Andrea Pavone

How to create Self-Signed SSL Certificate with custom Root CA

If you need a local test environment whose SSL certificate is accepted by several different devices (PC, Android smartphone or iPhone) without any "certificate error", one solution is to create your own Root CA, sign the server certificate with it, and install only the Root CA on each device.

Modern browsers and mobile operating systems enforce strict rules on TLS certificates, for example:

  • Short validity: 365 days here. Apple's platforms reject leaf certificates valid for more than 398 days, so a long-lived self-signed server certificate is not accepted on iOS.

  • A Subject Alternative Name (SAN) extension must be present and must contain the host name; the Common Name alone is ignored by Chrome and by iOS.

  • RSA keys must be at least 2048 bits (the commands below use 4096).

For these reasons you can create a self-signed certificate chain that satisfies the rules by following these steps:

Create the Root CA (the key is written unencrypted because of -nodes, so keep RootCA.key readable only by you and never copy it to the devices; only RootCA.crt gets installed there):

openssl req -x509 -nodes -new -sha256 -days 10950 -newkey rsa:4096 -keyout RootCA.key -out RootCA.pem -subj "/O=LocalOrg/CN=LocalOrg-Root-CA"

Copy the CA certificate to a .crt file (the content is still PEM, the .crt extension is simply what iOS and Android expect when you download it; use -outform der instead if a device insists on binary DER):

openssl x509 -outform pem -in RootCA.pem -out RootCA.crt

Create the extension file san.txt with the following content (extendedKeyUsage = serverAuth is required by iOS 13 and later for TLS server certificates):

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = mylocal.web.site

Generate a CSR + KEY:

openssl req -new -nodes -newkey rsa:4096 -keyout certificate.key -out certificate.csr -subj "/C=IT/ST=Italy/L=Milan/O=LocalOrg/CN=mylocal.web.site"

Sign the CSR with the Root CA to create the server certificate (-CAcreateserial writes a RootCA.srl file next to the CA):

openssl x509 -req -sha256 -days 365 -in certificate.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile san.txt -out certificate.crt
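The whole procedure above as one script, plus the checks worth running before installing the Root CA on a phone. This is an added example, not code from the original post: the output directory argument, the extra SAN entries (www.HOST and 127.0.0.1) and the verify_leaf checks are my additions; the names LocalOrg and mylocal.web.site follow the post.

```shell
#!/bin/sh
# Added example (not part of the original post): creates a local Root CA and a
# SAN server certificate signed by it, then verifies the result the way a
# device would. Requires the openssl command-line tool.
set -eu

# make_local_ca_and_cert DIR HOSTNAME
# Writes DIR/RootCA.{key,pem,crt}, DIR/san.txt and DIR/certificate.{key,csr,crt}.
make_local_ca_and_cert() {
    dir=$1
    host=$2
    mkdir -p "$dir"
    (
        cd "$dir"
        umask 077   # -nodes writes the private keys unencrypted: make them 0600

        # 1. Root CA, self-signed for 30 years. 'req -x509' adds basicConstraints
        #    CA:TRUE from the default config, so it is usable as a trust anchor.
        openssl req -x509 -nodes -new -sha256 -days 10950 -newkey rsa:4096 \
            -keyout RootCA.key -out RootCA.pem \
            -subj "/O=LocalOrg/CN=LocalOrg-Root-CA" 2>/dev/null

        # 2. Same PEM content with the .crt extension phones expect on download.
        openssl x509 -outform pem -in RootCA.pem -out RootCA.crt
        chmod 644 RootCA.pem RootCA.crt

        # 3. Leaf extensions. extendedKeyUsage=serverAuth is required by iOS 13+;
        #    DNS.2 and IP.1 are assumed extra entries that show the SAN syntax.
        cat > san.txt <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $host
DNS.2 = www.$host
IP.1 = 127.0.0.1
EOF

        # 4. Server key and CSR.
        openssl req -new -nodes -newkey rsa:4096 -keyout certificate.key \
            -out certificate.csr \
            -subj "/C=IT/ST=Italy/L=Milan/O=LocalOrg/CN=$host" 2>/dev/null

        # 5. Sign with the root; 365 days stays under Apple's 398-day limit.
        openssl x509 -req -sha256 -days 365 -in certificate.csr \
            -CA RootCA.pem -CAkey RootCA.key -CAcreateserial \
            -extfile san.txt -out certificate.crt 2>/dev/null
        chmod 644 certificate.crt
    )
}

# verify_leaf DIR HOSTNAME
# The checks to run before trusting the root on a device; prints the first
# failing reason and returns non-zero.
verify_leaf() {
    dir=$1
    host=$2
    # The chain must build from the leaf to our root
    openssl verify -CAfile "$dir/RootCA.pem" "$dir/certificate.crt" >/dev/null \
        || { echo "chain does not verify against RootCA.pem"; return 1; }
    text=$(openssl x509 -in "$dir/certificate.crt" -noout -text)
    # SAN must carry the host name (CN alone is ignored by Chrome and iOS)
    echo "$text" | grep -q "DNS:$host" \
        || { echo "no SAN entry for $host"; return 1; }
    # The leaf must not itself be a CA
    echo "$text" | grep -q "CA:FALSE" \
        || { echo "leaf is missing basicConstraints CA:FALSE"; return 1; }
    # The leaf must be usable for TLS server authentication
    echo "$text" | grep -q "TLS Web Server Authentication" \
        || { echo "leaf is missing extendedKeyUsage serverAuth"; return 1; }
    # Not about to expire (86400 s = one day)
    openssl x509 -in "$dir/certificate.crt" -noout -checkend 86400 >/dev/null \
        || { echo "leaf expires within a day"; return 1; }
    # Private key and certificate must belong together
    [ "$(openssl x509 -in "$dir/certificate.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/certificate.key" -pubout)" ] \
        || { echo "certificate.key does not match certificate.crt"; return 1; }
    echo "OK: $dir/certificate.crt verifies against $dir/RootCA.pem"
}

# Usage:
#   make_local_ca_and_cert ./localca mylocal.web.site
#   verify_leaf ./localca mylocal.web.site
```

After verify_leaf passes, point SSLCertificateFile at certificate.crt and SSLCertificateKeyFile at certificate.key as shown below, and install only RootCA.crt on the devices.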

You can now use your new certificate and key for example in Apache Web server:

SSLEngine on
SSLCertificateFile      /path/to/certificate.crt
SSLCertificateKeyFile   /path/to/certificate.key

Once the web server is configured, import the Root CA on each device so that the server certificate is no longer treated as self-signed. The steps are similar on every device: install RootCA.crt, never RootCA.key.

For example, on an iPhone download RootCA.crt in Safari and install it from Settings as a configuration profile. After installing the profile, enable the CA under General > About > Certificate Trust Settings and turn on "Enable Full Trust" for your Root CA; until you do this step the certificate is installed but not trusted, and Safari will keep showing the error.