Create and deploy internally trusted SSL certificate for local networks

From Fvettore-WIKI

purpose

Create trusted SSL sites on the local network. For example: https://clusterman.cifarelli.loc/

implementation

Create a local CA

Generate the CA key. The `-des3` option sets a passphrase that will be asked for at every certificate signing. Keep the key in a secure location: whoever holds it can issue certificates that every client on the network will trust.

`openssl genrsa -des3 -out cifarelliCA.key 4096`

Generate the CA certificate, which is the file that gets deployed to clients (validity 10 years):

`openssl req -x509 -new -nodes -key cifarelliCA.key -sha256 -days 3650 -out cifarelliCA.crt`

issue server certificate

See the new version below.

Generate the key: `openssl genrsa -out clusterman.key 2048`

Generate the certificate signing request: `openssl req -new -key clusterman.key -out clusterman.csr`

Sign the certificate with the CA key and certificate: `openssl x509 -req -in clusterman.csr -CA cifarelliCA.crt -CAkey cifarelliCA.key -CAcreateserial -out clusterman.crt -days 3650 -sha256`

deploy CA certificate to clients

This can be done via GPO.
Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies, right-click Trusted Root Certification Authorities and select Import

issue certificate for Windows IIS server

IIS imports only a .pfx (PKCS#12) bundle containing the CA certificate, the private key and the server certificate. To generate it: `openssl pkcs12 -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -export -out cifarelli.loc.pfx -inkey cifa.key -in cifa.crt -certfile cifarelliCA.crt` The options `-certpbe`, `-keypbe`, and `-nomac` are added for compatibility with older Windows systems; they select legacy SHA-1/3DES encodings and drop the integrity MAC, so leave them out unless the target actually needs them.

issue server certificate NEW VERSION

Certificates issued as above are no longer accepted by browsers: recent versions ignore the CN and require the host name to appear in the **alternative names** (subjectAltName) extension as well.
You need to set up a configuration file (the script below reads it as `req.conf`):

```
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
C = IT
ST = Lombardy
L = Pavia
O = CIFARELLI Spa
OU = IT labs
CN = cifarelli.loc

[v3_req]
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
subjectAltName = @alt_names

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.cifarelli.loc
```

Here are the next steps collected in a bash script *genera.sh*:

```
#!/bin/bash
# Usage: ./genera.sh certificatename
set -eu
[ $# -eq 1 ] || { echo "usage: $0 certificatename" >&2; exit 1; }

# Create private key
openssl genrsa -out "${1}.key" 2048

# Create CSR (subject and SAN are read from req.conf)
openssl req -new -key "${1}.key" -out "${1}.csr" -config ./req.conf

# Sign and release the final certificate, applying the v3_req extensions (SAN, key usage)
openssl x509 -req -in "${1}.csr" -CA ./cifarelliCA.crt -CAkey ./cifarelliCA.key -CAcreateserial \
  -extfile ./req.conf -extensions v3_req -out "${1}.crt" -days 3650 -sha256
```

By running the following command:

`./genera.sh certificatename`

you will get `certificatename.key`, `certificatename.csr` and `certificatename.crt`.
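The whole flow on this page (CA creation, the *genera.sh* steps and the .pfx export for IIS) as an added end-to-end example that is not part of the wiki page: it runs in a throwaway directory and then performs the checks a client will perform, chain validation against the CA and host name matching against the SAN. Assumptions not on the page: a small `ca.conf` that restricts the CA with `basicConstraints` `pathlen:0` and a keyUsage of keyCertSign/cRLSign, an unencrypted CA key so the script runs without prompts (keep the page's `-des3` passphrase for a real CA), a `DNS.2 = cifarelli.loc` entry because a wildcard does not cover the bare domain named in CN, a trimmed DN, and an 825-day leaf lifetime (the longest Apple clients accept for TLS server certificates).

```shell
#!/bin/bash
# Added example (not the wiki's own script): CA -> CSR -> signed cert -> checks -> pfx,
# all inside a temporary directory that is removed on exit.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

write_configs() {
  # CA profile (assumption): CA bit plus a keyUsage limited to signing certs/CRLs,
  # so the CA key is not usable as a TLS server key.
  cat > "$WORK/ca.conf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
C = IT
O = CIFARELLI Spa
CN = cifarelli.loc internal CA
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Server request profile, same layout as the page's req.conf with a trimmed DN.
  # DNS.2 is added: "*.cifarelli.loc" does not match the bare "cifarelli.loc".
  cat > "$WORK/req.conf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C = IT
O = CIFARELLI Spa
CN = cifarelli.loc
[v3_req]
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
subjectAltName = @alt_names
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.cifarelli.loc
DNS.2 = cifarelli.loc
EOF
}

make_ca() {
  # Unencrypted CA key only so this runs non-interactively (page uses -des3).
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORK/ca.key" -sha256 -days 3650 \
    -config "$WORK/ca.conf" -out "$WORK/ca.crt"
}

issue_cert() {  # $1 = base name, as in genera.sh
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -out "$WORK/$1.csr" -config "$WORK/req.conf"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/req.conf" -extensions v3_req \
    -out "$WORK/$1.crt" -days 825 -sha256 2>/dev/null
}

# Chain check: the leaf must validate against the CA certificate alone.
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null; }

# Host name check: clients match the URL host against SAN entries, never the CN.
verify_hostname() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# Show the SAN extension actually present in the issued certificate.
san_of() { openssl x509 -in "$WORK/$1.crt" -noout -ext subjectAltName; }

# IIS bundle: key + server cert + CA cert in one PKCS#12, protected by password $2,
# then read back so the integrity MAC is verified with the same password.
export_pfx() {
  openssl pkcs12 -export -out "$WORK/$1.pfx" -inkey "$WORK/$1.key" \
    -in "$WORK/$1.crt" -certfile "$WORK/ca.crt" -passout "pass:$2"
  openssl pkcs12 -in "$WORK/$1.pfx" -passin "pass:$2" -noout 2>/dev/null
}

main() {
  write_configs; make_ca; issue_cert clusterman
  verify_chain clusterman; echo "chain OK"
  verify_hostname clusterman clusterman.cifarelli.loc; echo "clusterman.cifarelli.loc matches SAN"
  verify_hostname clusterman a.b.cifarelli.loc || echo "a.b.cifarelli.loc does NOT match (wildcard covers one label)"
  san_of clusterman
  export_pfx clusterman 'example-password'; echo "pfx OK"
}
main "$@"
```

Run it with `sh` or `bash`; it needs only `openssl`. The negative check is the one worth keeping around: `*.cifarelli.loc` matches exactly one label, so a host such as `a.b.cifarelli.loc` needs its own SAN entry, and the chain check is what the GPO-deployed CA certificate makes succeed on each client.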