Generating SSL Certificate for Episode archive

Self-signed SSL certificates for the Episode archive service can be created with the OpenSSL application.

Install the OpenSSL v1.1.1n Light distribution package that matches the bitness (32-bit or 64-bit) of the operating system.

Generation on Windows OS

The steps below are a sequence of commands that should be executed on the command line.

  1. Add the OpenSSL folder to the PATH environment variable.

    For Win64 OpenSSL use:

    path=%path%;C:\Program Files\OpenSSL-Win64\bin\
    

    For Win32 OpenSSL use:

    path=%path%;C:\Program Files\OpenSSL-Win32\bin\
    
  2. Create a directory that will contain the generated certificates. On the command line, navigate to the created directory.

  3. Create the root certificate private key file:

    openssl genrsa -out rootCertKeyName.key 2048
    
  4. Create the root certificate:

    openssl req -x509 -new -key rootCertKeyName.key -days 10000 -out rootCertName.crt
    

    Note

    The command will prompt for the certificate details.

  5. Create the service private key:

    openssl genrsa -out serviceCertKeyName.key 2048
    
  6. Create the Certificate Signing Request (CSR):

    openssl req -new -key serviceCertKeyName.key -out serviceCertRequestName.csr
    

    Note

    The command will prompt for the certificate details.

    Make sure to fill in the Common Name (e.g. server FQDN or YOUR name) field. The Common Name is the string that is displayed in the certificate signer information. If this field is left blank, the result will be an empty string.

  7. Create the service certificate by signing the CSR with the root certificate:

    openssl x509 -req -in serviceCertRequestName.csr -CA rootCertName.crt -CAkey rootCertKeyName.key -CAcreateserial -out serviceCertName.crt -days 5000
    
  8. Export the certificate and private key into a single file:

    openssl pkcs12 -export -out serviceCertFileName.pfx -inkey serviceCertKeyName.key -in serviceCertName.crt -certfile rootCertName.crt
    

Note

Created .pfx files should be transferred to the server running the Episode archive service and added to the Episode archive service configuration.

The root certificate rootCertName.crt must be imported into the operating system on all servers that will work with the Episode archive service.

Generation on Linux OS

  1. Run a terminal.

  2. Create a directory that will contain the generated certificates. On the command line, navigate to the created directory.

  3. Create the root certificate private key file:

    openssl genrsa -out rootCertKeyName.key 2048
    
  4. Create the root certificate:

    openssl req -x509 -new -key rootCertKeyName.key -days 10000 -out rootCertName.crt
    

    Note

    The command will prompt for the certificate details.

  5. Create the service private key:

    openssl genrsa -out serviceCertKeyName.key 2048
    
  6. Create the Certificate Signing Request (CSR):

    openssl req -new -key serviceCertKeyName.key -out serviceCertRequestName.csr
    

    Note

    The command will prompt for the certificate details.

    Make sure to fill in the Common Name (e.g. server FQDN or YOUR name) field. The Common Name is the string that is displayed in the certificate signer information. If this field is left blank, the result will be an empty string.

  7. Create the service certificate by signing the CSR with the root certificate:

    openssl x509 -req -in serviceCertRequestName.csr -CA rootCertName.crt -CAkey rootCertKeyName.key -CAcreateserial -out serviceCertName.crt -days 5000
    
  8. Export the certificate and private key into a single file:

    openssl pkcs12 -export -out serviceCertFileName.pfx -inkey serviceCertKeyName.key -in serviceCertName.crt -certfile rootCertName.crt
    
  9. Import the certificate.

Ubuntu and Debian

Copy the root certificate to the certificates directory:

    sudo cp rootCertName.crt /usr/local/share/ca-certificates/rootCertName.crt

Update the certificates list:

    sudo update-ca-certificates
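
Before transferring the .pfx file, the output of steps 3 to 8 can be checked with the script below. It is an added example, not part of the original instructions: the function names `make_test_certs` and `check_certs`, the `-subj` values and the password are assumptions made for illustration, while the file names are the ones used on this page.

```bash
#!/usr/bin/env bash
# Added example: validates the files from steps 3-8 before they are deployed.
# File names follow the page; the -subj values and password are constructed.

# Dry-run helper: repeats steps 3-8 non-interactively in directory $1.
make_test_certs() {
  ( cd "$1" &&
    openssl genrsa -out rootCertKeyName.key 2048 &&
    openssl req -x509 -new -key rootCertKeyName.key -days 10000 \
      -subj "/CN=Example Root CA" -out rootCertName.crt &&
    openssl genrsa -out serviceCertKeyName.key 2048 &&
    openssl req -new -key serviceCertKeyName.key \
      -subj "/CN=archive.example.test" -out serviceCertRequestName.csr &&
    openssl x509 -req -in serviceCertRequestName.csr -CA rootCertName.crt \
      -CAkey rootCertKeyName.key -CAcreateserial -out serviceCertName.crt -days 5000 &&
    openssl pkcs12 -export -out serviceCertFileName.pfx -inkey serviceCertKeyName.key \
      -in serviceCertName.crt -certfile rootCertName.crt -passout "pass:$2"
  ) >/dev/null 2>&1
}

# check_certs DIR PFX_PASSWORD: returns 0 only if every check passes.
check_certs() {
  dir=$1; pfx_pass=$2
  # 1. The service certificate must verify against the root certificate.
  openssl verify -CAfile "$dir/rootCertName.crt" "$dir/serviceCertName.crt" \
    >/dev/null 2>&1 || { echo "FAIL: chain"; return 1; }
  # 2. The service key must be the one the certificate was issued for.
  cert_pub=$(openssl x509 -in "$dir/serviceCertName.crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$dir/serviceCertKeyName.key" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: key/cert mismatch"; return 1; }
  # 3. The Common Name must not have been left blank at the CSR prompt.
  openssl x509 -in "$dir/serviceCertName.crt" -noout -subject \
    | grep -q 'CN *= *[^ ,/]' || { echo "FAIL: empty Common Name"; return 1; }
  # 4. The .pfx must open with the export password (pass: is visible in the
  #    process list; prefer -passin env:VAR or file:PATH for real secrets).
  openssl pkcs12 -in "$dir/serviceCertFileName.pfx" -passin "pass:$pfx_pass" \
    -noout >/dev/null 2>&1 || { echo "FAIL: pfx"; return 1; }
  echo "OK: chain, key, Common Name and .pfx verified"
}

# Dry run in a scratch directory. For real files: check_certs . 'pfx-password'
tmp=$(mktemp -d) && make_test_certs "$tmp" "constructed-pass" \
  && check_certs "$tmp" "constructed-pass"
rm -rf "$tmp"
```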