💾 Archived View for dressupgeekout.com › tips › create-certificate-howto.gmi captured on 2024-02-05 at 09:35:41. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-12-28)

-=-=-=-=-=-=-

HOWTO Create a certificate for hosting your own Gemini server

I am hosting gemini://dressupgeekout.com on my own computer (a Raspberry Pi running NetBSD). I happen to be using the Twins server software, but no matter what, the Gemini protocol requires that content be served with TLS (Transport Layer Security). That means you need to create your own certificate. Let me show you what I had to do.

We're going to use openssl(1). I learned that OpenSSL is very finicky about this first step: we need to give OpenSSL default values regarding certificate requests. So I've made a file `openssl.cnf` with some initial contents:

[req]
distinguished_name = Your Name

[Your Name]
C = US
ST = CA
L = Santa Cruz
CN = cooldomain.net
emailAddress = someone@myplace.com

I'm not entirely sure what's a good value for `distinguished_name` but I just used my real life first and last name. The point is, the title of the next section (denoted with brackets `[]`) has the same value.

Then you fill in some info. Most of it is optional. I think the only *absolutely* required field is CN ("Canonical Name"). What I've shown you isn't even every field you *could* fill in, but at least they're easy questions to answer:

• "C" stands for "country", you provide a 2-letter country code
• "ST" stands for "state", I've provided the code for California
• "L" stands for "locality", this usually means city.
• The "emailAddress" is simply a contact email address.

Like I said, CN is the most important one. Its value needs to literally be the domain name of your Gemini capsule. This is directly related to the security of the Gemini protocol ("I'm trying to visit foo.com but you're giving me a certificate that says it's for somwhere-else.com, what gives?")

Now you have to install this `openssl.cnf` to some place where OpenSSL will look. On my NetBSD machine, that's simply `/etc/openssl/openssl.cnf`.

FINALLY we can run some openssl(1) commands. We're going to create a few files. I've decided to name these files after the hostname of the Gemini server itself ("antlers" here).

First, we need to create a RSA private key:

$ openssl genrsa -out antlers.key

Then we make a certificate signing request:

$ openssl req -new -key antlers.key -out antlers.csr

OpenSSL will ask for user input at this stage. In my experience, you have to *again* type in all the information we typed in earlier, despite the prompts. Basically, any time OpenSSL suggests a default value, type it in again.

Then we create the new certificate and sign it with the private key. In this example, the certificate is valid for 1 year (365 days):

$ openssl x509 -req -days 365 -in antlers.csr -signkey antlers.key -out antlers.cert

That's it!

Your Gemini server software will require that you provide a key (that's "antlers.key") and a certificate (that's "antlers.cert") -- good thing you already read this article!