Self Signed certificate for NPM

To bypass the Bad Certificate prompt, just type "thisisunsafe" on the keyboard and press Enter.


If you are using something like Nginx or Nginx Proxy Manager for your local websites, you can easily generate a self-signed certificate and deploy it on your computers, so they stop telling you the certificate is wrong.

#!/bin/bash
# CA Authority custom values:
CA_NAME="self.certificate" # Use your own domain name
CA_COUNTRY_Code="GB"
ca_stateOrProvinceName=England
ca_localityName="Yorkshire"
ca_orgUnitName="IT"
ca_comp_Name="Home Industry SelfSigned"

# your own values for certificate
NAME="vm.com" # Use your own domain name
COUNTRY_Code="GB"
stateOrProvinceName=England
localityName="Yorkshire"
organizationalUnitName="IT"
csr_email="myemail@$NAME"
company_Name="Adventures"

# Also edit the Subject Alt Names for the certificate further down (in two places)

# folders
ca_dir='myca'
cert_dir="${NAME}_certs"
mkdir -p "$ca_dir" "$cert_dir"   # -p: do not fail when the folders already exist

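# Check if CA certificate and key files exist
# (the names must match the files written below, otherwise a new CA is created on every run)
if [ ! -f "$ca_dir/ca-cert.pem" ] || [ ! -f "$ca_dir/ca-key.pem" ]; then
    echo "CA certificate or key file not found. Creating new CA"
    # Generate CA-Private Key
    openssl genrsa 2048 > "$ca_dir/ca-key.pem"
    # Anyone who can read this key can issue certificates your machines will trust
    chmod 600 "$ca_dir/ca-key.pem"
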
    # Generate CA certificate     
    openssl req -new -x509 -nodes -days 365000 \
        -key "$ca_dir/ca-key.pem" \
        -out "$ca_dir/ca-cert.pem" \
        -subj "/C=$CA_COUNTRY_Code/ST=$ca_stateOrProvinceName/L=$ca_localityName/O=$ca_comp_Name/OU=$ca_orgUnitName/CN=$CA_NAME"
fi

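# Server Key and request
# (-days only applies to certificates, so it is not set on the request)
openssl req -newkey rsa:2048 -nodes \
   -keyout "$cert_dir/server-key.pem" \
   -out "$cert_dir/server-req.pem" \
   -subj "/C=$COUNTRY_Code/ST=$stateOrProvinceName/L=$localityName/O=$company_Name/OU=$organizationalUnitName/CN=$NAME/emailAddress=$csr_email" \
   -config <(cat <<-EOF
[req]
distinguished_name = dn
req_extensions = v3_req

[dn]
# Left empty: the subject comes from -subj. Some OpenSSL versions refuse a config without this section.
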
[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.${NAME}
DNS.2 = piserver.local
IP.1 = 127.0.0.1
IP.2 = 10.100.112.254
EOF
)

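# Generate X509 Certificate for the server
# -CAcreateserial gives each certificate its own serial number (tracked in a .srl file);
# with a fixed serial, Firefox rejects a second certificate issued by the same CA
openssl x509 -req -days 365000 -CAcreateserial \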
   -in "$cert_dir/server-req.pem" \
   -out "$cert_dir/server-cert.pem" \
   -CA "$ca_dir/ca-cert.pem" \
   -CAkey "$ca_dir/ca-key.pem" \
   -extfile <(echo "subjectAltName = DNS:*.${NAME}, DNS:piserver.local, IP:127.0.0.1, IP:10.100.112.254")
# Testing certs:
openssl verify -CAfile "$ca_dir/ca-cert.pem" \
   "$ca_dir/ca-cert.pem" \
   "$cert_dir/server-cert.pem"

# To add them to the CA approved list in linux:
# sudo cp ca-cert.pem /usr/local/share/ca-certificates/ca-cert001.crt
# sudo update-ca-certificates

Now just use the server.key file (server-key.pem from the script) as the Key part and server.crt (server-cert.pem from the script) as the Certificate.
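Before uploading the pair, it is worth checking which names the certificate really covers, because the SAN list in the script decides that, not the CN. The following is an added example, not part of the original script: it builds a throwaway CA and server certificate in a temporary folder with the same SAN list, and the function names (make_demo_pki, name_ok, key_matches) are made up for this sketch.

```shell
#!/bin/sh
# Added example. SAN list copied from the page's script (NAME=vm.com);
# the CA and server certificate below are throwaway, constructed for the demo.
SAN="DNS:*.vm.com, DNS:piserver.local, IP:127.0.0.1, IP:10.100.112.254"

# make_demo_pki DIR: create a demo CA and a server cert carrying $SAN in DIR.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca-key.pem" -out "$d/ca-cert.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vm.com" \
        -keyout "$d/server-key.pem" -out "$d/server-req.pem" 2>/dev/null &&
    printf 'subjectAltName = %s\n' "$SAN" > "$d/san.ext" &&
    openssl x509 -req -days 1 -in "$d/server-req.pem" -CAcreateserial \
        -CA "$d/ca-cert.pem" -CAkey "$d/ca-key.pem" \
        -extfile "$d/san.ext" -out "$d/server-cert.pem" 2>/dev/null
}

# name_ok DIR NAME: succeed only if server-cert.pem chains to the CA in DIR
# and its SAN covers NAME (DNS name or IPv4 address).
name_ok() {
    case $2 in
        *[!0-9.]*) opt=-verify_hostname ;;  # anything but digits and dots
        *)         opt=-verify_ip ;;
    esac
    openssl verify -CAfile "$1/ca-cert.pem" "$opt" "$2" \
        "$1/server-cert.pem" >/dev/null 2>&1
}

# key_matches DIR: succeed if server-key.pem belongs to server-cert.pem.
key_matches() {
    a=$(openssl x509 -in "$1/server-cert.pem" -noout -pubkey) || return 1
    b=$(openssl pkey -in "$1/server-key.pem" -pubout) || return 1
    [ "$a" = "$b" ]
}

# Demo: which names would a client accept for this certificate?
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d) && make_demo_pki "$tmp" && key_matches "$tmp" &&
    for n in app.vm.com vm.com a.b.vm.com piserver.local 10.100.112.254 10.0.0.1; do
        if name_ok "$tmp" "$n"; then echo "covered      $n"
        else echo "NOT covered  $n"; fi
    done
    rm -rf "$tmp"
fi
```

The wildcard entry covers app.vm.com but not the bare vm.com or a.b.vm.com, even though the CN is vm.com. If the bare domain is served too, add DNS:vm.com to both SAN lists in the script.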
To make it recognized on your computer, on Windows just double-click the certificate and install it as a Root Authority for the computer (if you know you have access to an admin account).
Alternatively, you can use the command line to add the certificate on Windows:

certutil -addstore -enterprise Root server.crt


You should also import this certificate into your web browser; usually you can search the browser's settings for "Cert", and there you will have the option to import it as a Root Authority.
Then just close the web browser, and when you reopen it the website should be *secure.

For Linux you can import the certificate with these commands:

# Debian and Ubuntu:
sudo mkdir -p /usr/local/share/ca-certificates/extra
sudo cp server.crt /usr/local/share/ca-certificates/extra/root.cert.crt
sudo update-ca-certificates

# Fedora
sudo cp server.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

A self-signed certificate may still not work in Mozilla Firefox; for that you would need to disable the check:
- in a new tab go to:
   about:config
- here search for:
   network.stricttransportsecurity.preloadlist
- it will probably be set to "true"; you need to change it to "false" and restart the Mozilla browser for it to take effect. (This preference controls whether Firefox uses its built-in HSTS preload list.)