If your request is for a domain that ends in ".dev", it will be automatically signed and you will be able to download the certificate immediately. Otherwise, the request will require approval and you will receive an email with your signed certificate after it is complete.
(Make sure to include your email address when you generate the CSR, so that the system knows where to send your signed certificate!)
Generate a private key:
openssl genrsa -des3 -out server.pem 2048
Create an OpenSSL config file with your CSR details, e.g.
[ req ] default_bits = 2048 default_keyfile = server.pem distinguished_name = req_distinguished_name req_extensions = req_exts [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = US countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Oregon localityName = Locality Name (eg, city) localityName_default = Portland 0.organizationName = Organization Name (eg, company) 0.organizationName_default = IndieWeb emailAddress = Email Address emailAddress_max = 64 emailAddress_default = firstname.lastname@example.org commonName = Common Name (e.g. server FQDN or YOUR name) commonName_max = 64 commonName_default = example.dev [ req_exts ] subjectAltName = @alt_names extendedKeyUsage = serverAuth [ alt_names ] DNS.1 = *.example.dev DNS.2 = *.example.net
Generate a certificate signing request (CSR)
openssl req -new -sha256 -key server.pem -config csr.conf -out request.csr
View a CSR's details
openssl req -text -noout -verify -in request.csr
View a certificate
openssl x509 -in example.dev.crt -text -noout
In order to avoid the SSL certificate warning from your browser when visiting a site that uses your new certificate, you'll need to add the IndieWebCamp certificate authority to your system.
Opening this file on OS X will prompt you to add it to your keychain. Once you do that, your browser should recognize any site signed by this root certificate.
add to ubuntu
By Aaron Parecki