Shaon Majumder · Follow
--
Securing your web applications with SSL certificates is crucial for ensuring the confidentiality and integrity of data transmitted between the client and server. In this tutorial, we’ll walk through the process of generating a self-signed SSL certificate with a Subject Alternative Name (SAN) for an Apache web server on Ubuntu.
Before you begin, make sure you have the following:
- Ubuntu server with Apache installed
openssltool installed
At the beginning, Go to your frontend folder
Create a directory for certificates
mkdir certificates
cd certificatesopenssl genpkey -algorithm RSA -out private.keygenpkey: This sub-command is used for generating private keys.-algorithm RSA: Specifies the algorithm to be used for key generation. In this case, RSA (Rivest–Shamir–Adleman), a widely used asymmetric cryptographic algorithm.-out private.key: Specifies the output file for the generated private key. In this example, the private key will be saved in a file namedprivate.key.
[Not Recommended] If you want your private.key remains password protected, then -
openssl genpkey -algorithm RSA -aes256 -out private.key-aes256:
- Indicates the encryption algorithm to be used for the private key. In this case, it’s AES (Advanced Encryption Standard) with a key length of 256 bits. This parameter ensures that the private key is encrypted using AES-256 for added security. The user will be prompted to enter a passphrase during the key generation process, and this passphrase is used to encrypt the private key.
You’ll be prompted to enter a passphrase; remember this passphrase as you’ll need it later.
Create a file named san.conf with the following content:
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no[req_distinguished_name]
CN = localhost
C = BD
ST = Dhaka
L = Motijheel
O = Robist
OU = Developers
emailAddress = smazoomder@gmail.com
[req_ext]
subjectAltName = IP:192.168.0.88
(In Ip place your IP)
[req]: This section specifies the attributes for the certificate request.distinguished_name = req_distinguished_name: Refers to the distinguished name section, where you define various details about the entity requesting the certificate.req_extensions = req_ext: Points to the extensions section, which allows you to include additional information in the certificate.prompt = no: Disables prompting for certificate details during the certificate creation process.[req_distinguished_name]: Defines various distinguished name attributes, such as Common Name (CN), Country (C), State (ST), Locality (L), Organization (O), Organizational Unit (OU), and Email Address.CN = localhost: Specifies the Common Name (CN), typically the domain name associated with the certificate.C = BD: Country attribute, indicating the country (Bangladesh in this case).ST = Dhaka: State attribute, specifying the state or region (Dhaka in this case).L = Motijheel: Locality attribute, indicating the locality or city (Motijheel in this case).O = Robist: Organization attribute, denoting the organization name (Robist in this case).OU = Developers: Organizational Unit attribute, representing the organizational unit or department (Developers in this case).emailAddress = smazoomder@gmail.com: Email address associated with the certificate.[req_ext]: Extensions section, allowing for the inclusion of additional extensions in the certificate.subjectAltName = IP:192.168.0.88: Specifies the Subject Alternative Name (SAN) extension, including an IP address (192.168.0.88) as an alternative identifier for the entity associated with the certificate.
Breakdown of Subject Alternative Name (SAN) :
- Subject: In the context of SSL/TLS certificates, the “subject” typically refers to the entity (such as a website or server) for which the certificate is issued. It often includes information like the Common Name (CN), organization, and location.
- Alternative Name: The “Alternative Name” refers to additional identifiers that can be included in the SSL/TLS certificate. These identifiers go beyond the Common Name (CN) and provide flexibility in specifying other valid names for the certificate.
Why SAN is Needed:
- Support for Multiple Identifiers: SAN allows a single SSL/TLS certificate to be valid for multiple identifiers. Traditionally, SSL certificates were issued based on the Common Name (CN) field, which represented the main domain. However, with the growing need for flexibility, SAN enables the inclusion of additional names.
- Multi-Domain Certificates: SAN is particularly useful in scenarios where a single certificate needs to cover multiple domains or subdomains. Instead of obtaining separate certificates for each domain, a multi-domain certificate with SAN extension can include all the necessary identifiers.
- IP Addresses and Email Addresses: SAN is not limited to domain names; it can also include IP addresses and email addresses as alternative identifiers. This is valuable in situations where certificates need to cover services accessed via IP addresses or email communication.
- Wildcard Certificates: SAN is commonly used in conjunction with wildcard certificates. A wildcard certificate covers a domain and its subdomains, and SAN can further extend its coverage to additional domains.
- Avoidance of Certificate Mismatch Issues: Including SAN helps prevent issues related to certificate mismatches. When a user accesses a service through an alternative name, the presence of SAN ensures that the certificate is still considered valid.
