Installing Local Certificate Authority for testing purposes.

I wanted to create a proxy from a wss connection to a plain ws connection, but I did not want to touch my production environment.

So I created a local certificate authority on my own private computer.

This is how I did it (on Oracle Enterprise Linux, which is CentOS/RedHat based):

(First start with a root login)

  • vi /etc/yum.repos.d/epel-yum-ol7.repo
[ol7_epel]
name=Oracle Linux $releasever EPEL ($basearch)
baseurl=http://yum.oracle.com/repo/OracleLinux/OL7/developer_EPEL/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1
  • yum repolist

  • yum -y install easy-rsa

Create a non-root user and switch to it:

  • useradd myrsa

  • passwd myrsa

  • su - myrsa

(add the user to sudoers)

  • mkdir ~/easy-rsa

  • ln -s /usr/share/easy-rsa/3/* ~/easy-rsa/

  • chmod 700 ~/easy-rsa

  • cd ~/easy-rsa
  • ./easyrsa init-pki

  • vi vars

set_var EASYRSA_REQ_COUNTRY    "NL"
set_var EASYRSA_REQ_PROVINCE   "MyProv"
set_var EASYRSA_REQ_CITY       "MyCity"
set_var EASYRSA_REQ_ORG        "MyOrg"
set_var EASYRSA_REQ_EMAIL      "admin@localhost"
set_var EASYRSA_REQ_OU         "Community"
set_var EASYRSA_ALGO           "ec"
set_var EASYRSA_DIGEST         "sha512"
  • ./easyrsa build-ca nopass
. . .
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
. . .
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
~/easy-rsa/pki/ca.crt
  • cat ~/easy-rsa/pki/ca.crt

Other server: the web server (or the same system; in my case it was the same system)

  • vi /tmp/ca.crt
    paste the contents of the ca.crt you created earlier

  • sudo cp /tmp/ca.crt /etc/pki/ca-trust/source/anchors/

  • sudo update-ca-trust

Make the private key for the web server (2048-bit RSA, stated explicitly rather than relying on the openssl default):

  • openssl genrsa -out webserver.key 2048

Certificate signing request (CSR):

  • openssl req -new -key webserver.key -out webserver.req

Verify:

  • openssl req -in webserver.req -noout -subject

  • cat webserver.req
    -----BEGIN CERTIFICATE REQUEST-----
    ....

Transport this request (webserver.req) to the CA server

  • vi /tmp/webserver.req
    paste - webserver.req from other server
  • cd ~/easy-rsa
  • ./easyrsa import-req /tmp/webserver.req webserver
  • ./easyrsa sign-req server webserver
    Enter: Yes

Certificate created at: .../webserver.crt

  • cat ~/easy-rsa/pki/issued/webserver.crt

-----BEGIN CERTIFICATE-----

Take this certificate to the webserver

  • vi /tmp/webserver_ca.crt
    Paste certificate
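The CA, CSR and signing steps above, as an added example that is not part of the original post and does not use easy-rsa: it drives openssl directly so the whole chain can be built and checked in one run. The work directory, file names, subject values and validity period are assumptions of the script. The server certificate gets a subjectAltName of DNS:webserver, because browsers match the host name against the SAN rather than the CN, and verify_for_host checks the chain for a given name so a mismatch shows up before the browser is involved. export_browser_trust shows what the client actually needs to import: the CA certificate alone, without the CA private key.

```sh
#!/bin/sh
# Added example, not code from the original post: the CA -> CSR -> signed
# server certificate flow done with plain openssl instead of easy-rsa.
# WORK, the file names and the DN values are assumptions of this script.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory

# Minimal openssl config: one extension set for the CA, one for the server.
# The SAN is what a browser matches the host name against, not the CN.
write_config() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = NL
O = MyOrg
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:webserver
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# Step 1 (build-ca): EC key, sha512, self-signed CA certificate.
make_ca() {
    write_config
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
    openssl req -new -x509 -sha512 -days 365 -key "$WORK/ca.key" \
        -config "$WORK/openssl.cnf" -extensions v3_ca \
        -subj "/C=NL/O=MyOrg/CN=Local Test CA" -out "$WORK/ca.crt"
}

# Step 2 (web server side): RSA key and a CSR with CN=webserver.
make_server_csr() {
    openssl genrsa -out "$WORK/webserver.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/webserver.key" \
        -config "$WORK/openssl.cnf" \
        -subj "/C=NL/O=MyOrg/CN=webserver" -out "$WORK/webserver.req"
}

# Step 3 (sign-req server): the CA signs the CSR and supplies the server
# extensions itself; extensions requested in the CSR are not copied.
sign_server_cert() {
    openssl x509 -req -sha256 -days 365 -in "$WORK/webserver.req" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions v3_server \
        -out "$WORK/webserver.crt" 2>/dev/null
}

# Returns 0 only if webserver.crt chains to ca.crt AND is valid for host $1.
verify_for_host() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
        "$WORK/webserver.crt" >/dev/null 2>&1
}

# What the browser needs to trust the CA: the CA certificate alone, here in
# DER form (what the Windows certificate manager imports). No key leaves the CA.
export_browser_trust() {
    openssl x509 -in "$WORK/ca.crt" -outform DER -out "$WORK/ca.der"
}

make_ca
make_server_csr
sign_server_cert
verify_for_host webserver && echo "chain OK for https://webserver (files in $WORK)"
export_browser_trust
```

Run it as-is; it prints the scratch directory holding ca.crt, ca.der, webserver.key and webserver.crt. Calling verify_for_host with any other name than webserver fails, which is exactly what a browser would report if the hosts-file entry and the SAN did not agree.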

WebServer (root)

  • cp /tmp/webserver_ca.crt /etc/pki/tls/certs/webserver_ca.crt
  • cp webserver.key /etc/pki/tls/private/webserver.key
  • chmod 600 /etc/pki/tls/private/webserver.key
  • yum -y install httpd mod_ssl
    (mod_proxy, mod_proxy_http, mod_proxy_wstunnel and mod_rewrite, used further down, are part of the httpd package itself and are loaded by the files in /etc/httpd/conf.modules.d/; they are not separate yum packages)
  • vi /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/tls/certs/webserver_ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/webserver.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

  • service httpd restart

Importing CA in Browser

In order for the client to trust the server, it must also trust the CA that signed the server certificate.

Generate a file you can import in a browser:

  • cd /home/myrsa/easy-rsa
  • openssl pkcs12 -export -in pki/ca.crt -inkey pki/private/ca.key -out browser.pfx

Note that a PFX built this way also contains the CA private key (pki/private/ca.key). The browser only needs the public CA certificate to trust the CA, so importing pki/ca.crt on its own gives the same result and keeps the CA key on the CA host.

Browser / Client

Client computer:
C> pscp root@ca_server:/home/myrsa/easy-rsa/browser.pfx Downloads

Add the name 'webserver' to your hosts file so it resolves to the web server:

C> notepad c:\windows\system32\drivers\etc\hosts
192.168.0.12 webserver

Open browser

  • chrome://settings/security?search=certificat
    Go to certificate management and import the PFX into the Trusted ROOT CERTIFICATES

You can now make a secure connection to the webserver:

https://webserver

Proxy Forward

  • vi /etc/httpd/conf.d/ssl.conf
    Add the block below to the file.

To make sure that all non-browser traffic goes to a specific port, I open port 8567 instead of 443. Apache only binds that port if ssl.conf also contains a matching Listen line, so it is included in the block. On a system with SELinux enforcing, httpd must additionally be allowed to use the non-standard port (semanage port -a -t http_port_t -p tcp 8567) and to open outbound connections for the proxy (setsebool -P httpd_can_network_connect 1).

  Listen 8567 https
  <VirtualHost *:8567>
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/webserver_ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/webserver.key
    SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

    RewriteEngine On
    # Only requests carrying a WebSocket upgrade header are proxied.
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    # Port 3567 is where the docker container is listening; the target is the
    # loopback address on this host, not 0.0.0.0.
    RewriteRule ^/(.*)    ws://127.0.0.1:3567/$1 [P,L]
  </VirtualHost>

My docker is started like this:

  • docker run --name=col -h col --dns=8.8.8.8 -p 3567:3567 -v /home/root:/home/extern/ -t -d oel /bin/bash

The -p 3567:3567 port forward sends traffic arriving on host port 3567 into the docker container, where colyseus is listening on 3567 as well.

Firewall is completely open on my private server.
This should never be done for global servers. But for global servers you really need a non-self-signed certificate.

You now have a secure connection to the server and it will proxy the stream to the docker. Inside the docker (colyseus-code) nothing has to be altered!