on port 443):
server {
    listen 443 ssl;
    server_name myabc.net;
    ssl_certificate /etc/certs/myabc.net.crt;
    ssl_certificate_key /etc/certs/myabc.net.key;
}
Access Nginx over https://myabc.net in Chrome; with the RootCA trusted in the OS store the connection shows as secure