Here are all the steps I followed to create an SSL certificate for the API. Here's an outline of the same:
- Generate a Certificate Authority - we import the generated file to Chrome and add it to our Trusted Root Certificates
- Create a Private Key - this is what we use to "sign" a new certificate signing request
- Create a Certificate Signing Request - done using the Private Key
- Create a Config File - sets up DNS stuff for localhost
- Generate a Public Certificate - signed with Private Key and by Certificate Authority
- Forward Secrecy - from NodeJS documentation using Diffie-Hellman key-agreement protocol
IMPORTANT NOTE: if you're prompted for a Common Name in any of the following commands, enter localhost
Use Node version 16.10.0. This ensures TLS v1.3 is enforced (better security).
- Check version using
node --version
- Switch version using
nvm use 16.10.0
- Install it using
nvm i 16.10.0
All OpenSSL-related tasks will occur in a folder titled certs
in this repo. Run the following commands to set it up:
mkdir certs
cd certs
Let's proceed with the steps to generate a Root CA and certificate.
Step 1: Generate a Private Key
openssl genrsa -out rootCAKey.pem 4096
Step 2: Generate a Self-Signed Root Certificate Authority
openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 -out rootCACert.pem
Step 3: Generate a Server Private Key and a Certificate Signing Request
openssl genrsa -out server-key.pem 4096
openssl req -new -key server-key.pem -out server-csr.pem
Step 4: Create a Config File
touch v3.ext
nano v3.ext
This file can help "resolve" the DNS to localhost. I was facing the issue before where it said it couldn't verify the 'Common Name' of the certificate. I tried using 127.0.0.1, localhost, localhost:3001, https://localhost:3001, and so on; however, that didn't resolve it. The following solution helps get around that.
This will create a new file v3.ext and open a text editor. Add the following contents to the file:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
Exit the file by pressing Ctrl X followed by y to save the changes.
You can also add an IP address to alt_names in the following way:
IP.1 = 0.0.0.0
Step 5: Generate a Public Certificate
Using this extensions file, we'll finally generate a public certificate, signed with the CA's private key:
openssl x509 -req -in server-csr.pem -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out server-cer.pem -days 500 -sha256 -extfile v3.ext
You can inspect the resulting certificate (including the subjectAltName entries from v3.ext) with:
openssl x509 -in server-cer.pem -text -noout
Step 6: Forward Secrecy
Intense security stuff that's apparently good. This is from the NodeJS documentation and generates Diffie-Hellman key-agreement parameters:
openssl dhparam -outform PEM -out dhparam.pem 2048