How to correctly create a self-signed certificate for a local IP and make it trust?

S

syxoi2021-05-07 02:05:39

Apache HTTP Server

syxoi, 2021-05-07 02:05:39

Hello!
I generated the certificate like this:

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/apache2/ssl/mycert.key -out /etc/apache2/ssl/mycert.crt

When creating the certificate, the common name also specified 172.25.25.20:

Common Name (eg server FQDN or YOUR name) []:172.25.25.20

And I wrote the following in /etc/apache2/sites-enabled/default-ssl.conf:

ServerName 172.25.25.20
SSLCertificateFile /etc/apache2/ssl/mycert.crt
SSLCertificateKeyFile /etc/apache2/ssl/mycert.key
SSLEngine on

All the necessary modules for ssl support, of course, included.

Then, I added a certificate to Chrome, but when I try to access the site, I get an error:

So, how to correctly make a self-signed certificate for the local network (without a domain, the site is an IP address) and make both browsers and Android devices trust it?

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

A

Alexander Karabanov, 2021-05-07
@karabanov

All the same, use a domain, not IP (you can not register a domain and just register the corresponding entry in hosts, you can raise your DNS - this is a more preferable option, you can register a free domain on freenom.com ).
Make the certificate trusted on all devices.
You can also consider using certificates from Let's Encrypt .
PS
It may also be possible to add DNS records in the router, then you can use the router's DNS ...

A

AUser0, 2021-05-07
@AUser0

Click the "Advanced" button and there will be a link "Go to 172.25.25.20", or something similar...

C

CityCat4, 2021-05-07
@CityCat4

The only way to make a self-signed certificate trust is by placing it in the trusted certificate store. On every device that needs trust.
Yes, LE was not invented in vain :)