How to create Self-Signed SSL Certificate with custom Root CA
If you need to create a local test enviroment that require an SSL certificate valid tought some differente devices (PC, Smartphone Android or iPhone) without any "Certificate Erros" a possible solution is to generate a self-signed certificate with custom Root CA.
Modern browser require strict SSL Certificate rules for example:
Max 365 Days of validity (for iOS devices support)
Must be present a SAN on the Certificate
Key msut be >= bit
For these reason you can crete an SSL Self-Signed certificates following this steps:
Create Root CA:
openssl req -x509 -nodes -new -sha256 -days 10950 -newkey rsa:4096 -keyout RootCA.key -out RootCA.pem -subj "/O=LocalOrg/CN=LocalOrg-Root-CA"
Convert PEM in CRT:
openssl x509 -outform pem -in RootCA.pem -out RootCA.crt
Create SAN file:
touch san.txt
#Add the following text:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = mylocal.web.site
Generate a CSR + KEY:
openssl req -new -nodes -newkey rsa:4096 -keyout certificate.key -out certificate.csr -subj "/C=IT/ST=Italy/L=Milan/O=LocalOrg/CN=mylocal.web.site"
Create SSL Certificate:
openssl x509 -req -sha256 -days 365 -in certificate.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile san.txt -out certificate.crt
You can now use your new certificate and key for example in Apache Web server:
SSLEngine on
SSLCertificateFile /path/to/certificate.crt
SSLCertificateKeyFile /path/to/certificate.key
One configured the web server you can now import the Root CA on your device for avoid self-signed certificate issue, the step for import this CA are similar on any device.
For example on iPhone you can download the RootCA.crt and follow the step for installing it on iPhone Setting. After importing the profile you can enable the RootCA on General > About > Certificate Trust Settings and Enable Full Trust for your CA.