HTTPS certificate

Prerequisites

OpenSSL

Depending on the platform, download and install the latest version of OpenSSL:

  1. Download OpenSSL from fireDeamon
  2. Install OpenSSL in a directory (where you want, e.g. C:\program files\fireDeamon\openssl)

Install OpenSSL using the package manager (Debian/Ubuntu Linux):

    sudo apt-get update
    sudo apt-get install openssl

On macOS:

  1. If Homebrew is not already installed, install it first:

    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
    
  2. Install OpenSSL using Homebrew:

    brew install openssl
    

Create the certificate authority (CA)

Instead of having the certificate issued by a commercial certificate authority, we'll generate our own CA.

Warning

We assume that OpenSSL is in the system PATH; otherwise, prefix all the following commands with the path to the OpenSSL binary.

  1. Create a certificates/CA directory:

    On Windows:

    1. Open a DOS terminal (command prompt)
    2. Create a packager\certificates\CA directory

      mkdir C:\packager\certificates\CA
      
    3. Change to this directory

      cd C:\packager\certificates\CA
      
    On Linux:

    1. Open a terminal
    2. Create a packager/certificates/CA directory (the -p flag also creates the missing parent directories)

      mkdir -p ~/packager/certificates/CA
      
    3. Change to this directory

      cd ~/packager/certificates/CA
      
    On macOS:

    1. Open a terminal
    2. Create a packager/certificates/CA directory (the -p flag also creates the missing parent directories)

      mkdir -p $HOME/Desktop/packager/certificates/CA
      
    3. Change to this directory

      cd $HOME/Desktop/packager/certificates/CA
      
  2. Generate the private key:

    > openssl genrsa -des3 -out ./avatarCA.key 2048
    

    During generation, a passphrase is requested (e.g. avatar). It will be needed later to sign the host certificates.
    You can enter whatever you want, but remember it!

    Expected result:

    Generating RSA private key, 2048 bit long modulus (2 primes)
    ........................................................................+++++
    ..........................................+++++
    e is 65537 (0x010001)
    Enter pass phrase for avatarCA.key:
    Verifying - Enter pass phrase for avatarCA.key:
    
  3. Generate the root certificate in .pem format:

    > openssl req -x509 -new -nodes -key ./avatarCA.key -sha256 -days 10000 -out ./avatarCA.pem
    

    The certificate is generated for a period of 10,000 days.
    At generation time, the passphrase of the key created in the previous step is requested.
    A number of questions are then asked; answer them as follows:

    Enter the Country, State and Locality as you wish.
    Enter avatar for the Organization Name and the Common Name. Press the Enter key to leave a field blank.

    Expected result:

    Enter pass phrase for avatarCA.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:FR
    State or Province Name (full name) [Some-State]:Ile de france
    Locality Name (eg, city) []:Paris
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:avatar
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:avatar
    Email Address []:
    
  4. Generate the root certificate in crt format:

    > openssl x509 -in ./avatarCA.pem -inform PEM -out ./avatarCA.crt
    

    We now have 3 files in the certificates/CA directory:

    • avatarCA.key => The private key
    • avatarCA.pem => Root certificate in pem format
    • avatarCA.crt => Root certificate in crt format

Create a certificate for the host client

Now we can generate a certificate for the client host and sign it with the CA.

Warning

The <server name> is the name of your server; it is used throughout the procedure for naming files.
Replace <server name> with YOUR server name everywhere it appears!

For example:
The name of YOUR server on which the client is installed is "PC-HOME".
Everywhere you see <server name>, replace it with "pc-home" (lower case works).

  1. Create a certificates/hote directory:

    On Windows:

    1. Open a DOS terminal (command prompt)
    2. Create a packager\certificates\hote directory

      mkdir C:\packager\certificates\hote
      
    3. Change to this directory

      cd C:\packager\certificates\hote
      
    On Linux:

    1. Open a terminal
    2. Create a packager/certificates/hote directory (the -p flag also creates the missing parent directories)

      mkdir -p ~/packager/certificates/hote
      
    3. Change to this directory

      cd ~/packager/certificates/hote
      
    On macOS:

    1. Open a terminal
    2. Create a packager/certificates/hote directory (the -p flag also creates the missing parent directories)

      mkdir -p $HOME/Desktop/packager/certificates/hote
      
    3. Change to this directory

      cd $HOME/Desktop/packager/certificates/hote
      
  2. Generate the private key:

    > openssl genrsa -out ./<server name>.key 2048
    
  3. Generate the CSR (Certificate Signing Request):

    > openssl req -new -key ./<server name>.key -out ./<server name>.csr
    

    A number of questions are asked; answer them as follows:

    • Enter the Country, State and Locality as you wish.
    • Enter avatar for the Organization Name and the Organizational Unit Name (the Common Name is the server name, see below).
    • Press the Enter key to leave a field blank.
    • IMPORTANT: You must enter the server name as it is reached from the outside in the CN (Common Name) field.

    Expected result:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:FR
    State or Province Name (full name) [Some-State]:ile de france
    Locality Name (eg, city) []:Paris
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:avatar
    Organizational Unit Name (eg, section) []:avatar
    Common Name (e.g. server FQDN or YOUR name) []:<server name>
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    
  4. Create the configuration file for the subdomain:

    • In the certificates/hote directory, create a new <server name>.ext file.
    • Add these values to the file, setting DNS.1 to the server name (this is the subjectAltName that clients match against the host name):

      authorityKeyIdentifier=keyid,issuer
      basicConstraints=CA:FALSE
      keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
      subjectAltName = @alt_names
      [alt_names]
      DNS.1 = <server name>
      
    • Save the file.

  5. Sign the certificate with the CA, valid for 10,000 days:

    > openssl x509 -req -in ./<server name>.csr -CA ../CA/avatarCA.pem -CAkey ../CA/avatarCA.key -CAcreateserial -out ./<server name>.crt -days 10000 -sha256 -extfile ./<server name>.ext
    

    The CA's passphrase is requested to produce the certificate signature. Expected result:

    Certificate request self-signature ok
    subject=C=FR, ST=ile de france, L=Paris, O=avatar, OU=avatar, CN=<server name>
    Enter pass phrase for ../CA/avatarCA.key:
    
    We now have 4 files in the certificates/hote directory:

    • <server name>.key => The private key of the subdomain certificate.
    • <server name>.csr => Certificate signing request.
    • <server name>.crt => Subdomain certificate in crt format.
    • <server name>.ext => Subdomain configuration (extension) file.

Certificate generation is now complete. You can now return to follow the next steps of the client installation.
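The whole procedure above, as an added example that is not part of the original page: a shell function that runs the CA and host-certificate steps non-interactively (passphrase passed with -passin/-passout, DN passed with -subj) and then performs the checks a practitioner should run before trusting the result: chain verification against the CA, presence of the server name in subjectAltName, and CA:FALSE on the host certificate. It assumes openssl is in PATH; the working directory, "pc-home" and the passphrase "avatar" are sample values.

```shell
#!/bin/sh
# Added example, not from the original page: the CA and host-certificate
# procedure run non-interactively, then checked the way a practitioner would
# before deploying the result. Assumes openssl is in PATH; the work directory,
# the server name and the CA passphrase are constructed sample values.
set -eu

# make_host_cert WORKDIR SERVER_NAME CA_PASSPHRASE
# Builds WORKDIR/CA/avatarCA.{key,pem} and WORKDIR/hote/SERVER_NAME.{key,csr,ext,crt};
# prints "ok" when the host certificate verifies against the CA and is a proper leaf.
make_host_cert() {
  workdir=$1; server=$2; capass=$3
  mkdir -p "$workdir/CA" "$workdir/hote"
  ( cd "$workdir/CA"
    # CA section, steps 2 and 3: encrypted CA key and self-signed root certificate.
    openssl genrsa -des3 -passout "pass:$capass" -out avatarCA.key 2048 2>/dev/null
    openssl req -x509 -new -key avatarCA.key -passin "pass:$capass" -sha256 -days 10000 \
      -subj "/C=FR/ST=Ile de france/L=Paris/O=avatar/CN=avatar" -out avatarCA.pem
  )
  ( cd "$workdir/hote"
    # Host section, steps 2 to 5: key, CSR with CN=server, extension file, signing.
    openssl genrsa -out "$server.key" 2048 2>/dev/null
    openssl req -new -key "$server.key" -subj "/C=FR/O=avatar/OU=avatar/CN=$server" -out "$server.csr"
    cat > "$server.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $server
EOF
    openssl x509 -req -in "$server.csr" -CA ../CA/avatarCA.pem -CAkey ../CA/avatarCA.key \
      -passin "pass:$capass" -CAcreateserial -days 10000 -sha256 \
      -extfile "$server.ext" -out "$server.crt" 2>/dev/null
  )
  crt="$workdir/hote/$server.crt"
  # Check 1: the signature chains to our CA (what the client does at connect time).
  openssl verify -CAfile "$workdir/CA/avatarCA.pem" "$crt" >/dev/null 2>&1 || { echo chain-fail; return 1; }
  # Check 2: the server name is in subjectAltName; modern clients ignore a CN-only match.
  openssl x509 -in "$crt" -noout -text | grep -q "DNS:$server" || { echo san-fail; return 1; }
  # Check 3: the extension file took effect, so this leaf cannot sign further certificates.
  openssl x509 -in "$crt" -noout -text | grep -q "CA:FALSE" || { echo ca-flag-fail; return 1; }
  echo ok
}
```

Run it as `make_host_cert /tmp/packager/certificates pc-home avatar`; any output other than `ok` names the check that failed.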