Wiki page ssl changed with summary [added mkcert and changed every necessary configuration based on mkcert ] by Daniel

2023-01-07 21:08:49 +01:00 · 2023-01-07 21:08:49 +01:00 · 2bd93d87e7
parent b1fad2daa8
commit 2bd93d87e7
1 changed files with 70 additions and 36 deletions
--- a/pages/en/server/services/ssl.txt
+++ b/pages/en/server/services/ssl.txt
@ -11,14 +11,43 @@ nextcloud.domain SERVER-IP
 </code>


-===== Generating the private key and root certificate =====
+===== mkcert =====
+
+[[https://github.com/FiloSottile/mkcert|mkcert]] is a simple tool for making locally-trusted development certificates. It requires no configuration.
+
+
+==== Packages ====

 <code>
-openssl genrsa -des3 -out myCA.key 2048
+pacman -S nss mkcert
+</code>
+
+
+==== Create root certificate ====
+
+<code>
+mkcert -install
+</code>
+
+
+==== Create certificates for your domains ====
+
+<code>
+mkcert nextcloud.home
+</code>
+
+
+===== Manually =====
+
+
+==== Generating the private key and root certificate ====
+
+<code>
+openssl genrsa -des3 -out rootCA.key 2048
 </code>

 <code>
-openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
+openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1825 -out rootCA.pem
 </code>

 Change the following information as you wish. It appears when you view the certificate through your browser.
@ -33,39 +62,18 @@ Email Address []:
 </code>


-===== Installing your root certificate on all the devices =====
-
-You'll need to create a ''myCA.pem'' file on every device and copy the content of cat ''myCA.pem'' file wherever you created it in section [[#generating-the-private-key-and-root-certificate]].
-
-
-==== Arch Linux ====
+==== Creating CA-Signed certificates for your domains ====

 <code>
-sudo trust anchor --store myCA.pem
-</code>
-
-
-==== Android ====
-
-''Settings'' - ''Security'' - ''Encryption and credentials'' - ''Install a certificate''
-
-Check under:
-
-''Settings'' - ''Security'' - ''Trusted credentials'' - ''User''
-
-
-===== Creating CA-Signed certificates for your domains =====
-
-<code>
-openssl genrsa -out domain.home.key 2048
+openssl genrsa -out nextcloud.home-key.pem 2048
 </code>

 <code>
-openssl req -new -key DOMAIN.home.key -out DOMAIN.home.csr
+openssl req -new -key nextcloud.home-key.pem -out nextcloud.home.pem
 </code>

 <code>
-nano DOMAIN.home.ext
+nano nextcloud.home.ext
 </code>

 <code>
@ -75,11 +83,11 @@ keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
 subjectAltName = @alt_names

 [alt_names]
-DNS.1 = DOMAIN.home
+DNS.1 = nextcloud.home
 </code>


-==== Script ====
+=== Script ===

 Create the file in ''nano /etc/nginx/ssl/ssl.sh''.

@ -94,8 +102,8 @@ fi

 DOMAIN=$1

-openssl genrsa -out $DOMAIN.key 2048
-openssl req -new -key $DOMAIN.key -out $DOMAIN.csr
+openssl genrsa -out $DOMAIN-key.pem 2048
+openssl req -new -key $DOMAIN-key.pem -out $DOMAIN.pem

 cat > $DOMAIN.ext << EOF
 authorityKeyIdentifier=keyid,issuer
@ -106,16 +114,40 @@ subjectAltName = @alt_names
 DNS.1 = $DOMAIN
 EOF

-openssl x509 -req -in $DOMAIN.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial \
+openssl x509 -req -in $DOMAIN.pem -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
 -out $DOMAIN.crt -days 825 -sha256 -extfile $DOMAIN.ext
 </code>

 <code>
 chmod +x ssl.sh
-./ssl.sh domain.home
+./ssl.sh nextcloud.home
 </code>


+===== Installing your root certificate on all the devices =====
+
+You'll need to create a ''rootCA.pem'' file on every device and copy the content of ''cat rootCA.pem'' file wherever you created it in section [[#generating_the_private_key_and_root_certificate]] (manually). 
+
+If you used [[#mkcert]] just run this command ''cat $(mkcert -CAROOT)/rootCA.pem''.
+
+
+==== Arch Linux ====
+
+<code>
+sudo trust anchor --store rootCA.pem
+</code>
+
+
+==== Android ====
+
+''Settings'' - ''Security'' - ''Encryption and credentials'' - ''Install a certificate''
+
+Check under:
+
+''Settings'' - ''Security'' - ''Trusted credentials'' - ''User''
+
+
+
 ===== Nginx =====

 Check also [[/en/server/services/nginx]]
@ -134,6 +166,8 @@ ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
 ssl_ecdh_curve secp384r1;
 ssl_session_cache shared:SSL:10m;
 </code>
+
+
 ==== example ====

 <code>
@ -151,8 +185,8 @@ server {
        listen [::]:443 ssl http2;
        server_name nextcloud.home;

-        ssl_certificate /etc/nginx/ssl/nextcloud.home.crt;
-        ssl_certificate_key /etc/nginx/ssl/nextcloud.home.key;
+        ssl_certificate /etc/nginx/ssl/nextcloud.home.pem;
+        ssl_certificate_key /etc/nginx/ssl/nextcloud.home-key.pem;
        include conf.d/ssl-params.conf;
    
        access_log /var/log/nginx/nextcloud.home_access_log;