For some of my own subdomains, I use my own CA to sign the certificates. With this CA installed I can be assured that the site I am connecting to is either approved by a Globally Trusted CA, or that I've signed it myself. This is an added bonus on top of everything being encrypted in transport.
By installing this certificate you place absolute trust in me not to MITM your connections to facebook, gmail, natwest, etc. and also that I will not allow the CA key to be compromised. I will obviously conduct best effort but no guarantees exist.
PEM Certificate: philcrumpCA.cert.pem
DER Certificate: philcrumpCA.crt
Installing the Certificate in Chrome
- Download the PEM Certificate File from the top of this page
- Settings -> Show Advanced Settings -> HTTPS/SSL -> Click Manage Certificates
- Authorities -> Click Import -> Select the PEM file -> Tick Trust this certificate for identifying websites -> OK
Try the website again; the certificate should now be trusted.
You can remove the certificate at any time, which removes the trust.
Installing the Certificate in Android
Due to the mandatory lockscreen after installing credentials on Android, I have not yet attempted this.
However I've found instructions here: jethrocarr.com/2012/01/04/custom-ca-certificates-and-android/
And some instructions on using root to bypass the mandatory lockscreen here: wiki.pcprobleemloos.nl/android/cacert
Process for signing a new SSL cert
Generate SSL Key
openssl genrsa -out <hostname>.key.pem 4096
Generate Signing Request
openssl req -sha256 -new -key <hostname>.key.pem -out <hostname>.csr.pem
Sign the Request with the CA files
openssl ca -keyfile philcrumpCA.key.pem -cert philcrumpCA.cert.pem -extensions usr_cert -notext -md sha256 -in <hostname>.csr.pem -out <hostname>.cert.pem
Nginx config segment
...
listen 443 ssl spdy;
listen [::]:443 ssl spdy;
spdy_headers_comp 4;
server_name <fullhostname>;
add_header Strict-Transport-Security 'max-age=31536000';
keepalive_timeout 240;
ssl_certificate /etc/nginx/ssl/<hostname>.cert.pem;
ssl_certificate_key /etc/nginx/ssl/<hostname>.key.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 48h;
ssl_buffer_size 4k;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
...
Process for creating the CA files
Generate the key, then use it to create the certificate. Keep the keyfile safe.
openssl genrsa -aes256 -out CA.key.pem 4096
chmod 400 CA.key.pem
openssl req -new -x509 -days 3650 -key CA.key.pem -sha256 -extensions v3_ca -out CA.cert.pem
Before signing any certificates, the directory for the CA index store has to be set up.
mkdir -p ./demoCA/newcerts
echo "01" > demoCA/serial
touch demoCA/index.txt
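The CA creation steps above and the signing steps further up, run end to end and then checked the way a client would check them. This is an added example, not code from the original page: it assumes a private openssl config in place of the system openssl.cnf (so that the "v3_ca" and "usr_cert" sections exist), leaves the CA key without a passphrase so it runs unattended (the page's -aes256 prompts for one), uses 2048-bit keys to keep it quick, and all directory, CA and host names are placeholders.

```shell
# Added example (not the page's own code): the page's CA + signing procedure run
# non-interactively, then verified. Assumptions: a private openssl config stands
# in for the system openssl.cnf, the CA key is unencrypted (page uses -aes256),
# keys are 2048-bit (page uses 4096), and all names/paths are placeholders.
set -eu
write_ca_config() {  # $1 = absolute working directory for the CA
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = example_ca
[ example_ca ]
dir = $1/demoCA
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
default_days = 365
policy = policy_cn
copy_extensions = copy
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ usr_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
}
# Builds the CA in $1 and signs a cert for hostname $2. Returns 0 only if the
# leaf chains to the CA, names the host in its SAN and is not itself a CA.
sign_and_verify() {
    d=$1; host=$2; cfg=$1/ca.cnf
    write_ca_config "$d" || return 1
    mkdir -p "$d/demoCA/newcerts" && echo "01" > "$d/demoCA/serial" && : > "$d/demoCA/index.txt" || return 1
    openssl genrsa -out "$d/CA.key.pem" 2048 2>/dev/null && chmod 400 "$d/CA.key.pem" || return 1
    openssl req -new -x509 -days 3650 -key "$d/CA.key.pem" -sha256 -config "$cfg" \
        -extensions v3_ca -subj "/CN=Example Test CA" -out "$d/CA.cert.pem" || return 1
    openssl genrsa -out "$d/$host.key.pem" 2048 2>/dev/null || return 1
    openssl req -sha256 -new -key "$d/$host.key.pem" -config "$cfg" -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" -out "$d/$host.csr.pem" || return 1
    openssl ca -config "$cfg" -batch -keyfile "$d/CA.key.pem" -cert "$d/CA.cert.pem" \
        -extensions usr_cert -notext -md sha256 -in "$d/$host.csr.pem" \
        -out "$d/$host.cert.pem" || return 1
    openssl verify -CAfile "$d/CA.cert.pem" "$d/$host.cert.pem" || return 1
    leaf=$(openssl x509 -in "$d/$host.cert.pem" -noout -text) || return 1
    printf '%s\n' "$leaf" | grep -q "DNS:$host" && printf '%s\n' "$leaf" | grep -q 'CA:FALSE'
}
```

Run it as `sign_and_verify "$(mktemp -d)" www.example.invalid`; the final checks matter because a leaf signed with the wrong extension section (e.g. v3_ca instead of usr_cert) would still verify yet could itself sign certificates that your CA trust would accept.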