Sometimes for development, a self-signed certificate is enough, which is relatively simple to create. However, in some cases some apps and browsers will still cause trouble with self-signed certs.

Of course, the right way(tm) to go about is having a proper, widely recognized and trusted Certificate Authority sign your certificates. However, sometimes this isn't suitable when the website is meant to be part of a highly private network that no third party CA can verify or you are working in an environment where it's simply not possible.

Below I'm describing some steps that can be followed to produce your own Certificate Authority files that can be imported in your OS so you can sign your own certificates and have them accepted by your system.

Creating the CA certificate files

For the creation of the Root Certificate files necessary for the CA we will be relying on openssl. This toolkit is Free Software available on many systems, so it's a portable and reliable way to work with certificates and cryptographic keys.

Below an example on how to generate a key pair with file name devCA.

openssl genrsa -aes256 -out devCA.key 4096
openssl req -x509 -new -nodes -key devCA.key -sha256 -days 3650 -out devCA.pem

The first command will create the private key. It'll ask you to set a password (remove -aes256 if you don't want it password-protected).

The second command will produce the certificate in PEM format and ask you some details that typically are properties of a certificate.

The answers to those questions won't matter much, since it'd be a private CA.. though you might want to add some short description as the "Common Name" (what usually contains the FQDN in certificates), since this would be used in a few places when displaying it.

Installing the CA in your OS

Windows

1. Launch the Microsoft Management Console: type mmc.exe "Run" dialog (Win+R)

2. Choose File > Add/Remove Snap-ins.

3. Select "Certificates" from the list and add it.

4. Now in the main window, the following location should be available in the sidepanel tree view, expand it: Console Root -> Trusted Root Certification Authorities -> Certificates

5. Right click that folder entry on the tree and choose: All Tasks -> Import...

6. Follow the indications to import the PEM file.

Linux

In Linus it's just as simple as copying the PEM file to /usr/local/share/ca-certificates/ with crt extension and calling the appropriate command to refresh the CA store.

sudo cp devCA.pem /usr/local/share/ca-certificates/devCA.crt
sudo update-ca-certificates

Java VM

If we are testing/using java appications that might rely on the use of that CA, we will need to add the certificate to the JVM truststore. For this we can use the keytool command included with the JDK. Instructions below (assuming it uses the default password "changeit").

# convert the PEM certificate to DER binary format
openssl x509 -in devCA.pem -inform pem -out devCA.der -outform der
# check that keytool recognizes the DER certificate as valid (optional)
keytool -v -printcert -file devCA.der
# import it into the trust store from the $JAVA_HOME JRE installation
keytool -importcert -alias startssl -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit -file devCA.der
# confirm it has been imported
keytool -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit -list | grep myCA

Sign a certificate with your custom CA

Now to actually make use of that CA we created. We'll create a signed certificate with the CA we just created.

You can create a private key, in a similar way as when creating the CA files. You can choose whatever name you prefer (normally you'll want the filename to match the domain...) but in this case I'll just call it devcert.

openssl genrsa -out devcert.key 2048

Now, since it's gonna be a signed certificate, we create a public key as a CSR (Certificate Signing Request) file.

openssl req -new -key devcert.key -out devcert.csr

We'll also need an ext file that defines some properties for the signed certificate. Below is how you can create such file on bash for whateveryourdomainis.local (replace that with your domain).

You could also add extra domains for the same certificate by adding DNS.2, DNS.3, and/or specify IP addresses with IP.1, IP.2, etc.

cat >devcert.ext <<EOF
# v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
extendedKeyUsage=serverAuth

[alt_names]
DNS.1 = whateveryourdomainis.local
EOF

Then, we can produce the signed certificate devcert.crt with the following command:

openssl x509 -req -in devcert.csr -CA devCA.pem -CAkey devCA.key -CAcreateserial -sha256 -extfile devcert.ext -out devcert.crt -days 825