Comments on: Signing your own wildcard SSL/HTTPS certificates https://rogerhub.com/~r/code.rogerhub/infrastructure/474/signing-your-own-wildcard-sslhttps-certificates/ The programming blog at RogerHub Mon, 20 Apr 2015 10:03:00 +0000

By: Chris From NJ https://rogerhub.com/~r/code.rogerhub/infrastructure/474/signing-your-own-wildcard-sslhttps-certificates/#comment-45 Mon, 24 Nov 2014 22:01:00 +0000
Need to update for the SHA-1 removal to SHA-256

openssl req -x509 -new -nodes -key rootCA.key -days 9999 -out rootCA.pem

TO:

openssl req -x509 -sha256 -new -nodes -key rootCA.key -days 9999 -out rootCA.pem

Thanks for the Great Guide!! Truly helped me out!

By: Andrey Fedyashov https://rogerhub.com/~r/code.rogerhub/infrastructure/474/signing-your-own-wildcard-sslhttps-certificates/#comment-43 Sun, 29 Jun 2014 08:00:00 +0000
No problem – your post really helped me. One more improvement could be what I found on http://apetec.com/support/GenerateSAN-CSR.htm – to validate that the generated CSR lists the alternative names as expected:
openssl.exe req -text -noout -in SITE.csr

By: Andrey Fedyashov https://rogerhub.com/~r/code.rogerhub/infrastructure/474/signing-your-own-wildcard-sslhttps-certificates/#comment-42 Sun, 29 Jun 2014 07:57:00 +0000
Yep, confirmed on both Windows and Mac – the config file should be based on an existing openssl config (otherwise it just misses important blocks). I’d suggest rephrasing “Create a file named SITE.cnf, and put the following inside” into something like “make a copy of your openssl.cfg and make the following edits”. In fact, the only edits I had to make were:
[req]
req_extensions = v3_req # <—– make sure it is not commented

[v3_req]
subjectAltName = @alt_names # <—- add this one

[alt_names] # <—- add this whole section
DNS.1 = rogerhub.com
DNS.2 = *.rogerhub.com

By: Roger Chen https://rogerhub.com/~r/code.rogerhub/infrastructure/474/signing-your-own-wildcard-sslhttps-certificates/#comment-41 Sun, 29 Jun 2014 04:24:00 +0000
I fixed the instructions. Thanks for the tip!

By: Andrey Fedyashov https://rogerhub.com/~r/code.rogerhub/infrastructure/474/signing-your-own-wildcard-sslhttps-certificates/#comment-40 Sun, 29 Jun 2014 03:53:00 +0000
I also cannot get the partial config file to work – I get the error “no objects specified in config file”. I think the config file should be based on a FULL COPY OF THE EXISTING openssl config file + the edits you mention.

By: Andrey Fedyashov https://rogerhub.com/~r/code.rogerhub/infrastructure/474/signing-your-own-wildcard-sslhttps-certificates/#comment-39 Sun, 29 Jun 2014 03:18:00 +0000
About: “Under the last block, you can insert as many domains with wildcards as you want. To do this, use the following command to generate your CSR:
$ openssl x509 -req -days 9999 -in SITE.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out SITE.crt -config SITE.cnf”

The command seems to generate a certificate (-out SITE.crt) instead of a CSR.

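The points raised across the comments above fit together into one script, so here is an added example that is not code from the original post or from any of the commenters: it builds the root CA with SHA-256 (the fix Chris From NJ asks for), generates the CSR from a config that carries subjectAltName (the edits Andrey Fedyashov lists, in a config that is complete enough for openssl req not to complain about missing sections), checks the CSR with `openssl req -text -noout` as comment 43 suggests, and then runs the `openssl x509 -req` step, which, as comment 39 notes, is the signing step and produces the certificate. It also shows the check that step needs and the thread does not mention: `openssl x509 -req` does not copy extensions out of the CSR, so the signed certificate only gets the SANs if the section is named again with `-extfile`/`-extensions`. The scratch directory `$WORK`, the file names rootCA.key/rootCA.pem/SITE.key/SITE.csr/SITE.crt, the root subject and the domains rogerhub.com and *.rogerhub.com are taken from the thread or assumed for the example.

```shell
#!/bin/sh
# Added example (not code from the original post or from any commenter): the whole
# procedure discussed in the thread run end to end, with the checks a practitioner
# wants. Assumed: $WORK (scratch directory), file names rootCA.*/SITE.*, and the
# domains rogerhub.com / *.rogerhub.com taken from the thread.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal SITE.cnf with the edits from the thread. A copy of openssl.cnf with the
# same three edits (req_extensions, [v3_req], [alt_names]) works just as well.
write_config() {
    cat > "$WORK/SITE.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
# uncommented: this is what puts subjectAltName into the CSR
req_extensions     = v3_req
prompt             = no

[req_distinguished_name]
CN = rogerhub.com

# Extensions for the self-signed root. Without CA:TRUE a v3 root is rejected
# by openssl verify as "invalid CA certificate".
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

# Extensions for the leaf (server) certificate.
[v3_req]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[alt_names]
DNS.1 = rogerhub.com
DNS.2 = *.rogerhub.com
EOF
}

# Root CA, self-signed with SHA-256 (the fix from the first comment). -nodes leaves
# rootCA.key unencrypted: anyone holding it can mint certificates that every machine
# trusting rootCA.pem will accept, so keep it off the web server.
make_root_ca() {
    openssl genrsa -out "$WORK/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -sha256 -new -nodes -key "$WORK/rootCA.key" -days 9999 \
        -subj "/CN=Example private root CA" \
        -config "$WORK/SITE.cnf" -extensions v3_ca -out "$WORK/rootCA.pem"
}

# Server key and CSR; -config is what carries the subjectAltName into the CSR.
make_csr() {
    openssl genrsa -out "$WORK/SITE.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/SITE.key" -config "$WORK/SITE.cnf" \
        -out "$WORK/SITE.csr"
}

# Sign the CSR. openssl x509 -req does not copy extensions out of the CSR, so the
# SANs must be named again with -extfile/-extensions or the signed certificate has
# no subjectAltName at all, and modern browsers ignore the CN.
sign_csr() {
    openssl x509 -req -sha256 -days 9999 -in "$WORK/SITE.csr" \
        -CA "$WORK/rootCA.pem" -CAkey "$WORK/rootCA.key" -CAcreateserial \
        -extfile "$WORK/SITE.cnf" -extensions v3_req -out "$WORK/SITE.crt" 2>/dev/null
}

# Checks; each exits 0 on success so it can gate a deploy script.
csr_has_san()    { openssl req  -text -noout -in "$1" | grep -qF "DNS:$2"; }
cert_has_san()   { openssl x509 -text -noout -in "$1" | grep -qF "DNS:$2"; }
cert_sig_alg()   { openssl x509 -text -noout -in "$1" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1; }
cert_chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# Hostname matching as a TLS client does it: a wildcard covers exactly one label.
cert_matches_host() { openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; }

expect()     { if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; exit 1; fi; }
expect_not() { if "$@"; then echo "FAIL (should be rejected): $*"; exit 1; else echo "ok:   rejected $*"; fi; }

main() {
    write_config
    make_root_ca
    make_csr
    sign_csr
    echo "rootCA.pem signed with: $(cert_sig_alg "$WORK/rootCA.pem")"
    echo "SITE.crt   signed with: $(cert_sig_alg "$WORK/SITE.crt")"
    expect csr_has_san  "$WORK/SITE.csr" '*.rogerhub.com'
    expect cert_has_san "$WORK/SITE.crt" '*.rogerhub.com'
    expect cert_chains_to "$WORK/rootCA.pem" "$WORK/SITE.crt"
    expect cert_matches_host "$WORK/rootCA.pem" "$WORK/SITE.crt" www.rogerhub.com
    expect_not cert_matches_host "$WORK/rootCA.pem" "$WORK/SITE.crt" a.b.rogerhub.com
    echo "artifacts left in $WORK"
}
main
```

Run it with `sh` and inspect the files it leaves in `$WORK`. Drop the `-extfile`/`-extensions` pair from `sign_csr` and the `cert_has_san` check fails even though `csr_has_san` still passes, which is exactly the silent failure to watch for; OpenSSL 3.0 and newer also accept `-copy_extensions copy` on `openssl x509 -req` as an alternative to naming the section again. Two caveats for real use: a wildcard certificate means one private key serves every host under the domain, so a compromise of any one of them exposes all of them, and `-days 9999` is fine for a lab but some TLS clients reject very long validity periods, so shorten it for anything you deploy.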
By: Roger Qiu https://rogerhub.com/~r/code.rogerhub/infrastructure/474/signing-your-own-wildcard-sslhttps-certificates/#comment-31 Fri, 14 Mar 2014 03:00:00 +0000
I made a little repo based on your instructions https://github.com/Polycademy/SSLCreator

By: Roger Qiu https://rogerhub.com/~r/code.rogerhub/infrastructure/474/signing-your-own-wildcard-sslhttps-certificates/#comment-30 Thu, 13 Mar 2014 23:20:00 +0000
There really shouldn’t even be a need for certificates for there to be HTTPS connections. They are separate issues. One is to provide a secure connection, the other is to validate the identity of the site/client.

By: Justin Nauman https://rogerhub.com/~r/code.rogerhub/infrastructure/474/signing-your-own-wildcard-sslhttps-certificates/#comment-29 Tue, 11 Mar 2014 16:27:00 +0000
Thanks for the very clear breakdown of the commands, this was something I had not seen in other literature I have read around this.

It explained some of the concepts in a more digestible and easy-to-read format than the RFC.

By: rogerhub https://rogerhub.com/~r/code.rogerhub/infrastructure/474/signing-your-own-wildcard-sslhttps-certificates/#comment-21 Thu, 05 Sep 2013 16:59:00 +0000
I will let you advertise your website here, but I personally believe the CA system is horribly broken and will be replaced in the future with a distributed system of trust. Check out the Perspectives project http://perspectives-project.org/ for an idea.