Self-signed TLS Certificate in Linux

Sun 21 August 2016 by Thejaswi Puthraya

Today, I had the necessity to embed an iframe on an HTTPS web page, and most browsers now won't allow you to embed an HTTP resource on an HTTPS page, raising the mixed content warning. Since the code was quite experimental, I didn't want to deploy it out of localhost. So I set up a self-signed TLS certificate for localhost that was accepted by the Google Chrome browser.

First, we need to create a key that will be used to sign our certificate. The -camellia256 option encrypts the key file, so you will be prompted for a passphrase, which you can enter for now:

openssl genrsa -camellia256 -out server.key 2048

Let's remove the passphrase from the key now:

cp server.key server.key.orig
openssl rsa -in server.key.orig -out server.key

Next, we need to create a certificate signing request (CSR) with the key created above. Enter the information you are prompted for:

openssl req -new -key server.key -out server.csr

Create a certificate with a validity of 365 days from the above CSR, signed with the same key:

openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt

You can use the above server.key and server.crt in any web server or application of your choice.

Create a single file with the certificate and private key to be added into the store:

cat server.key server.crt > localhost.pem

Finally, add this certificate to the NSS trust store that Chrome reads, so that Chrome doesn't complain:

certutil -d "sql:$HOME/.pki/nssdb" -A -t "C,," -n "localhost" -i localhost.pem

With your self-signed certificate successfully added to the store, your browser shouldn't complain any more.
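
A scripted version of the key, CSR and certificate steps above with checks on the result, added here as an example and not part of the original post: it confirms that server.crt matches server.key, is self-signed, and has the expected validity. The subject /CN=localhost, the scratch directory and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the article. Assumptions: subject "/CN=localhost",
# a scratch directory, and the function names below.

# Run the key, CSR and certificate steps without prompts. $1 = output directory
make_cert() {
    out=$1
    # Unencrypted 2048-bit RSA key: the state after the passphrase is removed.
    openssl genrsa -out "$out/server.key" 2048 2>/dev/null || return 1
    chmod 600 "$out/server.key"   # private key readable by the owner only
    openssl req -new -key "$out/server.key" -subj "/CN=localhost" \
        -out "$out/server.csr" || return 1
    # Self-sign for 365 days with SHA-256, as in the article.
    openssl x509 -req -sha256 -days 365 -in "$out/server.csr" \
        -signkey "$out/server.key" -out "$out/server.crt" 2>/dev/null
}

# True only if the certificate carries the public half of the private key.
cert_matches_key() {   # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# True only if subject and issuer are the same name (self-signed).
is_self_signed() {   # $1 = certificate
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# True if the certificate is still valid $2 seconds from now.
valid_for() {   # $1 = certificate, $2 = seconds
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Demo run in a throwaway directory.
work=$(mktemp -d) && make_cert "$work" &&
    cert_matches_key "$work/server.crt" "$work/server.key" &&
    is_self_signed "$work/server.crt" &&
    valid_for "$work/server.crt" 86400 &&
    echo "key and certificate are consistent"
rm -rf "$work"
```

Running the same three checks against an existing server.key and server.crt catches a certificate paired with the wrong key before it is loaded into a web server or the trust store.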