Wildcard Self Signed Certificate for your Homelab or other internal projects...
I've been on a homelab kick as of late and get annoyed by the constant barrage of browsers warning me that the site I'm going to isn't safe. There are a few ways to skin this potato, but I'm going to go with a self-signed wildcard certificate signed by a self-signed certificate authority. I'll apply the cert to the servers/services or to my Nginx Proxy Manager to handle the certificate side of things, and add the CA to the Trusted Root Certificate Authority store on my computer(s).
I'm running all of these commands on a stock Alpine Linux VM with curl and bash installed, but you'll be able to do this on most Linux distros. Windows 10 information is below as well.
NOTE: This creates a certificate for homelab.local and *.homelab.local. Feel free to change to a domain that reflects your own setup/needs.
Create the CA Certificate
First the Key to sign the CA with:
openssl genrsa -des3 -out homelabCA.key 4096
When issuing this command, you'll need to enter a pass phrase. I used Bitwarden to generate a 32 character one, but you can do as you wish.
Create a CA Certificate with the newly created CA Key.
openssl req -new -x509 -days 3650 -key homelabCA.key -out homelabCA.crt
You'll be asked some questions here. Enter them as you wish, or hit enter all the way through. Your choice.
Now you have a self-signed CA key and certificate.
Self Signed Wildcard Certificate
From here we need to create a wildcard key for our homelab domain (homelab.local).
openssl genrsa -out wildcard.key 2048
For the next step you need to create a config file for the CSR process. I created mine and saved it as wildcard.cnf and it looks like this:
[req]
default_md = sha256
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name
[req_distinguished_name]
commonName = *.homelab.local
countryName = US
stateOrProvinceName = IA
localityName = SmallTown
organizationName = HomeLab
[req_ext]
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=critical,serverAuth,clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=homelab.local
DNS.2=*.homelab.local
Now create the CSR from the template and the previously created key with:
openssl req -new -nodes -key wildcard.key -config wildcard.cnf -out wildcard.csr
Sign the Wildcard Certificate with the SelfSignedCA
Sign the wildcard CSR with the self-signed CA certificate and key, applying the req_ext section of wildcard.cnf so the SAN and key usage extensions from the CSR config end up in the issued certificate.
openssl x509 -req -in wildcard.csr -CA homelabCA.crt -CAkey homelabCA.key -CAcreateserial -out wildcard.crt -days 1024 -sha256 -extfile wildcard.cnf -extensions req_ext
You should have a good number of files now as shown below:
root@web1:/root/ssl# ls
wildcard.cnf homelabCA.crt homelabCA.key homelabCA.srl wildcard.crt wildcard.csr wildcard.key
Make the SelfSignedCA Trusted by your browsers/computers
Import homelabCA.crt into your Trusted Root Certificate Authorities store (only the certificate; homelabCA.key stays on the box that signs certificates and is never handed to browsers or other machines) and use wildcard.crt and wildcard.key for your servers/services and/or proxy.
As long as you have your DNS up to snuff, you should be able to navigate to your apps with https://appname.homelab.local and not be annoyed with yet another warning.
tl;dr: here's a lazy script that does all of this for you; you just need to enter your pass phrase and answer the usual certificate questions, then move the certificates/keys to their respective places (proxy, app/service, Trusted Root CA, etc.)
#!/bin/bash
set -e
# CA key (you will be prompted for a pass phrase) and self-signed CA certificate
openssl genrsa -des3 -out homelabCA.key 4096
openssl req -new -x509 -days 3650 -key homelabCA.key -out homelabCA.crt
# Wildcard key and the CSR config from above (written fresh each run, not appended)
openssl genrsa -out wildcard.key 2048
cat > wildcard.cnf <<'EOF'
[req]
default_md = sha256
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name
[req_distinguished_name]
commonName = *.homelab.local
countryName = US
stateOrProvinceName = IA
localityName = SmallTown
organizationName = HomeLab
[req_ext]
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=critical,serverAuth,clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=homelab.local
DNS.2=*.homelab.local
EOF
# CSR, a dump of it so you can eyeball the SAN, then the signed wildcard cert
openssl req -new -nodes -key wildcard.key -config wildcard.cnf -out wildcard.csr
openssl req -noout -text -in wildcard.csr
openssl x509 -req -in wildcard.csr -CA homelabCA.crt -CAkey homelabCA.key -CAcreateserial -out wildcard.crt -days 1024 -sha256 -extfile wildcard.cnf -extensions req_ext
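Before trusting the CA anywhere, it is worth checking what the steps above actually produced. The script below is an added example, not part of the original post: it rebuilds the same CA + wildcard chain in a scratch directory (without a pass phrase, so it runs unattended) and then checks that the leaf chains to the CA, that both names are in the SAN, that wildcard.key matches wildcard.crt, and that only the root carries CA:TRUE. The function names and the "Homelab Test CA" subject are my own.

```shell
#!/bin/bash
# Added check script, not from the original post: builds a throwaway copy of the
# CA + wildcard chain (no pass phrase, so it runs unattended) in a scratch dir,
# then runs the checks worth doing before you trust the CA anywhere.
set -eu

make_lab_pki() {   # $1 = empty work dir
  local d="$1"
  openssl genrsa -out "$d/homelabCA.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$d/homelabCA.key" \
    -subj "/CN=Homelab Test CA" -out "$d/homelabCA.crt"
  openssl genrsa -out "$d/wildcard.key" 2048 2>/dev/null
  cat > "$d/wildcard.cnf" <<'EOF'
[req]
default_md = sha256
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name
[req_distinguished_name]
commonName = *.homelab.local
[req_ext]
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=critical,serverAuth,clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=homelab.local
DNS.2=*.homelab.local
EOF
  openssl req -new -key "$d/wildcard.key" -config "$d/wildcard.cnf" -out "$d/wildcard.csr"
  openssl x509 -req -in "$d/wildcard.csr" -CA "$d/homelabCA.crt" -CAkey "$d/homelabCA.key" \
    -CAcreateserial -days 1024 -sha256 -extfile "$d/wildcard.cnf" -extensions req_ext \
    -out "$d/wildcard.crt" 2>/dev/null
}

verify_lab_pki() {   # $1 = dir from make_lab_pki; returns 0 only if every check passes
  local d="$1" san
  # 1. The leaf chains to the CA you are about to trust
  openssl verify -CAfile "$d/homelabCA.crt" "$d/wildcard.crt" >/dev/null || return 1
  # 2. Both names are in the SAN; browsers ignore the CN for host matching
  san=$(openssl x509 -in "$d/wildcard.crt" -noout -ext subjectAltName)
  case "$san" in *"DNS:homelab.local"*"DNS:*.homelab.local"*) ;; *) return 1 ;; esac
  # 3. wildcard.key really belongs to wildcard.crt (same public key)
  [ "$(openssl pkey -in "$d/wildcard.key" -pubout | openssl sha256)" = \
    "$(openssl x509 -in "$d/wildcard.crt" -noout -pubkey | openssl sha256)" ] || return 1
  # 4. The leaf must not be a CA, and the root must be (req -x509 sets CA:TRUE by default)
  openssl x509 -in "$d/wildcard.crt" -noout -ext basicConstraints 2>/dev/null | grep -q CA:TRUE && return 1
  openssl x509 -in "$d/homelabCA.crt" -noout -ext basicConstraints | grep -q CA:TRUE || return 1
  return 0
}
```

Run the same verify_lab_pki checks against the real directory from the steps above (with the pass-phrase-protected key you will be prompted once) before importing homelabCA.crt anywhere.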
Windows 10 via Powershell
I won't write up the whole thing, as it's largely the same, but I did have to install OpenSSL via winget and add it to PATH before it worked. Here's the script (save as a .ps1):
winget install ShiningLight.OpenSSL.Light
$env:PATH += ";C:\Program Files\OpenSSL-Win64\bin"
openssl genrsa -des3 -out homelabCA.key 4096
openssl req -new -x509 -days 3650 -key homelabCA.key -out homelabCA.crt
openssl genrsa -out wildcard.key 2048
New-Item -Path "wildcard.cnf" -ItemType File -Value "
[req]
default_md = sha256
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name
[req_distinguished_name]
commonName = *.homelab.local
countryName = US
stateOrProvinceName = IA
localityName = SmallTown
organizationName = HomeLab
[req_ext]
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=critical,serverAuth,clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=homelab.local
DNS.2=*.homelab.local
"
openssl req -new -nodes -key wildcard.key -config wildcard.cnf -out wildcard.csr
openssl req -noout -text -in wildcard.csr
openssl x509 -req -in wildcard.csr -CA homelabCA.crt -CAkey homelabCA.key -CAcreateserial -out wildcard.crt -days 1024 -sha256 -extfile wildcard.cnf -extensions req_ext