OpenBSD Self-signed SSL Guide
OpenBSD uses LibreSSL by default (the command-line interface is still openssl), and it comes with an easy way to add what are called subject alternative names. Nowadays, some browsers need subject alternative names before they will let you make an exception so you can visit your site.

Simulate a root login if you are not in the root account
su -l (enter root password)

Now, let's generate a private key
openssl genrsa -out /etc/ssl/private/server.key XXXX

XXXX is the key size. Use one of the following: 2048, 4096, or 8192. The higher, the more secure, but the slower the website will run.

Next step is to generate a CSR (certificate signing request)
openssl req -new -key /etc/ssl/private/server.key \
 -out /etc/ssl/private/server.csr

Alright, at this point you can give the .csr to a Certificate Authority for them to sign it. But since this is a self-sign tutorial, we will sign it ourselves. Before we sign it, we need to create a server.ext file that will contain the subject alternative names. Make a server.ext file; it doesn't matter where. For this guide we will make it in our current working directory, so we don't need to include a path to it in the self-signing command. Use your favorite editor to make the file... (I like nano)

nano server.ext

Now put this in the file...

Change to your own domain name. If you are doing this just for a localhost test, then use this instead...

Save and exit. Now let's get to signing the CSR

openssl x509 -extfile server.ext -shaYYY -req -days ZZZ \
 -in /etc/ssl/private/server.csr \
 -signkey /etc/ssl/private/server.key \
 -out /etc/ssl/server.crt

YYY = 256, 384, or 512. The higher, the more secure.
ZZZ = The number of days the SSL certificate will be valid for. This doesn't matter since you can easily re-issue a new self-signed certificate whenever. I usually just put 365.

OK, and we are finished. Be sure to configure your SSL options correctly in your HTTP software. Congratz!
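
Added example (not part of the original guide): the same key, CSR, server.ext and signing steps run end to end, followed by a check that the certificate really carries the subject alternative names and matches the private key. Assumptions: the name example.com, a scratch directory in place of /etc/ssl, the one-line server.ext contents, -subj to skip the interactive prompts, and the three function names.

```shell
#!/bin/sh
# Added example: the guide's key -> CSR -> server.ext -> self-signed cert flow,
# run in a scratch directory so it needs no root. All names are assumptions.

# make_selfsigned DIR NAME: writes server.key/.csr/.ext/.crt into DIR
make_selfsigned() {
    (
        umask 077                       # private key readable by its owner only
        cd "$1" || exit 1
        openssl genrsa -out server.key 2048 2>/dev/null || exit 1
        # -subj answers the interactive prompts of "openssl req -new"
        openssl req -new -key server.key -subj "/CN=$2" -out server.csr || exit 1
        # Assumed server.ext contents: one subjectAltName line
        printf 'subjectAltName = DNS:%s, DNS:www.%s\n' "$2" "$2" > server.ext
        openssl x509 -extfile server.ext -sha256 -req -days 365 \
            -in server.csr -signkey server.key -out server.crt 2>/dev/null
    )
}

# cert_sans CERT: prints the certificate's SAN entries, one per line
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# key_matches_cert CERT KEY: succeeds only if both hold the same RSA modulus
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -modulus) || return 1
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Demo run with a constructed name: prints the SAN list if everything checks out
work=$(mktemp -d) || exit 1
if make_selfsigned "$work" example.com &&
   key_matches_cert "$work/server.crt" "$work/server.key"
then
    cert_sans "$work/server.crt"
fi
rm -rf "$work"
```

If a name you expect is missing from the printed list, correct server.ext and sign the CSR again; the key and CSR do not need to be regenerated.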
