==== How to create your own CA root certificate ====

**Self-signed certificates are pretty bad overall**, even worse when served **over the internet**. You can't easily tell whether the certificate you are about to **exceptionally trust** is yours, or **faked by your government or ISP**.

So, how do you solve this? By creating your **own CA certificate** and importing it either into your system trust store or into Firefox's independent CA certificate list.

This turns a **self-signed** TLS warning into a **shining green lock**, which ensures the connection to your server is **not tampered with**. If it does get tampered with, a warning will appear in your browser and you will **easily notice someone is modifying** your TLS handshake.

**Why not use** a Let's Encrypt certificate? Well, **there are cases** where the service you want to **expose on the internet is merely private** (e.g. a Nextcloud, a music server, documentation) and there is **no public domain name** pointing to your server, just a **local DNS server** or a custom **/etc/hosts** entry.

After some background on why/when using **your own CA cert** is needed, **let's get started!!**

==== Create your CA root certificate ====

First, we need to **create our CA signing key** (used to create certificates signed by US).
**Please use a strong passphrase!!**

<code bash>
openssl genrsa -aes256 -out AGUAKTECH.key 4096
</code>

**Create the pem** (crt) file for your CA cert (**valid for 10 years**):

<code bash>
openssl req -x509 -new -nodes -key AGUAKTECH.key -sha256 -days 3650 -out AGUAKTECH.pem
</code>

==== Create a self-signed certificate for your application ====

Generate a **new private key** for our server/domain:

<code bash>
openssl genrsa -out yourdomain.com.key 4096
</code>

Generate a **san.cnf signing request config** and fill in your domain information (save it as yourdomain.com.san.cnf, the file name the next step uses):

<code>
[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
# you can choose to use a wildcard or not
#CN = *.yourdomain.com
CN = yourdomain.com
O = Your Domain
OU = Your Domain
L = Los Angeles
ST = California
C = EU

[ req_ext ]
subjectAltName = DNS:*.yourdomain.com, DNS:yourdomain.com
</code>

Now create a **CSR (signing request)** from the san.cnf config file you just created:

<code bash>
openssl req -new -config yourdomain.com.san.cnf -nodes -key yourdomain.com.key -out yourdomain.com.csr
</code>

==== Sign your CSR with your CA cert key ====

Given the **CSR generated above** (by us), **sign the certificate** with the CA key to generate a crt file:

<code bash>
# Expiration time
# paranoid: 1 year max
# normal: 2-3 years
# stupid: 10 years
#
# -extfile/-extensions copy the subjectAltName from the config into the signed
# certificate; without them "openssl x509 -req" drops the CSR extensions and
# browsers reject a certificate that carries no SAN
openssl x509 -req -in yourdomain.com.csr -CA AGUAKTECH.pem -CAkey AGUAKTECH.key -CAcreateserial -extfile yourdomain.com.san.cnf -extensions req_ext -out yourdomain.com.crt -days 365 -sha256
</code>

==== Install the generated certificate ====

**Certificate installation** steps on Firefox:
  - Upload the **yourdomain.com.crt** file to some HTTP server (optional)
  - **Browse** to the HTTP resource, or open it locally via **file:///path/to/yourdomain.com.crt**
  - **Check both** "trust this CA" boxes, for websites and for email. **Enjoy!**

**Certificate installation** steps on a Debian-based Linux system (optional):

<code bash>
# copy the .pem file to a .crt file in the appropriate path
# (update-ca-certificates only picks up files whose name ends in .crt)
cp AGUAKTECH.pem /usr/local/share/ca-certificates/AGUAKTECH.crt
# update system certificates automatically
update-ca-certificates
</code>

==== Things to consider on Reverse Proxies ====

  * **Nginx and Apache** let you specify both the **.crt and the .key** file in **different directives**.
  * **HAProxy** uses a packed .pem file which **contains the .crt and .key** file all in one (**cat yourdomain.com.crt yourdomain.com.key > yourdomain.com.pem**)
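As an added end-to-end check (an example script written for this page, not part of the original article), the following runs the steps above in a scratch directory and then verifies that the signed certificate really chains to the root and really carries the subjectAltName. It assumes the openssl CLI is installed; the CA key is left unencrypted here only so the script runs unattended, which you should not do for a real CA key.

```shell
#!/bin/sh
# Added example: build root CA -> SAN CSR -> signed leaf, then verify it.
# All file and subject names below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# 1. CA key and self-signed root (no passphrase so the demo is unattended;
#    a real CA key should be generated with -aes256 and a strong passphrase)
openssl genrsa -out AGUAKTECH.key 4096 2>/dev/null
openssl req -x509 -new -key AGUAKTECH.key -sha256 -days 3650 \
  -subj "/CN=AGUAKTECH Root CA/O=AGUAKTECH" -out AGUAKTECH.pem

# 2. Server key, SAN config and CSR (same layout as the article's san.cnf)
openssl genrsa -out yourdomain.com.key 4096 2>/dev/null
cat > yourdomain.com.san.cnf <<'EOF'
[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = yourdomain.com
O = Your Domain
[ req_ext ]
subjectAltName = DNS:*.yourdomain.com, DNS:yourdomain.com
EOF
openssl req -new -config yourdomain.com.san.cnf -key yourdomain.com.key \
  -out yourdomain.com.csr

# 3. Sign with the CA. -extfile/-extensions are what carry the SAN over;
#    leaving them out yields a certificate browsers will refuse.
openssl x509 -req -in yourdomain.com.csr -CA AGUAKTECH.pem -CAkey AGUAKTECH.key \
  -CAcreateserial -days 365 -sha256 \
  -extfile yourdomain.com.san.cnf -extensions req_ext -out yourdomain.com.crt

# Returns 0 only if the leaf validates against the root AND has the SAN.
check_cert() {
  openssl verify -CAfile AGUAKTECH.pem yourdomain.com.crt >/dev/null &&
  openssl x509 -in yourdomain.com.crt -noout -ext subjectAltName |
    grep -q 'DNS:yourdomain.com'
}
check_cert && echo "leaf chains to AGUAKTECH root and carries the SAN"
```

Run `openssl x509 -in yourdomain.com.crt -noout -text` afterwards to eyeball the issuer, validity window and the X509v3 Subject Alternative Name block.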