Original link: https://lisz.me/tech/webmaster/ca-ssl.html
Foreword
The Necessity of HTTPS for Intranet
Development teams and companies generally rely on measures such as separating the internal and external networks and filtering Internet access to make sure internal devices cannot be reached from outside, so an HTTP-only internal website may be regarded as relatively safe. Even today, when HTTPS certificates are so widespread, moving internal sites to HTTPS is often not considered for the time being, and access by IP + port or by http://<local domain name> is still the norm. Of course, if the cost of buying an HTTPS certificate, or the hassle of using a free certificate such as Let's Encrypt for a team intranet site (a new certificate can only be obtained every three months, and only through DNS validation), puts you off, then a self-signed SSL certificate becomes the first choice. However, if you generate a separate SSL certificate for every intranet site and then have everyone manually mark each one as trusted, you are in for trouble once the number of intranet sites grows. A more practical approach is to generate one root certificate for the intranet and mark only that root certificate as trusted.
Root certificate
Rather than trusting SSL certificates issued under someone else's root certificate, it is better to trust SSL certificates issued under your own. After all, our goal is not to get anyone else to mark our self-signed certificate as trusted; it is enough that the devices using the intranet site trust it. Becoming a publicly trusted root certificate is very hard, and may not be achievable even after decades. The root certificates that exist today are in fact few in number, and the familiar Let's Encrypt, ZeroSSL, Cloudflare and so on are not root certificates but intermediate certificates. It works a bit like a general agent and its sub-agents: the root certificate has broad credibility in the industry, but having the root issue certificates directly to every individual or enterprise would be far too much work. So the root certificate issues several intermediate certificates, and the intermediate certificates issue the actual certificates to individuals and enterprises.
Generally, operating system and browser vendors preinstall a set of internationally recognized root certificates. Below is the list of root certificates preinstalled on Mac OS.
Practice
Without further ado, let's go through generating your own root certificate and issuing an SSL certificate with it.
Generate root certificate
Install OpenSSL (optional)
Only Mac OS and Ubuntu are covered here; for other environments, look up the installation method yourself.
# Mac OS
brew install openssl
# Ubuntu
sudo apt install -y openssl
Create root key
Create the root key zhonger-key.pem with the following command.
openssl genrsa -out zhonger-key.pem 4096
Create root certificate and sign
Use the newly created root key zhonger-key.pem to generate a root certificate, entering the relevant information when prompted.
openssl req -new -x509 -days 3600 -key zhonger-key.pem -out zhongerca.pem
╰─ $ openssl req -new -x509 -days 3600 -key zhonger-key.pem -out zhongerca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:zhonger
Organizational Unit Name (eg, section) []:zhonger
Common Name (eg server FQDN or YOUR name) []:lisz.me
Email Address []:[email protected]
Verify root certificate
╰─ $ openssl x509 -text -in zhongerca.pem -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            44:48:03:56:ff:15:57:03:00:34:1f:85:61:ca:f7:7a:1e:4f:38:8f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Shanghai, L = Shanghai, O = zhonger, OU = zhonger, CN = lisz.me, emailAddress = [email protected]
        Validity
            Not Before: Aug  3 05:25:47 2022 GMT
            Not After : Jun 11 05:25:47 2032 GMT
        Subject: C = CN, ST = Shanghai, L = Shanghai, O = zhonger, OU = zhonger, CN = lisz.me, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    [4096-bit modulus omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                EE:EF:AE:DB:73:45:9A:6E:82:00:3C:A7:05:0D:60:E4:20:81:3B:02
            X509v3 Authority Key Identifier:
                keyid:EE:EF:AE:DB:73:45:9A:6E:82:00:3C:A7:05:0D:60:E4:20:81:3B:02
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         [signature bytes omitted]
Install root certificate
When you open the newly generated root certificate zhongerca.pem for the first time, it is shown as "This root certificate is not trusted", as in the screenshot below. Change "When using this certificate" from the system default to "Always Trust", enter the operating system user password, and save the change. Opening it again now shows "This certificate has been marked as trusted by this account", as in the next screenshot. From this point on, certificates issued by this root certificate will be trusted.
Issuing a certificate
Here we use jsha/minica to help issue certificates quickly.
Install minica
# Mac OS
brew install minica
# Other OS
go install github.com/jsha/minica@latest
Issuing an SSL certificate
# Issue an SSL certificate for domain names
minica -ca-cert zhongerca.pem -ca-key zhonger-key.pem --domains "sni.lisz.me,zhonger.io,*.zhonger.io"
# Issue an SSL certificate for an IP address
minica -ca-cert zhongerca.pem -ca-key zhonger-key.pem --ip-addresses "127.0.0.1"
minica offers a very simple way to issue SSL certificates: specify the root certificate and root key, then one or more domain names, wildcard domains, or IP addresses. The default validity of a certificate issued by minica is 2 years and 30 days (I believe the extra month comes from a 30-day buffer period). Here we imitate the way Cloudflare generates its SSL certificates: the first domain name is sni.<root certificate domain>, and the second is the domain name we actually want to issue for. Because minica uses the first domain name as the name of the folder in which it writes the cert.pem and key.pem files, running the issuing command above again in the same directory with this naming scheme overwrites the old files, so it is recommended to use certonly, or to rename the directory the way acme.sh does, to tell them apart.
Other
mkcert
Besides minica, the mkcert tool from FiloSottile/mkcert is also very simple and convenient. mkcert generates the root certificate itself and then issues certificates from it. Personally, compared with minica, I find mkcert better suited to HTTPS for personal local development than to team intranet HTTPS.
Forged root certificates
The worry about self-generated root certificates is that anyone can forge a similar-looking root certificate in the same way. In fact, a root certificate is unique: even if every field is set identically, the result is still two different root certificates. What we need to do is:
- Protect the root certificate key, because the same key can be used to generate a closely similar root certificate. Even then, the serial numbers and validity periods of the two root certificates will not be exactly the same; if the keys differ, the key IDs of the two root certificates will naturally differ as well.
- Tell users what the real root certificate looks like (serial number, key ID, validity period, and so on) and where it should be downloaded from. This requires setting up a root-certificate download site on the intranet, and the SSL certificate of that site is best purchased or obtained from a public CA. In other words, a root certificate for intranet HTTPS that is downloaded from a trustworthy site is itself trustworthy.
The screenshot below compares the key ID (Subject Key Identifier) of the root certificate generated above with the issuer key ID (Authority Key Identifier) of the SSL certificate issued from it. The two are identical, which is what makes the SSL certificate trusted.
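The whole chain described on this page, as an added example that is not part of the original post: a self-signed root like the one `openssl req -new -x509` produces, a leaf issued from it the way minica does, and the check a client that trusts only that root performs, which is also what makes a look-alike root built from the same DN fields fail. It uses Go's standard crypto/x509 library (minica is itself written in Go); the organization name and domain names are taken from the page, while the function names and the choice of Ed25519 keys are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for subject/dns signed by parent, or a self-signed root CA
// (CA:TRUE, 3600 days, as the page's openssl command produces) when parent is nil. Each call
// draws a fresh key and a fresh random serial, so two roots with identical DN fields still differ.
func mkCert(subject string, dns []string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // an error here means the system RNG failed
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{Organization: []string{"zhonger"}, CommonName: subject},
		DNSNames:     dns,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().AddDate(2, 0, 30), // minica's default: two years plus 30 days
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // self-signed root: issuer == subject, signed with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.ExtKeyUsage = true, true, nil
		tmpl.NotAfter = time.Now().AddDate(0, 0, 3600)
		parent, parentKey = tmpl, key
	}
	// Go fills a CA's Subject Key Identifier from its key, and a child's Authority Key
	// Identifier from the parent's SKI: the two key IDs the page compares in its screenshot.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert, key
}

// trustedBy reports whether a client that trusts only root accepts leaf for host.
func trustedBy(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
```

A second root built with mkCert("lisz.me", nil, nil, nil) carries the same DN fields but a different key, so it fails trustedBy for the leaf and differs in both Subject Key Identifier and serial number.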
Install the root certificate on other platforms
Installing the root certificate on Mac OS was covered above. Other platforms such as Windows, Linux, Android and iOS follow a similar procedure with slight differences. Since the steps for Windows and Linux desktop are almost the same as for Mac OS, they are not repeated here; this section mainly covers Linux servers, Android and iOS.
Linux Server
# update-ca-certificates only picks up files under /usr/local/share/ca-certificates/ whose name ends in .crt
sudo cp zhongerca.pem /usr/local/share/ca-certificates/zhongerca.crt
sudo update-ca-certificates
Android or HarmonyOS
Taking Huawei HarmonyOS as an example: first download the root certificate to the device, then select the downloaded file under Settings > Security > More Security Settings > Encryption and Credentials > Install from Storage Device to complete the installation. Afterwards, the installed root certificate is listed under Trusted Credentials > User at the same menu level.
iOS or iPadOS
First download the root certificate to the device and open it from the Files app; this automatically jumps to Settings > General > VPN and Device Management. The root certificate appears in the configuration profile list; tap it, enter the passcode, and verify it.