Running one's own root Certificate Authority in 2023

But, what if it’s just for internal services, some of them even cut off from the ‘Net? And more importantly, what if you don’t wish to be bothered with juggling the renewals every 3 months, or want that sweet wildcard x509 cert with minimum hassle?

Well then… how about the age-old solution of rolling out your own root CA? Ideally one that will be accepted without issue by major browsers, including the ones on iOS.

Way back when I was just a little bitty boy… we used to do this whole shindig with sign.sh -- Sign a SSL Certificate Request (CSR) script and a modicum of openssl genrsa, openssl req -new -x509, openssl req -new elbow grease.

Or so I thought, as I was running that thing with default_days = 3650 for the past many many years. And while that continues to work fine in Firefox on Linux to this day2, you’re bound to hit a brick wall when trying to use server certificates generated that way with Apple devices3.

Turns out4, Apple really doesn’t want you to use server certs that are valid for longer than 398 days5, along with a plethora of other restrictions. tldr: 2048bit+, SHA2 digest, CN ignored, altnames is king, keyusage=serverAuth.

Leave a Comment