
Create self-signed TLS/SSL certificates with OpenSSL

Starting with Chrome version 58 and Firefox version 48, a certificate that does not specify the SAN (Subject Alternative Name) attribute causes the “Your connection is not secure” error.

Attention: Self-signed SSL certificates don’t provide reliable data protection against malicious users. We recommend using SSL certificates issued by trusted certificate authorities like Comodo, Symantec, Thawte, etc.

To generate an SSL certificate with the SAN attribute, make sure you have OpenSSL installed on your system and do the following:

 

  1. Create a root CA certificate. It will be used to issue other certificates. Fill out the form that appears. When prompted, enter the Common Name that is the fully qualified domain name of your server:

sudo openssl genrsa -des3 -out /etc/ssl/private/rootCA.key 2048
sudo openssl req -x509 -new -nodes -key /etc/ssl/private/rootCA.key -sha256 -days 365 -out /etc/ssl/certs/rootCA.pem

 

  2. Create the /etc/ssl/v3.ext configuration file with the following content (where mydomain.com is the fully qualified domain name of your server):

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
 
[alt_names]
DNS.1 = mydomain.com

  3. Create a self-signed certificate using the configuration file and the root certificate. Fill out the form that appears. When prompted, enter the Common Name that is the fully qualified domain name of your server:

sudo openssl genrsa -out /etc/ssl/private/selfsigned.key 2048
sudo openssl req -new -key /etc/ssl/private/selfsigned.key -out /etc/ssl/certs/selfsigned.csr
sudo openssl x509 -req -in /etc/ssl/certs/selfsigned.csr -CA /etc/ssl/certs/rootCA.pem -CAkey /etc/ssl/private/rootCA.key -CAcreateserial -out /etc/ssl/certs/selfsigned.crt -days 365 -sha256 -extfile /etc/ssl/v3.ext

 

  4. When installing or updating BRIX or databases, the selfsigned.key key, the selfsigned.crt certificate, and the rootCA.pem root CA certificate are used.
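
A way to check the result of steps 1 to 3 before installing the files, added here as an example that is not part of the BRIX documentation. It repeats the procedure non-interactively in a temporary directory (assumptions: `-subj` instead of the prompts, no `-des3` passphrase on the CA key, a constructed CA name and throwaway file names), then confirms that the certificate chains to the root CA and lists the host name in its SAN, next to a certificate signed without `-extfile` that fails the SAN check.

```sh
#!/bin/sh
# Added example: every file is constructed in a temporary directory.

# Succeeds only if the certificate's SAN extension lists DNS:<host>.
san_has_host() {  # $1 = certificate, $2 = host name
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' \
        | tr ',' '\n' | tr -d ' ' | grep -Fxq "DNS:$2"
}

# Checks the two properties a browser needs: chain to the CA, host name in SAN.
check_server_cert() {  # $1 = CA certificate, $2 = server certificate, $3 = host name
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
        || { echo "FAIL: $2 is not signed by $1"; return 1; }
    san_has_host "$2" "$3" \
        || { echo "FAIL: $2 has no SAN entry DNS:$3"; return 1; }
    echo "OK: $2 chains to $1 and lists DNS:$3"
}

# Non-interactive variant of steps 1-3 (assumptions: -subj instead of the prompts,
# no -des3 passphrase on the CA key, throwaway file names).
make_demo_certs() {  # $1 = work directory, $2 = host name
    openssl genrsa -out "$1/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$1/rootCA.key" -sha256 -days 365 \
        -subj "/CN=Constructed Test Root CA" -out "$1/rootCA.pem"
    printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
        'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
        'subjectAltName = @alt_names' '' '[alt_names]' "DNS.1 = $2" > "$1/v3.ext"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/server.csr"
    # Signed with the extension file, as in step 3.
    openssl x509 -req -in "$1/server.csr" -CA "$1/rootCA.pem" -CAkey "$1/rootCA.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$1/v3.ext" \
        -out "$1/with-san.crt" 2>/dev/null
    # Same request signed without -extfile: valid chain, but no SAN.
    openssl x509 -req -in "$1/server.csr" -CA "$1/rootCA.pem" -CAkey "$1/rootCA.key" \
        -CAcreateserial -days 365 -sha256 -out "$1/no-san.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir" mydomain.com
check_server_cert "$demo_dir/rootCA.pem" "$demo_dir/with-san.crt" mydomain.com
check_server_cert "$demo_dir/rootCA.pem" "$demo_dir/no-san.crt" mydomain.com || true
```

To check the files produced by the procedure itself, call `check_server_cert /etc/ssl/certs/rootCA.pem /etc/ssl/certs/selfsigned.crt mydomain.com`.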