From b64cd856606cef7ed505514448dcb0f68fdeef74 Mon Sep 17 00:00:00 2001 From: "Steinar H. Gunderson" Date: Sun, 15 Nov 2020 10:32:34 +0100 Subject: [PATCH] Update certificate generation. --- README | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/README b/README index 0bd73f4..3541e8f 100644 --- a/README +++ b/README @@ -7,14 +7,28 @@ I don't know Rust. To build, you'll need a bazillion Rust crates, because who can serve HTTPS and talk to a smartcard reader without 105 dependencies. Generate a self-signed -certificate (make sure the common name says 127.0.0.1 when asked): +certificate: - openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 3650 -nodes + openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 3650 -nodes -subj "/C=NO/CN=localhost CA for multipass" openssl rsa -in key.pem > cert.rsa -Install the certificate in your browser; I didn't have any luck with Chrome -(it's possible you'll need to go through a self-signed CA), but it worked fine -in Firefox. +If you want it to work in Chrome, you'll actually need to go via a CA, so slightly +more involved: + + openssl req -x509 -newkey rsa:4096 -keyout CA-key.pem -out CA-cert.pem -days 3650 -nodes -subj "/C=NO/CN=localhost CA for multipass" + openssl req -newkey rsa:4096 -keyout key.pem -out server-cert.csr -days 3650 -nodes -subj "/C=NO/CN=127.0.0.1" -addext "subjectAltName = IP.1:127.0.0.1" + cat <extensions.conf +[v3_ca] +basicConstraints = CA:FALSE +keyUsage = digitalSignature, keyEncipherment +subjectAltName = IP.1:127.0.0.1 +EOF + openssl x509 -req -days 3650 -in server-cert.csr -CA CA-cert.pem -CAkey CA-key.pem -CAcreateserial -out cert.pem -extensions v3_ca -extfile extensions.conf + openssl rsa -in key.pem > cert.rsa + +Install the certificate (or CA certificate) in your browser. You'll also need +to spoof the User-Agent to say Windows, or Buypass will complain about the +lack of Java. Build and run: -- 2.39.2
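Review bot: In the Chrome path, the `openssl req -x509 ... -keyout CA-key.pem ... -nodes` line leaves the CA private key unencrypted on disk with a ten-year certificate and no name constraints, while the closing paragraph has the reader install that CA certificate in the browser. Anyone who can read CA-key.pem can then issue certificates that browser will trust for any host. The README should tell the reader to delete CA-key.pem once cert.pem has been signed, since the key is not needed again, or to drop `-nodes` for the CA key only. Two smaller points in the same hunk: `cat <extensions.conf` as shown reads the file instead of writing it, so the lines up to `EOF` need to be a here-document redirected into the file (`cat <<EOF >extensions.conf`); and the self-signed variant now carries `CN=localhost CA for multipass` with no subjectAltName, although the removed text asked for a common name of 127.0.0.1, so it would be clearer to give it `/CN=127.0.0.1` and the same `-addext "subjectAltName = IP.1:127.0.0.1"` the CSR line uses.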