Self-Signed Certificates
Self-signed certificates are useful for development, testing, or internal deployments where you don’t need public certificate authority validation. While not recommended for production internet-facing deployments, they provide transport encryption and can be generated quickly without external dependencies. What they do not provide is third-party assurance of the server’s identity, so every client that connects must be told explicitly to trust them (see Browser Configuration below).
Prerequisites
Ensure you have OpenSSL installed on your system:

```shell
# RHEL/CentOS/Fedora
sudo dnf install openssl

# Ubuntu/Debian
sudo apt-get install openssl

# Verify installation
openssl version
```

Generate Private Key
Create a 2048-bit RSA private key:

```shell
openssl genrsa -out yourdomain.com.key 2048
```

Create Certificate Signing Request (CSR)
Generate a Certificate Signing Request with your organization details:

```shell
openssl req -new -sha256 -key yourdomain.com.key \
  -subj "/C=NL/ST=Noord Holland/L=Amsterdam/O=Your Organization/OU=IT Department/CN=yourdomain.com/emailAddress=admin@yourdomain.com" \
  -out yourdomain.com.csr
```

CSR Parameters Explanation
- C=NL - Country (2-letter code)
- ST=Noord Holland - State or Province
- L=Amsterdam - City or Locality
- O=Your Organization - Organization name
- OU=IT Department - Organizational Unit
- CN=yourdomain.com - Common Name (your domain)
- emailAddress=admin@yourdomain.com - Contact email

Note that modern browsers match the hostname against the Subject Alternative Names, not the CN, so the configuration file in the next section is required for the certificate to be accepted.
Create Certificate Configuration File
Create a configuration file to include Subject Alternative Names (SAN) for wildcard support:

```shell
cat > yourdomain.com.conf << EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = NL
ST = Noord Holland
L = Amsterdam
O = Your Organization
OU = IT Department
CN = yourdomain.com
emailAddress = admin@yourdomain.com

[v3_req]
# digitalSignature is required for ECDHE cipher suites and TLS 1.3, where the
# RSA key signs the handshake; Chrome rejects RSA server certificates without it
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = yourdomain.com
DNS.2 = *.yourdomain.com
EOF
```

Generate Self-Signed Certificate
Create the self-signed certificate valid for 365 days:

```shell
openssl x509 -req -in yourdomain.com.csr \
  -signkey yourdomain.com.key \
  -out yourdomain.com.crt \
  -days 365 \
  -extensions v3_req \
  -extfile yourdomain.com.conf
```

Alternative: Generate Key and Certificate in One Step
You can also generate both the key and certificate simultaneously:

```shell
openssl req -x509 -newkey rsa:2048 -keyout yourdomain.com.key -out yourdomain.com.crt \
  -days 365 -nodes \
  -config yourdomain.com.conf -extensions v3_req
```

The -nodes option creates an unencrypted private key (no passphrase required). The -extensions v3_req option is needed here because, when -x509 is used, openssl req takes its extensions from the x509_extensions setting rather than from req_extensions; without it the certificate would be issued without the SANs.
Combine Certificate Files
Surfly requires the private key and certificate to be combined in a single PEM file:

```shell
cat yourdomain.com.key yourdomain.com.crt > yourdomain.com.pem
```

Verify Combined Certificate
Check that the combined file contains both the private key and certificate:

```shell
# Should show the private key header: "RSA PRIVATE KEY" on OpenSSL 1.x,
# or "PRIVATE KEY" (PKCS#8) on OpenSSL 3.x, which genrsa writes by default
grep -A 1 -E "BEGIN (RSA )?PRIVATE KEY" yourdomain.com.pem

# Should show "CERTIFICATE"
grep -A 1 "BEGIN CERTIFICATE" yourdomain.com.pem
```

Install Certificate
Copy the certificate to your Surfly installation directory:

```shell
# Create certificates directory if it doesn't exist
mkdir -p ~/surfly/certs/

# Copy the combined certificate
cp yourdomain.com.pem ~/surfly/certs/

# Set appropriate permissions
chmod 600 ~/surfly/certs/yourdomain.com.pem
chown client:client ~/surfly/certs/yourdomain.com.pem
```

Set Up Certificate Authority (Optional)
For better browser compatibility in development environments, you can create your own Certificate Authority and install it as trusted:

Create CA Private Key

```shell
openssl genrsa -out ca.key 4096
```

Create CA Certificate

```shell
openssl req -x509 -new -nodes -key ca.key -days 3650 -out ca.crt \
  -subj "/C=NL/ST=Noord Holland/L=Amsterdam/O=Your Organization CA/CN=Your Organization Root CA"
```

Sign Your Certificate with CA

```shell
openssl x509 -req -in yourdomain.com.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out yourdomain.com.crt -days 365 \
  -extensions v3_req -extfile yourdomain.com.conf
```

This overwrites yourdomain.com.crt, so repeat the Combine Certificate Files step afterwards so that the PEM file Surfly serves contains the CA-signed certificate.

Install CA in System Trust Store
Copy your root CA certificate to the Surfly trust directory:

```shell
mkdir -p ~/surfly/ca_trust/
cp ca.crt ~/surfly/ca_trust/
```

Verify Certificate
Check your certificate details:

```shell
# View certificate information
openssl x509 -in yourdomain.com.crt -text -noout

# Verify certificate against private key
openssl x509 -noout -modulus -in yourdomain.com.crt | openssl md5
openssl rsa -noout -modulus -in yourdomain.com.key | openssl md5
```

Both commands should return the same hash value, confirming the certificate matches the private key.
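An added end-to-end check, not part of the Surfly documentation, that ties the Verify Combined Certificate and Verify Certificate sections together: it builds a throwaway CA and a SAN-enabled, CA-signed certificate in a scratch directory using the same OpenSSL steps and config layout as above, then checks the combined PEM for key/cert match, SAN coverage (including the wildcard), the digitalSignature key usage and chain validity. The domain dev.example.test, the CA name and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Surfly docs): run the page's procedure in a
# scratch directory and check the combined PEM the way a deployer should.
set -eu

# Writes the OpenSSL config, then builds a test CA, a server key, a CSR,
# a CA-signed certificate with SANs, and the combined key+cert PEM.
# $1 = domain, $2 = working directory (both are example values, not Surfly's).
build_pem() {
  domain="$1"; dir="$2"
  cat > "$dir/$domain.conf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = $domain
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$domain, DNS:*.$domain
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
EOF
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -days 3650 -subj "/CN=Example Test CA" \
    -config "$dir/$domain.conf" -extensions v3_ca -out "$dir/ca.crt"
  openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$domain.key" -config "$dir/$domain.conf" -out "$dir/$domain.csr"
  openssl x509 -req -in "$dir/$domain.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 365 -extensions v3_req -extfile "$dir/$domain.conf" -out "$dir/$domain.crt" 2>/dev/null
  cat "$dir/$domain.key" "$dir/$domain.crt" > "$dir/$domain.pem"
}

# Returns 0 only if the PEM is usable: key matches cert, SAN covers the domain
# and its wildcard, keyUsage permits TLS signatures, chain validates to the CA.
check_pem() {
  pem="$1"; ca="$2"; domain="$3"
  k=$(openssl rsa -in "$pem" -noout -modulus 2>/dev/null | openssl md5)
  c=$(openssl x509 -in "$pem" -noout -modulus | openssl md5)
  [ "$k" = "$c" ] || { echo "key/cert mismatch"; return 1; }
  text=$(openssl x509 -in "$pem" -noout -text)
  echo "$text" | grep -q "DNS:$domain" || { echo "SAN missing"; return 1; }
  echo "$text" | grep -q "DNS:\*\.$domain" || { echo "wildcard SAN missing"; return 1; }
  echo "$text" | grep -q "Digital Signature" || { echo "no digitalSignature"; return 1; }
  openssl verify -CAfile "$ca" "$pem" >/dev/null 2>&1 || { echo "chain invalid"; return 1; }
}
```

Run it with `d=$(mktemp -d); build_pem dev.example.test "$d"; check_pem "$d/dev.example.test.pem" "$d/ca.crt" dev.example.test`; an exit status of 0 means the PEM is ready to copy into ~/surfly/certs/, and a non-zero status prints which check failed.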
Browser Configuration
To avoid security warnings during development, you can add your self-signed certificate to your browser’s trusted certificates:

Chrome/Chromium
- Go to chrome://settings/certificates
- Click “Authorities” tab
- Click “Import” and select your ca.crt file (if you created a CA)
- Check “Trust this certificate for identifying websites”

Firefox
- Go to about:preferences#privacy
- Scroll to “Certificates” and click “View Certificates”
- Go to “Authorities” tab
- Click “Import” and select your ca.crt file
Security Considerations
Key Management
- Store private keys securely with restricted permissions (chmod 600)
- If you created your own CA, protect ca.key above all: anything it signs is trusted by every browser and machine that imported ca.crt
- Use separate certificates for different environments
- Regularly rotate certificates (recommended: yearly)

Network Security
- Use self-signed certificates only on trusted networks
- Consider using VPN or network isolation for services with self-signed certificates
- Monitor certificate expiration dates