
Create signed certificate

Rafael Cunha edited this page Dec 2, 2021 · 2 revisions

This is a brief tutorial on how to create a private key and a self-signed certificate to be used with Xerock.

⚠️ This tutorial is for test purposes ONLY! It is not intended for use in any production environment, nor as a source of knowledge about security or SSL.

We are going to:

  • Create a private key and certificate for a Certificate Authority;
  • Generate a private key and a signed certificate to be used with Xerock.

This tutorial uses the following variables (change them for your environment):

#use your own domain
NAME=mydomain.com 
#localhost, use your daemon IP
IP=127.0.0.1

As output, you will have the following files (the other files created along the way are no longer needed):

  • myCA.pem - CA certificate. Import this file into your browser;
  • mydomain.com.key - the generated private key. Use with option -k/--key of the Xerock daemon;
  • mydomain.com.crt - the signed certificate. Use with option -c/--cert of the Xerock daemon.

#Set your environment variables
$ NAME=mydomain.com 
$ IP=127.0.0.1

#Generate CA private key (type a passphrase as asked)
$ openssl genrsa -des3 -out myCA.key 2048
#Generate the root certificate (you will be asked for the passphrase just created and some other info)
$ openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem

#Generate a private key for your domain
$ openssl genrsa -out $NAME.key 2048
#Create a certificate signing request (answer all questions)
$ openssl req -new -key $NAME.key -out $NAME.csr

# Create a config file for the extensions (paste the following command)
$ >$NAME.ext cat <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME 
IP.1 = $IP
EOF

# Finally, create the signed certificate
$ openssl x509 -req -in $NAME.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out $NAME.crt -days 825 -sha256 -extfile $NAME.ext
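
Before importing the CA or starting the daemon, it is worth confirming that the certificate chains to the CA, that the SAN entries cover both $NAME and $IP, and that the key matches the certificate. The script below is an added example, not part of the original tutorial or of Xerock; the function names check_cert and make_demo_chain are hypothetical, and the demo chain uses -subj values and a CA key without a passphrase so that it runs unattended.

```bash
#!/usr/bin/env bash
# Added example (not Xerock code): sanity-check the tutorial's output files.

# check_cert CA_PEM CERT KEY NAME IP -> 0 if usable, 1/2/3 names the failed check.
check_cert() {
  ca=$1 crt=$2 key=$3 name=$4 ip=$5
  # 1. Chains to the CA, and the SAN covers both the DNS name and the IP.
  openssl verify -CAfile "$ca" -verify_hostname "$name" -verify_ip "$ip" \
    "$crt" >/dev/null 2>&1 || return 1
  # 2. The private key matches the certificate (identical public key).
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] || return 2
  # 3. The leaf is not a CA itself (basicConstraints=CA:FALSE from the .ext file).
  openssl x509 -in "$crt" -noout -text | grep -q 'CA:FALSE' || return 3
  return 0
}

# make_demo_chain DIR NAME IP: the tutorial's steps, made non-interactive.
# Assumptions: -subj answers the prompts; the throwaway CA key has no passphrase.
make_demo_chain() {
  d=$1 n=$2 i=$3
  openssl genrsa -out "$d/myCA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$d/myCA.key" -sha256 -days 825 \
    -subj "/CN=Demo Test CA" -out "$d/myCA.pem"
  openssl genrsa -out "$d/$n.key" 2048 2>/dev/null
  openssl req -new -key "$d/$n.key" -subj "/CN=$n" -out "$d/$n.csr"
  printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
    'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
    'subjectAltName = @alt_names' '[alt_names]' "DNS.1 = $n" "IP.1 = $i" > "$d/$n.ext"
  openssl x509 -req -in "$d/$n.csr" -CA "$d/myCA.pem" -CAkey "$d/myCA.key" \
    -CAcreateserial -out "$d/$n.crt" -days 825 -sha256 -extfile "$d/$n.ext" 2>/dev/null
}

# Demo on a constructed, throwaway chain in a temp dir.
tmp=$(mktemp -d)
make_demo_chain "$tmp" mydomain.com 127.0.0.1
if check_cert "$tmp/myCA.pem" "$tmp/mydomain.com.crt" "$tmp/mydomain.com.key" \
     mydomain.com 127.0.0.1; then
  echo "certificate, key and SAN entries are consistent"
fi
rm -rf "$tmp"
```

To check the files you actually generated, call check_cert myCA.pem $NAME.crt $NAME.key $NAME $IP from the directory that holds them; a return code of 1 usually means the .ext file was not applied or names a different host.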

Now import the CA certificate you created (myCA.pem) into your browser. In Chrome, go to Settings > Privacy and Security > Security > Manage certificates > Authorities. Click Import and select the myCA.pem file.

Now, compile Xerock with SSL support (-DWITH_SSL=1) and run using the following command:

$ ./xerock -c <path_to_file>/mydomain.com.crt -k <path_to_file>/mydomain.com.key <port>

Access the interface and try to connect to the daemon using SSL.

If you need to convert your PEM certificate to CRT (DER-encoded) format, use this command:

$ openssl x509 -outform der -in myCA.pem -out myCA.crt

This tutorial was based on this answer.
