Creating a CA for development, and signing SAN/UCC certificates

This post talks about why I came up with FreeCA. If you want to dive straight into creating your own CA (and certificates), please dive straight into that project.

As time has passed, browsers have really turned their back on self-signed SSL certificates. This is perfectly understandable, of course: humans are probably the weakest link of the whole SSL system.

Originally, a browser would give a simple warning that the certificate was self-signed. These days, they put up a full-page splash before you're allowed to step through it. Even when you do, Chrome draws a red line through the https:// to say "yes, this is https, but you're probably not as secure as you think".

Over time - I grew tired of this. Running Dokku allowed me to have which was almost like a dream come true. For security, I also wanted to run the projects over https. Storing an exception in your browser for is fine - but by the time I hit, my patience soon wore thin.

The question is: why didn't I just pipe down and buy an SSL certificate? Because they're not cheap when you want more than one wildcard. You can get one wildcard for ~$50 (which I was happy to pay), but what I am not prepared to do is pay $50 for *, another $50 for * and so on. The point of a wildcard is that you don't need to buy more than one of them - so my use-case seemed to defeat their designated purpose.

Instead, I:

  1. Generated my own Certificate Authority (CA).
  2. Installed this CA in Firefox, Chrome, etc.
  3. Generated as many certificates as I liked, easily and conveniently.

In order to do this, I did a lot of research. I found that OpenSSL was not at all helpful when you wanted to generate a CA, nor when you wanted your CA to sign a certificate with many Subject Alternative Names (SANs). In fact, it was so unhelpful that it didn't even seem possible to do it from the command line alone: you had to manually edit openssl.cnf and inject the values there.
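To make that openssl.cnf juggling concrete, here is an added example of the whole procedure (a development CA, then a leaf certificate carrying several SANs signed by it). It is not the FreeCA scripts and not the author's own commands; it only assumes the `openssl` CLI is on PATH, and the directory, file names and hostnames (`app.dev.test`, `*.app.dev.test`, `api.dev.test`) are constructed for the demo. The SAN section is generated into a throwaway config file and passed to both `req` and `x509 -req` with `-extfile`/`-extensions`, because `x509 -req` does not copy extensions from the CSR on its own. SANs are not optional for browsers: Chrome ignores the CN entirely and only matches hostnames against the SAN list.

```shell
#!/usr/bin/env bash
# Added example (not FreeCA's code): a development CA and a SAN leaf cert
# driven entirely by generated config files. Assumes `openssl` is on PATH.
set -eu

# Create a self-signed CA key and certificate in the work directory $1.
make_dev_ca() {
  local dir=$1
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Dev Root CA (example, constructed)
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt"
  chmod 600 "$dir/ca.key"   # the CA key is the only secret here; keep it private
}

# Issue a leaf cert: $1 = work dir, $2 = file name stem, $3.. = DNS SANs.
# The first SAN doubles as the CN; the alt_names section is generated from
# the remaining arguments, which is the part openssl will not take on the CLI.
issue_san_cert() {
  local dir=$1 name=$2 cnf san i=1
  shift 2
  cnf="$dir/$name.cnf"
  {
    printf '[ req ]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n'
    printf '[ dn ]\nCN = %s\n' "$1"
    printf '[ v3_req ]\nbasicConstraints = CA:FALSE\n'
    printf 'keyUsage = digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n'
    printf '[ alt_names ]\n'
    for san in "$@"; do printf 'DNS.%d = %s\n' "$i" "$san"; i=$((i + 1)); done
  } > "$cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cnf" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr"
  # Sign with the CA; re-supply the extensions, since -req drops CSR extensions.
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$cnf" -extensions v3_req \
    -out "$dir/$name.crt"
}

# Succeeds only if the leaf chains to the CA in $1.
verify_chain() { openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null; }

# Print the SAN list of a certificate, e.g. "DNS:a.dev.test,DNS:*.a.dev.test".
cert_sans() {
  openssl x509 -noout -text -in "$1" | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

demo() {
  local work
  work=$(mktemp -d)
  make_dev_ca "$work"
  issue_san_cert "$work" app app.dev.test '*.app.dev.test' api.dev.test
  verify_chain "$work" app && echo "chain OK; SANs: $(cert_sans "$work/app.crt")"
  echo "import $work/ca.crt into the browser trust store; never the .key"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it with `RUN_DEMO=1 bash the-script.sh`; it prints the verified SAN list and the path of the CA certificate to import into Firefox or Chrome. Only `ca.crt` is ever imported; `ca.key` stays on the machine that issues certificates, since anyone holding it can mint certificates every browser that trusts the CA will accept.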

After much effort, and managing to figure out how to do it, I decided to wrap all of my commands in some really simple bash scripts dubbed FreeCA for everyone else to enjoy: Using this, it's a doddle to create the CA - and generate as many certificates as you like, with each one containing as many SANs as you can shake a stick at.