This tutorial briefly covers creating and trusting your own certificate authority (CA) for issuing self-signed SSL certificates, and is designed to work with OrbitDB’s new REST API HTTP/2 push services.
This tutorial is aimed at Unix-based systems, in particular Ubuntu and other Debian-based Linux distributions, so you may need to modify the commands for your own platform. All code examples are intended to be copied and pasted directly into the command line and will generate certificates in your current working directory.
To get started, we are going to create a root certificate, which we will then use to sign additional SSL certificates.
First, create your root CA private key:
    openssl genrsa -des3 -out rootSSL.key 2048

    Generating RSA private key, 2048 bit long modulus
    .........+++
    .........+++
    e is 65537 (0x010001)
    Enter pass phrase for rootSSL.key:
You will be prompted for a pass phrase. Be sure to choose one that is long enough, as OpenSSL will report an error if the pass phrase is too short.
Next, use your CA private key to create a root certificate:
    openssl req -x509 -new -nodes -key rootSSL.key -sha256 -days 1024 -out rootSSL.pem
Once launched, you will need to re-enter the password you assigned to your private key:
    Enter pass phrase for rootSSL.key:
If the pass phrase is accepted, you will be prompted for the information that goes into the certificate:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:WA
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:localhost
    Email Address []:
You are now ready to install the new CA certificate into your system’s CA trust store. The following commands copy the root certificate into Ubuntu’s CA store, so you may need to modify the paths if you are on a different distribution or OS platform. Note the .crt extension on the copied file: update-ca-certificates only picks up files with that extension.
    sudo mkdir /usr/local/share/ca-certificates/extra
    sudo cp rootSSL.pem /usr/local/share/ca-certificates/extra/rootSSL.crt
    sudo update-ca-certificates
Now it is time to generate a certificate for your development environment. Create a private key and a certificate signing request (CSR) for the new certificate:
    openssl req \
      -new -sha256 -nodes \
      -out localhost.csr \
      -newkey rsa:2048 -keyout localhost.key \
      -subj "/C=AU/ST=WA/L=City/O=Organization/OU=OrganizationUnit/CN=localhost/emailAddress=email@example.com"
Next, create the certificate, signing it with your Root CA:
    # <( ) process substitution needs bash. -extensions v3_ca selects the section
    # below; without it openssl x509 ignores a named section and issues the
    # certificate with no extensions (and so no subjectAltName). printf writes real
    # newlines, where echo would leave literal \n and openssl would see one line.
    openssl x509 \
      -req \
      -in localhost.csr \
      -CA rootSSL.pem -CAkey rootSSL.key -CAcreateserial \
      -out localhost.crt \
      -days 500 \
      -sha256 \
      -extensions v3_ca \
      -extfile <(printf '%s\n' \
        '[ v3_ca ]' \
        'authorityKeyIdentifier=keyid,issuer' \
        'basicConstraints=CA:FALSE' \
        'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
        'subjectAltName=DNS:localhost')
Your SSL certificate is now ready for use. To use it with OrbitDB’s REST API, launch the cli.js script with the flags --https-key and --https-cert, pointing them at the localhost.key and localhost.crt files we just created:
    node src/cli.js api --ipfs-host localhost --orbitdb-dir ./orbitdb --https-cert ./localhost.crt --https-key ./localhost.key
The certificates should validate against your Root CA when used with tools such as curl:
    curl -vs --http2 -X POST https://localhost:3000/db/my-feed --data 'create=true' --data 'type=feed'
    successfully set certificate verify locations:
      CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    ...
    SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    ALPN, server accepted to use h2
    Server certificate:
      subject: C=AU; ST=WA; L=Ellenbrook; O=Organization; OU=OrganizationUnit; CN=localhost; emailAddress=firstname.lastname@example.org
      start date: May 25 14:56:35 2019 GMT
      expire date: Oct 6 14:56:35 2020 GMT
      common name: localhost (matched)
      issuer: C=AU; ST=WA; L=Ellenbrook; O=Internet Widgits Pty Ltd; CN=Local Certificate
      SSL certificate verify ok.
In the output above, you can see the CA bundle being loaded from the correct location (/etc/ssl/certs) and the details of the server certificate (under Server certificate:), ending with the line confirming that verification succeeded.
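As an added example, not part of the original tutorial or of OrbitDB: the same root CA and localhost certificate built non-interactively in one script, followed by the checks that curl’s output only hints at (the leaf chains to the root, is not itself a CA, and names localhost in its subjectAltName). The `make_dev_ca` and `verify_leaf` functions, the `v3_leaf` section name and the `./devca` work directory are this example’s own choices.

```bash
#!/usr/bin/env bash
# Added example, not part of the original tutorial: the same root CA and
# localhost certificate built non-interactively, then checked for what curl's
# output only hints at: chains to rootSSL.pem, not a CA, "localhost" in the SAN.
set -eu

# Create rootSSL.key/.pem and localhost.key/.csr/.crt under $1 (keys unencrypted
# so no passphrase prompts; the tutorial's interactive flow uses -des3).
make_dev_ca() {
  local dir="$1"
  mkdir -p "$dir"
  # Root key and self-signed root certificate (req -x509 marks it CA:TRUE).
  openssl genrsa -out "$dir/rootSSL.key" 2048
  openssl req -x509 -new -key "$dir/rootSSL.key" -sha256 -days 1024 \
    -subj "/C=AU/ST=WA/O=Local Dev CA/CN=Local Certificate" -out "$dir/rootSSL.pem"
  # Leaf key and CSR for the development host.
  openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout "$dir/localhost.key" \
    -out "$dir/localhost.csr" -subj "/C=AU/ST=WA/O=Organization/CN=localhost"
  # Leaf extensions. -extensions v3_leaf must name this section: without it
  # openssl x509 reads the empty default section and issues a cert with no SAN.
  cat >"$dir/v3.ext" <<'EOF'
[ v3_leaf ]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:localhost,IP:127.0.0.1
EOF
  openssl x509 -req -in "$dir/localhost.csr" -CA "$dir/rootSSL.pem" \
    -CAkey "$dir/rootSSL.key" -CAcreateserial -days 500 -sha256 \
    -extfile "$dir/v3.ext" -extensions v3_leaf -out "$dir/localhost.crt"
}

# Print "ok" when localhost.crt in $1 chains to rootSSL.pem in $1, is not a CA
# and carries DNS:localhost; otherwise print the name of the failed check.
verify_leaf() {
  local dir="$1" text
  openssl verify -CAfile "$dir/rootSSL.pem" "$dir/localhost.crt" >/dev/null 2>&1 \
    || { echo chain; return 0; }
  text=$(openssl x509 -in "$dir/localhost.crt" -noout -text)
  printf '%s' "$text" | grep -q 'CA:FALSE'      || { echo is-ca; return 0; }
  printf '%s' "$text" | grep -q 'DNS:localhost' || { echo no-san; return 0; }
  echo ok
}

if command -v openssl >/dev/null 2>&1; then
  make_dev_ca ./devca >/dev/null 2>&1
  verify_leaf ./devca   # prints "ok"
fi
```

Swap `./devca/rootSSL.pem` for a different root and `verify_leaf` reports `chain`, which is the same failure curl would report as a certificate verify error.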
You can now successfully run the new OrbitDB HTTP API with self-signed certificates on your development environment.
How to get HTTPS working in localhost development environment, secureend.com, https://reactpaths.com/how-to-get-https-working-in-localhost-development-environment-f17de34af046