openssl ca, key, csr and crt

CA private key

openssl genrsa -out ca.key 2048

This one is private and should be kept in safe

CA certificate

# CA certificate
#   Country Name (2 letter code) []:UA
#   State or Province Name (full name) []:Kiev
#   Locality Name (eg, city) []:Kiev
#   Organization Name (eg, company) []:mac-blog.org.ua
#   Organizational Unit Name (eg, section) []:ca
#   Common Name (eg, fully qualified host name) []:mac-blog.org.ua
#   Email Address []:[email protected]
openssl req -x509 -new -key ca.key -out ca.crt -days 10000

This one should be shared and added to a trusted root certificates, so all certificates signed with private CA key created in previous step will be trusted

Private key

openssl genrsa -out cert.key 2048

Private key for our service

Certificate Signing Request (CSR)

# Certificate Signing Request
#   Country Name (2 letter code) []:UA
#   State or Province Name (full name) []:Kiev
#   Locality Name (eg, city) []:Kiev
#   Organization Name (eg, company) []:mac-blog.org.ua
#   Organizational Unit Name (eg, section) []:foo
#   Common Name (eg, fully qualified host name) []:foo.mac-blog.org.ua
#   Email Address []:[email protected]
openssl req -new -key cert.key -out cert.csr

This one is not a certificate yet and usually is sent to certification authority for signing, but in our case we are CA

Sign certificate with CA

openssl x509 -req -in cert.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cert.crt -days 100

Check whats inside

openssl x509 -in cert.crt -text

Test

default.conf

server {
    listen              80;
    listen              443 ssl;
    server_name         foo.marchenko.net.ua;
    ssl_certificate     cert.crt;
    ssl_certificate_key cert.key;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}

docker run -it --rm -p 80:80 -p 443:443 -v $PWD/cert.crt:/etc/nginx/cert.crt -v $PWD/cert.key:/etc/nginx/cert.key -v $PWD/default.conf:/etc/nginx/conf.d/default.conf nginx:alpine

And now we can test if everything is ok

curl -v --cacert ca.crt --resolve foo.mac-blog.org.ua:443:127.0.0.1 https://foo.mac-blog.org.ua

Note how we are passing CA certificate which is safe to share to curl so it will recognize certificate and wont complain that it is self signed

To make real certificates it is better to use letsencrypt or cloudflare

The same thing but with SAN