Do you need SSL, TLS, or HTTPS? Why might you use self-signed certificates? Are there risks that you need to consider? How do I get started testing quickly?
Self-signed certificates are SSL certificates, just like the ones you see on HTTPS websites. However, self-signed certs are not verified by Certificate Authorities (CAs).
Usually, CAs will verify that you own a website domain, your website's name. They won't secure your LAN Minecraft server. They won't verify a certificate for your local IP. You'll want to use a self-signed certificate; it works for localhost servers, LAN (or intranet) servers, and anywhere that accepts your master key.
When might SSL be required?
• Add TLS/SSL to simple servers for web apps (SPA, PWA) or highly interactive web pages.
• Add HTTPS to use other HTTPS website content (without mixed content errors).
• Protecting your users' data from attacks (MITM, ISP).
— HTTPS opens up MediaDevices (Camera, Microphone) & Secure WebSockets (Streaming). —
What do I need to make my own SSL certificates?
Simple tools for certs on macOS & Linux (see Windows).
🧮. http-server (simple testing server)
🖤. openssl (create, edit certificate)
🗞. makecert (all-in-one tool)
Your first self-signed certificate.
openssl genrsa -out server-side.key 2048
openssl req -new -out server-side.req -key server-side.key -subj /CN=192.168.0.3
openssl x509 -req -sha256 -days 365 -in server-side.req -signkey server-side.key -out server-side.crt
How does it work?
These commands create two files, then use them to create a final file. This is your certificate!
The first command creates your private key, which acts as your personal signature. The second makes a written request for a certificate, with the name of the server you would like to be certified.
The final command takes your first two files and combines them.
It signs your request with your own key, producing a self-signed certificate.
WARN: This cert is not verified by any official Certificate Authorities.
How do I use my certificate and these files?
You'll need 2 of your 3 files: your RSA key (server-side.key) and the server's certificate (server-side.crt). You can give these to your server program to enable HTTPS (apache, nginx, http-server, iis).
openssl is a utility. If you don't have it on your system, you can download it through your package manager (brew install, apt-get, etc.).
genrsa is the command. You can use
but the point is to create a private key to use when creating our certificate.
-out is an option. The -out option specifies the name of the file to output. We call ours: server-side.key
What's 2048? This is your key length. 2048 is the minimum requirement for many browsers.
openssl req creates a certificate request. You use it to create your official certificate.
-subj is an option. It gives the "subject" datapoint for our certificate request.
"CN=192.168.0.3" is a CN pointing to our LAN IP address. You can use a domain name, LAN IP, or public IP!
What is "CN"? It's an acronym for Common Name. You can use it to identify the name of the server this certificate is for. A subject line can be much longer, but it works best using the acronyms defined in the X.500/LDAP protocol. (C is country code, S is state name, E is full email)
openssl x509 creates a certificate based on the X.509 protocol.
-sha256 is an option forcing the hash algorithm SHA-256 to be used. This can help protect your app; many browsers don't accept weak SHAs.
-days 365: -days is an option. This is how long your certificate will be valid from today. You can set the days for much longer, but more browsers won't accept your certificate.
-in & -signkey: these options specify which request and key are going to be used to create your certificate!
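The walkthrough above puts the server name only in CN, but current browsers match the address against the subjectAltName (SAN) extension instead. As an added example (not from the original page), this script repeats the same three openssl steps with a SAN and then checks the result; the function names and the san.ext file name are assumptions of the example.

```sh
#!/bin/sh
# Added example: the page's three openssl steps plus a subjectAltName (SAN).
# san_for, make_cert, check_cert and san.ext are names assumed for this example.

# Pick the SAN type: IP addresses need "IP:", host names need "DNS:".
san_for() {
    case "$1" in
        *:*)       printf 'IP:%s' "$1" ;;   # IPv6 literal
        *[!0-9.]*) printf 'DNS:%s' "$1" ;;  # has a non-digit: host name
        *)         printf 'IP:%s' "$1" ;;   # dotted IPv4
    esac
}

# make_cert NAME [DAYS]: writes server-side.key/.req/.crt in the current dir.
make_cert() (
    name=$1; days=${2:-365}
    umask 077    # private key readable by its owner only (subshell-local)
    openssl genrsa -out server-side.key 2048 2>/dev/null &&
    openssl req -new -out server-side.req -key server-side.key \
        -subj "/CN=$name" &&
    printf 'subjectAltName=%s\n' "$(san_for "$name")" > san.ext &&
    openssl x509 -req -sha256 -days "$days" -in server-side.req \
        -signkey server-side.key -extfile san.ext \
        -out server-side.crt 2>/dev/null
)

# check_cert NAME: succeeds only if the cert matches the private key,
# has not expired, and lists NAME in its SAN extension.
check_cert() {
    crt_mod=$(openssl x509 -in server-side.crt -noout -modulus) || return 1
    key_mod=$(openssl rsa -in server-side.key -noout -modulus 2>/dev/null) || return 1
    [ "$crt_mod" = "$key_mod" ] || { echo "key/cert mismatch"; return 1; }
    openssl x509 -in server-side.crt -noout -checkend 0 >/dev/null \
        || { echo "certificate expired"; return 1; }
    openssl x509 -in server-side.crt -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -qwF "$1" \
        || { echo "SAN does not list $1"; return 1; }
}

# Run as a script: sh make-cert.sh 192.168.0.3
if [ "$#" -gt 0 ]; then make_cert "$1" && check_cert "$1"; fi
```

Run check_cert again after copying the files to the server: a key/cert mismatch is a common reason a server program refuses to start HTTPS.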
Ask questions to relations for vsadx.com