- Install OpenSSL
- Create the certs and verify them as described below
- Configure the backend to use HTTPS: set TLS=1 and verify the paths to the server cert and key.
- When the backend starts up, check the start of the log to confirm that reading the cert does not cause an exception
- Call the backend to verify. In the Bruno settings, tick SSL/TLS Certificate Verification, then set the custom CA certificate.
- Check using curl that the certificate is OK (more under TLS Certificate Verification) with the command:

```sh
curl --cacert ca.crt https://localhost:8989/status
```
Generate a password (optional)

Make up your own, or for instance use the crypto.randomUUID() function available in the browser dev tools console:

```js
console.log(crypto.randomUUID());
// 65eaf536-887d-498a-9185-4bd1232c9166
```
Generate an AES encrypted private key

```sh
openssl genrsa -aes256 -out ca.key 4096
```

Enter the password you generated when asked. If successful, it generates the file ca.key.
Create the CA Certificate (1826 days = 5 years)

```sh
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1826 -out ca.crt -subj "/emailAddress=kaj@lund.com/CN=dev.kajlund.com/C=FI/ST=Western Finland/L=Pietarsaari/O=KajLund"
```

It will ask for the CA key password and, if successful, creates the file ca.crt. Install ca.crt in your Trusted Root Certificate Store.
Create a Certificate for your Server

```sh
openssl req -new -nodes -out server.csr -newkey rsa:4096 -keyout server.key -subj "/emailAddress=kaj@lund.com/CN=dev.kajlund.com/C=FI/ST=Western Finland/L=Pietarsaari/O=KajLund"
```

If successful, it creates the file server.csr (and the unencrypted server key server.key named by -keyout).
Create a file for the SAN properties

Create a file server.v3.ext containing something like:

```ini
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = host.docker.internal
IP.1 = 127.0.0.1
```
Sign the server certificate using the CA key

You need the password for the CA.

```sh
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.pem -days 730 -sha256 -extfile server.v3.ext
```

If successful, it creates your signed server certificate as the file server.pem.
Test the certificates using OpenSSL

```sh
# Chain check: server.pem must be signed by ca.crt
openssl verify -verbose -CAfile ca.crt server.pem
# Live check against the running backend, trusting ca.crt explicitly
openssl s_client -showcerts -connect localhost:8989 -CAfile ca.crt
# Same check via the IP SAN; without -CAfile this only verifies if ca.crt is installed in the system trust store
openssl s_client -showcerts -connect 127.0.0.1:8989
```
Certificate Signing Request Fields

| Attr | Name | Description/Sample |
|---|---|---|
| emailAddress | Approver Email | kaj@lund.com |
| CN | Common Name | dev.kajlund.com |
| O | Organization Name | KajLund |
| OU | Organizational Unit | IT |
| L | Locality | Pietarsaari |
| ST | State/Province | Western Finland |
| C | Country Code | FI |