{"id":854,"date":"2018-10-07T21:35:48","date_gmt":"2018-10-07T18:35:48","guid":{"rendered":"http:\/\/kifarunix.com\/?p=854"},"modified":"2024-03-11T20:09:58","modified_gmt":"2024-03-11T17:09:58","slug":"how-to-create-self-signed-ssl-certificate-with-mkcert-on-ubuntu-18-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-create-self-signed-ssl-certificate-with-mkcert-on-ubuntu-18-04\/","title":{"rendered":"Create Locally Trusted SSL Certificates with mkcert on Ubuntu 18.04"},"content":{"rendered":"\n

Hello folks, welcome to this tutorial on how to create locally trusted SSL certificates with mkcert on Ubuntu 18.04. mkcert is a simple zero-config tool for making locally trusted development certificates. It automatically creates and installs a local CA in the system root store, and generates locally-trusted certificates.<\/p>\n\n\n\n

Creating Locally Trusted SSL Certificates with mkcert<\/h2>\n\n\n\n

Installing mkcert on Ubuntu<\/h3>\n\n\n\n

As a prerequisite, install certutil, a command-line utility that can create and modify certificate and key databases, before you install the mkcert utility.<\/p>\n\n\n\n

sudo apt install libnss3-tools -y<\/code><\/pre>\n\n\n\n

Once certutil is installed, download the current pre-built mkcert binary from the GitHub releases page.<\/p>\n\n\n\n

As of this writing, the current version of mkcert is v1.4.3.<\/p>\n\n\n\n

Download it and install it as shown below:<\/p>\n\n\n\n

wget https:\/\/github.com\/FiloSottile\/mkcert\/releases\/download\/v1.4.3\/mkcert-v1.4.3-linux-amd64<\/code><\/pre>\n\n\n\n
sudo cp mkcert-v1.4.3-linux-amd64 \/usr\/local\/bin\/mkcert<\/code><\/pre>\n\n\n\n
sudo chmod +x \/usr\/local\/bin\/mkcert<\/code><\/pre>\n\n\n\n

Generate Local CA on Ubuntu<\/h3>\n\n\n\n

Now that the mkcert utility is installed, run the command below to generate your local CA.<\/p>\n\n\n\n

mkcert -install<\/code><\/pre>\n\n\n\n
The local CA is now installed in the system trust store! \u26a1\ufe0f\nThe local CA is now installed in the Firefox and\/or Chrome\/Chromium trust store (requires browser restart)! \ud83e\udd8a<\/code><\/pre>\n\n\n\n

The root CA is stored under $HOME\/.local\/share\/mkcert.<\/p>\n\n\n\n

You can print the root CA directory by running the command below.<\/p>\n\n\n\n

mkcert -CAROOT<\/code><\/pre>\n\n\n\n
\/home\/amos\/.local\/share\/mkcert<\/code><\/pre>\n\n\n\n

If you encounter the error:<\/p>\n\n\n\n

ERROR: no Firefox and\/or Chrome\/Chromium security databases found<\/code><\/pre>\n\n\n\n

Just launch the browsers and re-run the install command.<\/p>\n\n\n\n

Creating Locally Trusted SSL Certificates with mkcert<\/h3>\n\n\n\n

Now that you have your local CA, run the command below to generate local SSL certificates using the mkcert command.<\/p>\n\n\n\n

mkcert kifarunix-demo.com '*.kifarunix-demo.com' localhost 127.0.0.1 ::1<\/code><\/pre>\n\n\n\n

Sample command output:<\/p>\n\n\n\n

\nCreated a new certificate valid for the following names \ud83d\udcdc\n - \"kifarunix-demo.com\"\n - \"*.kifarunix-demo.com\"\n - \"localhost\"\n - \"127.0.0.1\"\n - \"::1\"\n\nReminder: X.509 wildcards only go one level deep, so this won't match a.b.kifarunix-demo.com \u2139\ufe0f\n\nThe certificate is at \".\/kifarunix-demo.com+4.pem\" and the key at \".\/kifarunix-demo.com+4-key.pem\" \u2705\n\nIt will expire on 31 August 2023 \ud83d\uddd3\n<\/code><\/pre>\n\n\n\n

The certificate and key are now in the current working directory:<\/p>\n\n\n\n

ls -1 .\/kifarunix-demo.com+*<\/code><\/pre>\n\n\n\n
 .\/kifarunix-demo.com+4-key.pem\n .\/kifarunix-demo.com+4.pem<\/code><\/pre>\n\n\n\n

Enable Web Server HTTPS using the Certificates<\/h3>\n\n\n\n

The certificates are now generated, and it is time to enable your web server to use them for HTTPS connections.<\/p>\n\n\n\n