In summary, Subject Alternative Name (SAN) is an extension to SSL/TLS certificates that allows for the inclusion of multiple identifiers, providing flexibility and broader coverage for various naming scenarios in secure communications.
openssl req -new -key private.key -out certificate.csr -config san.confopenssl req:
- This is the OpenSSL command used for creating and processing certificate requests.
-new:
- Indicates that a new CSR (Certificate Signing Request) is being generated.
-key private.key:
- Specifies the private key file to be used for generating the CSR. The private key generated in the previous step (
private.key) is used here.
-out certificate.csr:
- Specifies the output file where the generated CSR will be saved. In this example, the CSR will be saved to a file named
certificate.csr.
-config san.conf:
- Specifies a configuration file (
san.conf) that contains additional settings, including Subject Alternative Names (SANs) for the certificate.
openssl x509 -req -in certificate.csr -signkey private.key -out server.cert -days 365openssl x509:
- This is the OpenSSL command used for signing and displaying X.509 certificate files.
-req:
- Indicates that the input file (
certificate.csr) is a Certificate Signing Request (CSR).
-in certificate.csr:
- Specifies the input file containing the Certificate Signing Request (CSR) that needs to be signed. In this example, the CSR file is
certificate.csr.
-signkey private.key:
- Specifies the private key (
private.key) to be used for signing the CSR and generating the certificate.
-out server.cert:
- Specifies the output file where the signed X.509 certificate will be saved. In this example, the certificate file is named
server.cert.
-days 365:
- Specifies the validity period of the certificate in days. In this case, the certificate will be valid for 365 days (1 year).
An X.509 certificate is a digital certificate that follows the X.509 standard, which defines the format and structure for public-key certificates. These certificates are widely used in internet security protocols, including TLS/SSL for secure web communication. Here’s a breakdown of the X.509 certificate:
- Version: Indicates the version of the X.509 standard used in the certificate (e.g., version 1, 2, or 3).
- Serial Number: A unique identifier assigned by the certificate issuer (Certificate Authority) to differentiate certificates.
- Signature Algorithm: Specifies the cryptographic algorithm used by the Certificate Authority to sign the certificate.
- Issuer: Identifies the entity (usually a Certificate Authority) that issued the certificate.
- Validity Period: Defines the time period during which the certificate is considered valid. It includes a “Not Before” and “Not After” date.
- Subject: Identifies the entity (e.g., a person, organization, or device) associated with the public key in the certificate.
- Subject Public Key Info: Contains the public key and the algorithm used by the subject.
- Extensions: Additional information or attributes associated with the certificate. This may include Subject Alternative Names (SAN), key usage, and more.
- Certificate Signature Algorithm: Specifies the algorithm used by the Certificate Authority to sign the certificate.
- Certificate Signature Value: Contains the digital signature created by the Certificate Authority, ensuring the integrity and authenticity of the certificate.
- Authentication: Verifies the identity of the certificate holder (subject).
- Encryption: Facilitates secure communication by providing a means to encrypt data using the public key.
- Digital Signatures: Allows for the creation and verification of digital signatures, ensuring data integrity.
- Key Exchange: Supports the exchange of cryptographic keys in secure communication protocols.
- In the context of SSL/TLS protocols, X.509 certificates are essential for establishing secure connections between clients and servers. When a client connects to a secure website, the server presents its X.509 certificate, which the client verifies to ensure a secure and trusted connection.
- X.509 certificates may be self-signed for internal use or signed by a trusted Certificate Authority for public-facing websites.
Understanding X.509 certificates is crucial for anyone involved in web security, system administration, or software development.
Update your Apache VirtualHost configuration (/etc/apache2/sites-available/your-site.conf):
<VirtualHost *:443>
ServerName localhost
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/your-project/backend/public SSLEngine on
SSLUseStapling off
SSLCertificateFile /var/www/html/your-project/certificates/server.cert
SSLCertificateKeyFile /var/www/html/your-project/certificates/private.key
ServerAlias 192.168.0.88
<Directory "/var/www/html/your-project/backend/public">
Options All
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:443>: Defines a VirtualHost block for HTTPS communication on port 443.
ServerName localhost: Specifies the primary domain name associated with this VirtualHost. In this case, it is set to “localhost.”
ServerAdmin webmaster@localhost: Email address of the server administrator.
DocumentRoot /var/www/html/your-project/backend/public: Sets the document root directory for this VirtualHost. This is the location where the web server looks for files to serve.
