Creating SSL certificates can be tricky, but fortunately, there are tools that make it easy to set up locally signed SSL certificates on your servers. This article explains how to use mkcert, a tool that allows you to easily create these locally signed SSL certificates on your own server and gain the same level of validation that you would have from an externally signed certificate, without the hassle of going through a certificate authority (CA).
Get the tools
Before we get started, you’ll need to download and install mkcert. You can find the latest release for your platform on the mkcert GitHub page. To use mkcert, you will also need a basic understanding of the Linux command line. If this is not the case, take some time to learn how commands work before continuing. Once you have mkcert installed, run it with the -h flag for help documentation, for example: mkcert -h. From there, copy and paste one of the following examples into your terminal prompt and replace server with the domain name or IP address that should be included in the server name field when generating certificates.
Create a Certificate Signing Request (CSR)
A Certificate Signing Request (CSR) is a block of encoded text that is given to a Certificate Authority when applying for an SSL Certificate. It contains information about the applicant and the public key that will be used. To create a CSR, use the following command: mkcert -newca -n Pesky Puppies -e expired
$ ./mkcert -newca -n Pesky Puppies -e expired
The private key has been saved in /home/user/.mkcert-tester/private_key.pem.
Create the certificate signing request (CSR)
A certificate signing request (CSR) is a block of encoded text that is given to a Certificate Authority when applying for an SSL Certificate. It is typically generated by the server where the certificate will be installed. It contains information that will be included in the certificate, such as the organization name, common name (domain name), locality, and country. The CSR also contains the public key that will be used to generate the certificate. There are two methods of generating the CSR: one method includes all necessary fields, while another method generates a blank template and leaves them blank so they can be filled out later. If you plan on using the latter method, make sure you remember to fill out all necessary fields before submitting your application! Once you have generated your CSR, it can be sent to us for review. We’ll send back instructions on how to complete your order along with instructions on how to install your SSL certificate.
Create your own certificate authority (CA)
Creating your own certificate authority (CA) can be a great way to add an extra layer of security to your online communications. Using mkcert, you can easily create locally signed SSL certificates that will be trusted by your web browser. Here’s how to use mkcert to generate your CA and certificates in one command.
- Create a text file called mkcert-ca with the following content: openssl req -x509 -newkey rsa:4096 -days 730 -nodes -keyout ca-key.pem -out ca-cert.pem
- Create a text file called mkcert-user with the following content
Run OpenSSL verify
Using OpenSSL, you can create a locally signed SSL certificate. This is useful for creating a secure connection to a web server. To do this, you will need to download and install OpenSSL. Once you have done this, you can use the OpenSSL command to generate a certificate. The first argument of the command specifies what type of key we want to create; in this case, it would be RSA. The second argument specifies where we want the output file (the location must exist). Finally, the third argument specifies that we want it to be an RSA public key with a 2048-bit modulus.
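
The CA command given earlier, together with the CSR and verify steps this article describes, carried through end to end with openssl alone. This is an added example, not code from the article or from the mkcert project; the CA name, the hostname dev.example.test, the demo.cnf config and the server-* file names are assumptions.

```shell
#!/bin/sh
# Added example: local CA -> CSR -> CA-signed leaf -> openssl verify.
# Constructed values: CA name, dev.example.test, and every file name
# except ca-key.pem / ca-cert.pem, which come from the article's command.

write_cfg() {  # $1 = work dir; one config keeps results independent of the system openssl.cnf
  cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:dev.example.test
EOF
}

make_ca() {  # the article's command, plus a subject and CA extensions
  openssl req -x509 -newkey rsa:4096 -days 730 -nodes \
    -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" \
    -config "$1/demo.cnf" -extensions v3_ca -subj "/CN=Example Local Dev CA" 2>/dev/null
}

make_csr() {  # the server generates its own key; only the CSR goes to the CA
  openssl req -new -newkey rsa:2048 -nodes -config "$1/demo.cnf" \
    -keyout "$1/server-key.pem" -out "$1/server.csr" -subj "/CN=dev.example.test" 2>/dev/null
}

sign_csr() {  # the CA decides the extensions (SAN, CA:FALSE), not the requester
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" \
    -CAcreateserial -days 90 -extfile "$1/demo.cnf" -extensions leaf \
    -out "$1/server-cert.pem" 2>/dev/null
}

verify_leaf() {  # $1 = work dir, $2 = hostname the client expects
  openssl verify -CAfile "$1/ca-cert.pem" -verify_hostname "$2" "$1/server-cert.pem" >/dev/null 2>&1
}

WORK=$(mktemp -d)
write_cfg "$WORK" && make_ca "$WORK" && make_csr "$WORK" && sign_csr "$WORK" || exit 1
chmod 600 "$WORK/ca-key.pem" "$WORK/server-key.pem"   # -nodes leaves both keys unencrypted
verify_leaf "$WORK" dev.example.test   && echo "chain + hostname: OK"
verify_leaf "$WORK" other.example.test || echo "wrong hostname: rejected"
openssl verify "$WORK/server-cert.pem" >/dev/null 2>&1 || echo "without the local CA: rejected"
```

Clients accept server-cert.pem only where ca-cert.pem has been added as a trust anchor, so ca-key.pem needs the same protection as any key that can issue certificates trusted by that machine.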