To configure Apache to use these certificates, edit the default SSL configuration file, \/etc\/apache2\/sites-available\/default-ssl.conf, and change the SSL certificate and key file paths to point to the locally generated certificate and key files above.<\/p>\n\n\n\n

See the example below. Note that the certificates are in my home directory.<\/p>\n\n\n\n

Be sure to replace the paths accordingly.<\/strong><\/p>\n\n\n\n

sudo sed -i 's#\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem#\/home\/koromicha\/kifarunix-demo.com+4.pem#; s#\/etc\/ssl\/private\/ssl-cert-snakeoil.key#\/home\/koromicha\/kifarunix-demo.com+4-key.pem#' \/etc\/apache2\/sites-available\/default-ssl.conf<\/code><\/pre>\n\n\n\n

To verify the change:<\/p>\n\n\n\n

grep -E \"SSLCertificateFile|SSLCertificateKeyFile\" \/etc\/apache2\/sites-available\/default-ssl.conf<\/code><\/pre>\n\n\n\n
\t\t#   SSLCertificateFile directive is needed.\n\t\tSSLCertificateFile\t\/home\/koromicha\/kifarunix-demo.com+4.pem\n\t\tSSLCertificateKeyFile \/home\/koromicha\/kifarunix-demo.com+4-key.pem\n\t\t#   the referenced file can be the same as SSLCertificateFile<\/code><\/pre>\n\n\n\n

Enable the Apache SSL module and the default SSL site:<\/p>\n\n\n\n

sudo a2enmod ssl<\/code><\/pre>\n\n\n\n
sudo a2ensite default-ssl.conf<\/code><\/pre>\n\n\n\n

Restart Apache to activate the new configuration:<\/p>\n\n\n\n

sudo systemctl restart apache2<\/code><\/pre>\n\n\n\n

Verify Local SSL Certs generated with mkcert<\/h3>\n\n\n\n

Navigate to the browser and try to access your domain.<\/p>\n\n\n\n

I am using the local hosts file for my DNS entries.<\/p>\n\n\n\n

Enable the Certificates for Nginx Web Server<\/h3>\n\n\n\n

Create your web page configuration as shown below.<\/p>\n\n\n\n

Replace the paths to the certificate and key accordingly.<\/strong><\/p>\n\n\n\n

vim \/etc\/nginx\/sites-available\/example.com<\/code><\/pre>\n\n\n\n
\nserver {\n    listen 80;\n    # The ssl parameter on listen enables TLS for port 443 only.\n    # The deprecated ssl on; directive would also force TLS on port 80, so it is omitted.\n    listen 443 ssl;\n\n    ssl_certificate \/home\/koromicha\/kifarunix-demo.com+4.pem;\n    ssl_certificate_key \/home\/koromicha\/kifarunix-demo.com+4-key.pem;\n\n    server_name example.com;\n    location \/ {\n        root \/var\/www\/html\/example;\n        index index.html;\n    }\n}\n<\/code><\/pre>\n\n\n\n

Verify that the configuration has no errors.<\/p>\n\n\n\n

nginx -t<\/code><\/pre>\n\n\n\n
nginx: the configuration file \/etc\/nginx\/nginx.conf syntax is ok\nnginx: configuration file \/etc\/nginx\/nginx.conf test is successful<\/code><\/pre>\n\n\n\n

Restart Nginx:<\/p>\n\n\n\n

systemctl restart nginx<\/code><\/pre>\n\n\n\n

Navigate to the browser and test HTTPS for your domain.<\/p>\n\n\n\n

Well, so far everything seems fine.<\/p>\n\n\n\n

And that concludes our guide on how to create locally trusted SSL certificates with mkcert on Ubuntu 18.04.<\/p>\n\n\n\n

For more mkcert usage information, run:<\/p>\n\n\n\n

mkcert --help<\/code><\/pre>\n\n\n\n

","protected":false},"excerpt":{"rendered":"

Hello folks, welcome to this very tutorial on how to create locally trusted SSL certificates with mkcert on Ubuntu 18.04. mkcert is a simple zero-config tool<\/p>\n","protected":false},"author":1,"featured_media":8955,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,159,1187],"tags":[6678,3600,160,166,6679,3607,167,165],"class_list":["post-854","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-encryption","category-ssl-tls","tag-create-self-signed-ssl-certs-with-mkcert","tag-create-ssl-with-mkcert","tag-encryption","tag-https","tag-install-mkcert-on-ubuntu-linux","tag-locally-trusted-ssl-with-mkcert","tag-mkcert","tag-ssl","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/854"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=854"}],"version-history":[{"count":8,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/854\/revisions"}],"predecessor-version":[{"id":21043,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/854\/revisions\/21043"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/8955"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=854"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=854"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=854"}],"curies":
[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}