SSLEngine on: Enables the SSL engine for this VirtualHost, indicating that it should handle SSL connections.
SSLUseStapling off: Disables SSL stapling. SSL stapling is a mechanism to enhance SSL/TLS certificate verification, but it’s turned off in this example.
SSLCertificateFile /var/www/html/your-project/certificates/server.cert: Specifies the path to the SSL certificate file. This is the public key certificate file generated in previous steps.
SSLCertificateKeyFile /var/www/html/your-project/certificates/private.key: Specifies the path to the private key file associated with the SSL certificate.
ServerAlias 192.168.0.88: Additional domain names or IP addresses that this VirtualHost should respond to. In this case, it includes the IP address 192.168.0.88.
<Directory "/var/www/html/your-project/backend/public">: Begins the configuration block for the specified directory.
Options All: Allows all available options for this directory.
AllowOverride All: Allows the use of the .htaccess file for configuration overrides in this directory.
Require all granted: Grants access to all users.
</Directory>: Ends the configuration block for the specified directory.
</VirtualHost>: Ends the VirtualHost block.
- This configuration block ensures that Apache knows how to handle SSL connections for the specified domain (localhost and 192.168.0.88). It points to the SSL certificate files and defines access settings for the associated directory.
- Make sure to replace placeholders like “/var/www/html/your-project” with the actual paths used in your project.
Then enable it :
sudo a2ensite your-site.confsudo systemctl restart apache2You’ll be prompted to enter the passphrase for the SSL/TLS keys.
sudo tail -f /var/log/apache2/error.logLook for any error messages related to SSL.
cd /var/www/html/your-project/backend
sudo chmod -R 775 storage
sudo chown -R www-data:www-data storageNow, you should be able to access your application securely at https://192.168.0.88 (Your IP)
in frontend env :
REACT_APP_NAME = 'your-project'
REACT_APP_VERSION = v1.1.0
GENERATE_SOURCEMAP = falseREACT_APP_API_BASE_URL='https://192.168.0.88/api'
REACT_APP_ASSET_BASE_URL='https://192.168.0.88/storage'
REACT_APP_MAIN_DOMAIN='192.168.0.88:3000'
REACT_APP_API_DOMAIN='https://192.168.0.88'
REACT_APP_BACK_DOMAIN = 'https://192.168.0.88'
REACT_APP_SITE_KEY = 'your-key'
in backend env :
APP_URL=https://192.168.0.88
APP_SITE_URL="https://192.168.0.88:3000"Congratulations! You have successfully created a self-signed SSL certificate with a Subject Alternative Name for your Apache web server on Ubuntu.
If you have a problem, then run
sudo systemctl restart apache2cd /var/www/html/your-project/backend
sudo chmod -R 775 storage
sudo chown -R www-data:www-data storageEnsure that your /etc/hosts file includes an entry for localhost and the IP address 192.168.0.88(your IP)
- Creating Authority & Convert the certificate to CRT format:
openssl x509 -in server.cert -out server.crt- Convert Certificate and Key to PKCS#12 Format:
openssl pkcs12 -export -out certificate.pfx -inkey private.key -in server.certYou’ll be prompted to enter the passphrase for the private key.
3. Import Certificate into Chrome:
- Open Chrome and go to
Settings. - Scroll down and click on
Advanced. - Under
Privacy and security, click onManage certificates. - In the
Certificateswindow, go to thePersonaltab. - Click on
Importand select thecertificate.pfxfile you generated. - Follow the import wizard, enter the passphrase when prompted, and choose the certificate store.
4. If you want to make sure to add the Certificate Authority(CA) in trusted list :
sudo cp server.crt /usr/local/share/ca-certificates/server.crt
sudo update-ca-certificatesUse the following command to make sure that your certificates have been added to the trust list:
awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep -i localhostTo check the full details of the certificate, you can use OpenSSL or another tool. For example, using OpenSSL:
openssl x509 -in server.cert -text -nooutCheck Expiry Date: Ensure that the SSL certificate has not expired. You can use the following OpenSSL command to check the expiry date:
openssl x509 -enddate -noout -in server.certVerify Certificate Content:
You can use OpenSSL to view the content of your certificate and private key files. Check if they contain the expected information:
openssl x509 -in server.cert -text -noout
openssl rsa -in private.key -text -nooutIf you need that, the private key file is not password-protected. If it is, you may need to remove the passphrase from the private key.
openssl rsa -in private.key -out private.keyIf you want to verify the certificate
openssl verify server.crt