💾 Archived View for thrig.me › tech › self-signed-certificate.gmi captured on 2023-03-20 at 18:36:24. Gemini links have been rewritten to link to archived content
```sh
#!/bin/sh
# -x509: emit a self-signed certificate rather than a signing request
# -days 99999: very long validity, so clients that remember the certificate
#   do not see it expire; -nodes: leave the private key unencrypted
openssl req -x509 -newkey rsa:4096 -sha256 -days 99999 -nodes \
  -keyout host.key -out host.cert -subj "/CN=thrig.me" -addext \
  "subjectAltName=DNS:thrig.me,IP:104.207.156.138,IP:2001:19f0:8001:143b:5400:4ff:fe1a:8ed6"
```
The important points here are the very long validity period, which suits Gemini because clients remember the certificate they first saw, provided you remember to back up the key and certificate somewhere. The subject and subjectAltName fields suit self-signed certificate use, though it may make more sense to create a certificate authority, have your software trust that authority, and then sign all your test certificates with it.
IP addresses that change a lot might be problematic for something like Gemini, in which case leave them out of the subjectAltName.
Exactly what a self-signed certificate needs may change over time (the above is probably current as of around 2022) and again depends on what the software you are using needs. Gemini does not need much, while certain "heavyweight champion" software may need all sorts of fields set.
The -sha256 may need to change to a stronger signature digest in the future; certainly weaker choices such as MD5 should not be used in this day and age.