In this issue of the Katkay Dev Weekly Newsletter we will show how to correctly generate TLS certificates for your Unix, Linux, macOS or Microsoft IIS servers that will be used in conjunction with iOS, iPadOS, macOS, tvOS or watchOS devices.
In order to be able to make secure connections from Apple devices to your server, the first thing you need is to correctly generate the TLS certificates and install them correctly on your servers. These certificates need to be generated in a specific way, or it will not work. Specially if they are Microsoft IIS servers.
This is how you generate self-signed certificates from macOS:
- Open macOS’s terminal.
- Make sure you have openssl installed on your mac.
- Type the following on terminal from the current directory you are working and press ENTER, to copy the default openssl’s configuration file to the directory you are currently using on terminal. You are about to modify this file suit your server details:
- Edit openssl.conf, to something like that:
- Type the following on terminal and press ENTER to generate the private key:
openssl genrsa -des3 -out private.key 4096
- To generate the Certificate Authority Request, type the following on terminal and press ENTER:
123456789101112131415openssl req \-newkey rsa:4096 \-x509 \-nodes \-keyout private.key \-new \-out myServerCA.crt \-subj /CN=**YOUR-MAIN-SERVER-ADDRESS** \-reqexts SAN \-extensions SAN \-config <(cat ./openssl.cnf \<(printf '[SAN]\nsubjectAltName=DNS:**YOUR-MAIN-SERVER-ADDRESS**')) \-sha256 \-days 825 \-extensions 'req_ext'</code></p></li>
days 825 is required if you are using self-signed certificates. Apple devices will not work with self-signed certificates with expiring dates bigger than 825 days.
- Now that you have the certificate authority request created, you can create the binary TLS certificate. Type the following on terminal and press ENTER:
openssl pkcs12 -export -out myTLS.p12 -inkey private.key -in myServerCA.crt
cp /etc/ssl/openssl.cnf .
[ req ]
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
req_extensions = req_ext
[ req_distinguished_name ]
countryName = **YOUR-COUNTRY-2-DIGIT-LETTER**
countryName_min = 2
countryName_max = 2
stateOrProvinceName = **YOUR-CITY**
localityName = **YOUR-CITY**
0.organizationName = **YOUR-ORGANIZATION-NAME**
organizationalUnitName = **THE-DEPARTMENT-INSIDE-YOUR-COMPANY**
commonName = **YOUR-SERVER-ADDRESS**
commonName_max = 64
emailAddress = **YOUR-EMAIL**
emailAddress_max = 64
[ req_attributes ]
challengePassword = password
challengePassword_min = 4
challengePassword_max = 20
[ req_ext ]
subjectAltName = @alt_names
extendedKeyUsage = serverAuth
DNS.1 = **YOUR-SERVER-ADDRESS-1**
DNS.2 = **YOUR-SERVER-ADDRESS-2**
Fill all fields with **. Do not change the other fields.
**YOUR-SERVER-ADDRESS** can be any domain or subdomain on the web or your intranet, for example, example.com or server.myserver.local. br> **YOUR-SERVER-ADDRESS-1** is the same as **YOUR-SERVER-ADDRESS**. We recommend to make **YOUR-SERVER-ADDRESS-2** equal to your domain without the subdomain. If you have more alternative domains, add more lines like DNS.3, DNS.4, etc.
Once you have the configuration file correct, lets generate the private key for the TLS certificate.
All you need to know if you want to sponsorship this newsletter, in the following link.