This article explains how to create a self-signed certificate with OpenSSL and how to trust the CA in the browser.

Step 1 – Create the Root CA self-signed certificate

The first stage is to create the private key and the certificate for the Root CA.

Private Key:
This passphrase will later be used when signing certificates; it can be left empty.

$ openssl genrsa -des3 -out rootCA.key 2048

Output:

Generating RSA private key, 2048 bit long modulus (2 primes)
.........................+++++
............................+++++
e is 65537 (0x010001)
Enter pass phrase for rootCA.key:
Verifying - Enter pass phrase for rootCA.key:

Certificate:
Fill in the important fields.

$ openssl req -new -x509 -days 3650 -key rootCA.key -out rootCA.crt

Output:

Enter pass phrase for rootCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ID
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:Enkrispi
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Enkrispi Root CA
Email Address []:

Step 2 – Create a CSR for the certificate request

Private Key:
Create the private key for the domain; add the -des3 flag if you want the key encrypted.

$ openssl genrsa -out domainku.key 2048

Output:

Generating RSA private key, 2048 bit long modulus (2 primes)
..........+++++
............................................................................+++++
e is 65537 (0x010001)

Certificate Signing Request (CSR)
We need to create a CSR to request a certificate from the CA. The CSR contains the public key and some additional information. Make sure the Common Name field is set to the domain that will be used.

$ openssl req -new -key domainku.key -out domainku.csr

Output:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ID
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:Internal Servers
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:domainku.lan
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 3 – Sign the CSR with the Root CA private key

Create a file for the SAN extension. SAN (Subject Alternative Name) is the part of an SSL certificate that allows one certificate to be used for several domain names or subdomains.

$ nano domainku.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = domainku.lan

Then sign the CSR with the Root CA private key created in the first step, passing the extension file with the -extfile flag so the SAN extension is included.

$ openssl x509 -req -days 365 -CAcreateserial -CA rootCA.crt -CAkey rootCA.key -in domainku.csr -out domainku.crt -extfile domainku.ext

Output:

Signature ok
subject=C = ID, L = Default City, O = Internal Servers, CN = domainku.lan
Getting CA Private Key
Enter pass phrase for rootCA.key:

At this point the certificate can already be used on the server that serves the domain domainku.lan.

Chain Certificate
Combine the issued domain certificate and the root CA certificate into one file; this is the file that will be used on the server.

$ cat domainku.crt rootCA.crt > domainku_chain.crt
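Steps 1 to 3 and the chain file, written as an added shell example (not from the original article) that runs non-interactively and then checks the result the way you would before copying it to the server. It assumes openssl 1.1.1 or newer on PATH and reuses the article's file names; -nodes leaves the keys unencrypted so no passphrase prompt appears, whereas the article's -des3 variant protects the root key with one.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Assumes: openssl >= 1.1.1 on PATH; file names rootCA.* and domainku.* as in the article.
set -eu

# make_chain DIR DOMAIN : build the root CA, the leaf key/CSR, sign with SAN, write the chain
make_chain() {
    dir=$1; domain=$2
    mkdir -p "$dir"
    # Step 1: root CA key + self-signed certificate (-subj replaces the interactive DN prompts)
    openssl req -x509 -sha256 -days 3650 -newkey rsa:2048 -nodes \
        -keyout "$dir/rootCA.key" -out "$dir/rootCA.crt" \
        -subj "/C=ID/O=Enkrispi/CN=Enkrispi Root CA" >/dev/null 2>&1
    # Step 2: leaf key + CSR, Common Name set to the domain
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/domainku.key" -out "$dir/domainku.csr" \
        -subj "/C=ID/O=Internal Servers/CN=$domain" >/dev/null 2>&1
    # Step 3: SAN extension file, then sign the CSR with the root key
    printf 'authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nsubjectAltName=@alt_names\n[alt_names]\nDNS.1 = %s\n' \
        "$domain" > "$dir/domainku.ext"
    openssl x509 -req -days 365 -sha256 -CAcreateserial \
        -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" \
        -in "$dir/domainku.csr" -out "$dir/domainku.crt" \
        -extfile "$dir/domainku.ext" >/dev/null 2>&1
    # chain file: leaf first, then the root, as the article does
    cat "$dir/domainku.crt" "$dir/rootCA.crt" > "$dir/domainku_chain.crt"
}

# verify_chain DIR DOMAIN : returns 0 only if the leaf chains to the root, carries the
# expected SAN, is not itself a CA, and its public key matches the private key
verify_chain() {
    dir=$1; domain=$2
    # 1. the leaf must validate against the root we intend to import into the browser
    openssl verify -CAfile "$dir/rootCA.crt" "$dir/domainku.crt" >/dev/null || return 1
    # 2. the SAN must list the domain; browsers no longer fall back to the CN
    openssl x509 -noout -ext subjectAltName -in "$dir/domainku.crt" | grep -q "DNS:$domain" || return 1
    # 3. a leaf certificate must not be able to sign further certificates
    openssl x509 -noout -ext basicConstraints -in "$dir/domainku.crt" | grep -q 'CA:FALSE' || return 1
    # 4. the key you copy to the server must be the one the certificate was issued for
    cert_pub=$(openssl x509 -noout -pubkey -in "$dir/domainku.crt" | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$dir/domainku.key" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}
```

Run `make_chain ./pki domainku.lan && verify_chain ./pki domainku.lan`; a non-zero exit tells you which file is wrong before Nginx does. After deployment, `openssl s_client -connect domainku.lan:443 -servername domainku.lan -CAfile rootCA.crt` should report `Verify return code: 0 (ok)`, which is the same trust decision the browser makes once the root has been imported.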

Testing

Applying it on Nginx as a reverse proxy

Copy domainku_chain.crt and domainku.key to the server where the certificate will be installed.

$ scp -P1622 domainku.key domainku_chain.crt root@domainku.lan:/etc/ssl
root@domainku.lan's password:
domain.key                                                                                                              100% 1743     1.2MB/s   00:00
domain_chain.crt                                                                                                        100% 2542     1.4MB/s   00:00

SSL configuration on Nginx

$ nano /etc/nginx/sites-available/grafana

File contents

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    server_name domainku.lan;

    listen [::]:80 default_server ipv6only=off;
    return 301 https://$host$request_uri;
}

server {
    server_name domainku.lan;

    # the chain file (leaf + root CA) copied to /etc/ssl above
    ssl_certificate /etc/ssl/domainku_chain.crt;
    ssl_certificate_key /etc/ssl/domainku.key;

    listen [::]:443 ssl default_server ipv6only=off;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    ssl_protocols TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    proxy_buffering off;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

Symlink it into sites-enabled/

$ ln -s /etc/nginx/sites-available/grafana /etc/nginx/sites-enabled/

Restart the service

$ service nginx restart

Open the URL in the browser: it shows "Not secure" with the error NET::ERR_CERT_AUTHORITY_INVALID.

The certificate has been loaded successfully.

To get rid of this error we need to trust the root CA in the browser.

In Microsoft Edge go to Settings > Privacy, search, and services > Manage Certificates, select the Trusted Root Certification Authorities tab and click Import; at the file step choose the rootCA.crt created earlier, then click Next until the success pop-up appears.

In the Trusted Root Certification Authorities list, make sure our Root CA now appears.

Refresh the domainku.lan page and voilà, the error message is gone.

Notes

  1. View the contents of a certificate file
    $ openssl x509 -noout -text -in domainku.crt
  2. Create the private key and the CSR in one command
    $ openssl req -newkey rsa:2048 -nodes -keyout domainku.key -out domainku.csr
  3. Create the Root CA private key and certificate in one command
    $ openssl req -x509 -sha256 -days 1825 -newkey rsa:2048 -keyout rootCA.key -out rootCA.crt
Last modified: January 15, 2025
