# How to use self-signed certificates?

- If you want to use https in your local dev setup and you don't want to generate public certificates with Let's Encrypt or something similar.
- NEVER use self-signed certificates in production unless you absolutely know what you are doing!
## How it works

Entities you should be aware of:

- private CA - a private certificate authority that can issue TLS certificates. Since it is not a publicly recognized CA, (almost) nobody will trust the certificates it issues - but you can teach OPAL to trust that CA's certificates.
- localserver - a local program serving https:// with a certificate that was issued by the "private" CA.
- opal-client - can be directed to fetch data from localserver, and can be told to trust the private CA's certificates.
## How to generate self-signed certificates

- Generate a private key for the "private" CA:

```sh
openssl genrsa -des3 -out ca-private-key.key 2048
```

- Generate a public key / certificate for the "private" CA:

```sh
openssl req -x509 -new -nodes -key ca-private-key.key -sha256 -days 365 -out ca-public.crt
```

- Generate a private key for the "localserver" service:

```sh
openssl genrsa -out localserver-private.key 2048
```

- Generate a certificate request signed by the "localserver" private key.
  NOTE: when prompted for the Common Name, you must specify the FQDN of the host running the (self-signed) https service, e.g.:

```sh
openssl req -new -key localserver-private.key -out localserver-request.csr
```

- Your "private" CA signs the certificate request and generates a valid certificate for localserver (self-signed in the sense that it chains to your own CA rather than a public one):

```sh
openssl x509 -req -in localserver-request.csr -CA ca-public.crt -CAkey ca-private-key.key -CAcreateserial -out localserver-cert.crt -days 365 -sha256
```
## Configuring a uvicorn service to use the private certificate as its HTTPS certificate

```sh
uvicorn myservice.main:app --reload --port=8000 --ssl-keyfile=localserver-private.key --ssl-certfile=localserver-cert.crt
```
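As an added example (not part of the OPAL docs or the OPAL project's own scripts), the procedure above as a non-interactive POSIX shell script, plus the two checks a TLS client performs on the result: the localserver certificate must chain to `ca-public.crt`, and it must be rejected when that CA is not trusted. It also adds a `subjectAltName`, because modern TLS clients match the hostname against the SAN rather than the Common Name. Assumptions: `openssl` is on `PATH`, the hostname defaults to `localhost` (pass the real FQDN of your https service instead; it must match the host in the `https://` URL you later configure), and the CA key is written unencrypted instead of with the page's `-des3`, so the script can run unattended.

```shell
#!/bin/sh
# Added example, not from the OPAL docs: the certificate procedure above,
# run non-interactively, plus the checks a TLS client performs.
# Assumes: `openssl` on PATH. Hostname defaults to "localhost" (an assumption;
# pass the real FQDN of your https service as the second argument).

# Create the private CA and a CA-signed certificate for localserver in $1.
# File names match the ones used in the docs above.
make_selfsigned_chain() {
    dir="$1"
    host="${2:-localhost}"
    mkdir -p "$dir" || return 1

    # 1. Private CA key. The docs' -des3 variant prompts for a passphrase;
    #    it is omitted here so the script can run unattended.
    openssl genrsa -out "$dir/ca-private-key.key" 2048 2>/dev/null || return 1

    # 2. Self-signed CA certificate: the trust anchor you later give opal-client.
    openssl req -x509 -new -nodes -key "$dir/ca-private-key.key" -sha256 -days 365 \
        -subj "/CN=Local Dev CA" -out "$dir/ca-public.crt" || return 1

    # 3. Key and certificate request for localserver; CN carries the FQDN.
    openssl genrsa -out "$dir/localserver-private.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/localserver-private.key" \
        -subj "/CN=$host" -out "$dir/localserver-request.csr" || return 1

    # 4. The CA signs the request. Modern clients match the hostname against
    #    subjectAltName rather than CN, so that extension is added here.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext" || return 1
    openssl x509 -req -in "$dir/localserver-request.csr" \
        -CA "$dir/ca-public.crt" -CAkey "$dir/ca-private-key.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/localserver-cert.crt" \
        -days 365 -sha256 2>/dev/null || return 1
}

# What a client that trusts ca-public.crt checks: the leaf chains to the
# private CA and is valid for the hostname in the URL. Returns 0 on success.
verify_chain() {
    openssl verify -CAfile "$1/ca-public.crt" -verify_hostname "${2:-localhost}" \
        "$1/localserver-cert.crt" >/dev/null 2>&1
}

# What a client that does NOT trust the private CA sees: verification against
# the system trust store fails. Returns 0 when the leaf is (correctly) rejected.
rejected_without_private_ca() {
    ! openssl verify "$1/localserver-cert.crt" >/dev/null 2>&1
}
```

Usage: `make_selfsigned_chain ./certs my-dev-host.local && verify_chain ./certs my-dev-host.local` produces `certs/localserver-private.key` and `certs/localserver-cert.crt`, which drop straight into the uvicorn command above, and `certs/ca-public.crt`, which is the file the client side needs. `rejected_without_private_ca ./certs` returning 0 is the normal state of any client that has not yet been pointed at `ca-public.crt`, which is exactly why the next two sections exist.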
## Configuring a data entry (via OPAL_DATA_CONFIG_SOURCES) to redirect to the self-signed https service

Run OPAL server with:

## Teaching the opal-client to respect the self-signed certificate

Run OPAL client with:

If you run OPAL client with docker - don't forget to mount /path/to/ca-public.crt into the container (e.g. as a docker volume), so the client can read the CA certificate at that path.