When generating self signed SSL/TLS certs, we should be including the `-trustout` switch #2027

JedMeister · 2025-01-22T02:57:35Z

Currently our [turnkey-make-ssl-cert])https://github.com/turnkeylinux/turnkey-ssl/blob/master/turnkey-make-ssl-cert) script generate certificates with the content like this:

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

However, at least newer versions of nginx expect self signed certs be include "TRUSTED". I.e.:

-----BEGIN TRUSTED CERTIFICATE-----
[...]
-----END TRUSTED CERTIFICATE-----

I can confirm that manually making that change allows nginx to serve via https. My reading suggests that using the -trustout switch when calling openssl will automatically do that. E.g. (this is an example I found online):

openssl req -trustout -x509 -newkey rsa:4096 -sha256 -nodes -keyout privkey.pem -out fullchain.pem -days 3650

The text was updated successfully, but these errors were encountered:

JedMeister added bug core labels Jan 22, 2025

JedMeister added this to the 19.0 milestone Jan 22, 2025

JedMeister added the turnkey-ssl TurnKey script to generate self signed SSL/TLS certs label Jan 22, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

When generating self signed SSL/TLS certs, we should be including the `-trustout` switch #2027

When generating self signed SSL/TLS certs, we should be including the `-trustout` switch #2027

JedMeister commented Jan 22, 2025

When generating self signed SSL/TLS certs, we should be including the -trustout switch #2027

When generating self signed SSL/TLS certs, we should be including the -trustout switch #2027

Comments

JedMeister commented Jan 22, 2025

When generating self signed SSL/TLS certs, we should be including the `-trustout` switch #2027

When generating self signed SSL/TLS certs, we should be including the `-trustout` switch #2027