【CA】Generate CA with mkcert

| Category: Security Engineer | Tags: PKI, Certificate

install & generate root CA with mkcert

You can install mkcert by downloading a binary from https://github.com/FiloSottile/mkcert/releases/download/ , then moving it to your custom path.

Generate the root CA like this:

i➜  /tmp  ᐅ  mkcert -install

Screenshot from 2020-03-21 09-16-19 (the picture was taken with the root CA already installed, so the output will differ from a first-time install)

You can also find the root CA files in your local directory; rootCA-key.pem is the CA's private key and should stay on this machine.

i➜  /tmp  ᐅ  ls -R ~/.local/share/mkcert
/home/mour/.local/share/mkcert:
rootCA-key.pem  rootCA.pem  test

/home/mour/.local/share/mkcert/test:
91sec.club.crt  91sec.club.key

generate a cert with openssl & sign it with your Root CA

i➜  /tmp  ᐅ  sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout 91sec.club.key  -out 91sec.club.crt
i➜  /tmp  ᐅ  mkcert -key-file 91sec.club.key -cert-file 91sec.club.crt docs.91sec.club

Now upload your cert to the remote server, configure the server to use it, and run nginx -s reload.

open your browser & test and verify

Open your Chrome browser and access your website. (In my scenario, I changed my host to point to my website.)

Attention please: it only works on computers that have your root CA installed, and not

If you want to find where it is, open Chrome, enter chrome://settings/certificates?search=cert and click the Authorities tab. (This differs on other platforms; for example, on macOS certificates are managed with Keychain Access.)
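The same trust rule can be checked from the command line without a browser. This is an added example, not from the original post: it shows that a certificate validates only against a trust store containing its issuing root CA, and that a self-signed certificate like the one `openssl req -x509` produces does not chain to the root CA. The throwaway CA is a constructed stand-in for mkcert's rootCA.pem, and the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example. The CA built here is a constructed stand-in for
# "$(mkcert -CAROOT)/rootCA.pem"; function and file names are hypothetical.

# make_demo_pki DIR: create a root CA, a leaf for docs.91sec.club issued by it,
# and a self-signed cert like the `openssl req -x509` command on the page.
make_demo_pki() {
    d=$1
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "/CN=demo root CA" \
        -keyout "$d/rootCA-key.pem" -out "$d/rootCA.pem" 2>/dev/null
    # Leaf key and CSR, then a certificate issued by the root CA with a SAN.
    openssl req -nodes -newkey rsa:2048 -subj "/CN=docs.91sec.club" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:docs.91sec.club\n' > "$d/san.ext"
    openssl x509 -req -in "$d/leaf.csr" -days 1 -CA "$d/rootCA.pem" \
        -CAkey "$d/rootCA-key.pem" -CAcreateserial -extfile "$d/san.ext" \
        -out "$d/leaf.crt" 2>/dev/null
    # Self-signed certificate: its issuer is itself, not the root CA.
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=91sec.club" \
        -keyout "$d/selfsigned.key" -out "$d/selfsigned.crt" 2>/dev/null
}

# chains_to TRUST_PEM CERT: succeed only if CERT verifies against TRUST_PEM.
chains_to() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# covers_host CERT HOST: succeed only if CERT's names match HOST.
covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# report CMD ARGS...: run one check and print PASS or FAIL for it.
report() {
    if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi
}

dir=$(mktemp -d)
make_demo_pki "$dir"
report chains_to "$dir/rootCA.pem" "$dir/leaf.crt"        # root CA is trusted
report chains_to "$dir/selfsigned.crt" "$dir/leaf.crt"    # trust store lacks the root CA
report chains_to "$dir/rootCA.pem" "$dir/selfsigned.crt"  # self-signed, not issued by the CA
report covers_host "$dir/leaf.crt" docs.91sec.club
rm -rf "$dir"
```

On a machine with mkcert installed, passing `"$(mkcert -CAROOT)/rootCA.pem"` and the real certificate to `chains_to` performs the same check against the actual root CA.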

So, this is a demo to help you learn the CA part. If you want to go deeper, you should learn more about NSS, PKI, and so on.
