1. Create and trust root CA certificates
# Self-signed root CA: new 4096-bit RSA key, SHA-256 signature, valid 3560 days.
# -nodes writes rootCA.key without a passphrase. Once rootCA.crt is installed as
# a trust anchor, whoever holds rootCA.key can issue certificates this machine
# accepts for any hostname (this command sets no name constraints). Keep the key
# off the web server, and drop -nodes if you want it passphrase-protected.
# NOTE(review): 3560 days is shorter than the 3650 days given to the subdomain
# certificates later on this page -- possibly a typo; confirm the lifetimes.
openssl req -x509 -nodes -sha256 -days 3560 \
  -newkey rsa:4096 \
  -keyout rootCA.key -out rootCA.crt \
  -subj "/CN=*.fazuh/C=US/L=City"
openssl genrsa -out server.key 4096
2. Trust root CA certificates
Archlinux
sudo cp rootCA.crt /etc/ca-certificates/trust-source/anchors/
sudo update-ca-trust
Ubuntu
sudo cp rootCA.crt /usr/local/share/ca-certificates/
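sudo update-ca-certificates
Your device (including your browser) should detect these certificates automatically. Some browsers keep their own certificate store; if one still shows a warning, import rootCA.crt there as well.
To remove the root CA on Arch Linux, delete the rootCA.crt file from /etc/ca-certificates/trust-source/anchors and run sudo update-ca-trust. On Ubuntu, delete it from /usr/local/share/ca-certificates and run sudo update-ca-certificates --fresh.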
2. Create subdomain certificates
Note: Replace <SUBDOMAIN> with your subdomain.
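# Set this to your subdomain. The value is pasted verbatim into the subject and
# SAN below, so use a plain DNS label (no "/", "," or spaces).
SUBDOMAIN="<SUBDOMAIN>"
# CSR for a TLS server certificate, signed with the existing server.key.
# keyUsage is limited to what an RSA TLS server needs (nonRepudiation and
# dataEncipherment are dropped), and extendedKeyUsage=serverAuth restricts the
# certificate to server authentication, which some TLS clients require.
# NOTE(review): every certificate made with this step reuses the same
# server.key, and the SAN also covers the bare "fazuh" name; generate a key per
# host or remove DNS:fazuh if that sharing is not intended.
openssl req -new -key server.key -out "server-${SUBDOMAIN}.csr" \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=${SUBDOMAIN}.fazuh" \
  -addext "subjectAltName=DNS:${SUBDOMAIN}.fazuh,DNS:fazuh" \
  -addext "keyUsage=digitalSignature,keyEncipherment" \
  -addext "extendedKeyUsage=serverAuth" \
  -addext "basicConstraints=CA:FALSE"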
openssl x509 -req -in server-"$SUBDOMAIN".csr \
-CA rootCA.crt -CAkey rootCA.key \
-CAcreateserial -out server-"$SUBDOMAIN".crt \
-days 3650 -sha256 \
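-copy_extensions copy
Note: the -copy_extensions option requires OpenSSL 3.0 or newer; it is what carries the subjectAltName and the other extensions from the CSR into the signed certificate. It copies whatever the CSR requests, so only sign CSRs you created yourself this way, and check the result with openssl x509 -in server-$SUBDOMAIN.crt -noout -text.
Use for nginx: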
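ssl_certificate: server-<subdomain>.crt
ssl_certificate_key: server.key
Only these two files belong on the web server; rootCA.key is not needed there and should stay off it.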
Author notes
ssl_certificate /etc/nginx/ssl/SUBDOMAIN.fazuh/fullchain.cer;
ssl_certificate_key /etc/nginx/ssl/SUBDOMAIN.fazuh/private.key;