adventures into the land of the command line

get ssl working for local development in firefox with a self signed certificate

generate your ca key & ca certificate

$ openssl ecparam -genkey -name prime256v1 -out whatever_ca.key

$ openssl req -x509 -new -SHA256 -nodes -key whatever_ca.key -days 3650 -subj "/C=AU/ST=Victoria/L=Melbourne/O=Whatever/OU=Ops/CN=api.localhost.whatever.com/[email protected]" -out whatever_ca.crt

generate your server key and certificate signing request. note the SAN stuff was for chrome before version 65.

$ openssl ecparam -genkey -name prime256v1 -out whatever_server.key

$ openssl req -new -SHA256 -key whatever_server.key -nodes -subj "/C=AU/ST=Victoria/L=Melbourne/O=Whatever/OU=Ops/CN=api.localhost.whatever.com/[email protected]" -reqexts SAN -extensions SAN -config 

self sign the csr

$ openssl x509 -req -SHA384 -days 3650 -in whatever_server.csr -CA whatever_ca.crt -CAkey whatever_ca.key -CAcreateserial -out whatever_server.crt

and don’t forget the dhparam for the elliptic curve stuff (the file name here matches the ssl_dhparam path in the nginx config below)

$ openssl dhparam -out whatever.pem 2048

setup your nginx in your local environment

# plain http just redirects to https
server {
    listen 80;
    server_name api.localhost.whatever.com;
    return 301 https://$server_name$request_uri;
}

server {
    # "ssl on;" is deprecated, enable tls on the listen directive instead
    listen                      443 ssl;
    # must match the CN / SAN in whatever_server.crt or the browser rejects the cert
    server_name                 api.localhost.whatever.com;
    access_log                  /var/log/nginx/nginx_access.log;
    error_log                   /var/log/nginx/nginx_error.log;
    # careful: once firefox sees this header it refuses plain http on this host for a year
    add_header                  Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    ssl_certificate             /etc/ssl/whatever_server.crt;
    ssl_certificate_key         /etc/ssl/whatever_server.key;
    # tls 1.0 and 1.1 are deprecated, don't offer them
    ssl_protocols               TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers   on;
    # ecdhe/dhe aead suites first; RC4, 3DES, MD5, export and anonymous suites excluded
    ssl_ciphers                 "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !MEDIUM";
    # the file generated with openssl dhparam above
    ssl_dhparam                 /etc/ssl/whatever.pem;
    keepalive_timeout           10;
    ssl_session_cache           shared:SSL:10m;
    ssl_session_timeout         10m;

    location / {
        # ... your app config goes here
    }
}

if you check your app in the browser now, firefox will tell you the certificate was signed by an untrusted authority (hey that’s you!)

in the firefox quantum web browser (i have version 58) click preferences and then find the view certificates area.

go to the authorities tab and click on import. add your whatever_ca.crt to this area. select the checkboxes you want and then firefox will save it and use it to verify your certificates.

BAM green padlock woohoo.