Merged
22 changes: 22 additions & 0 deletions README.md
Expand Up @@ -31,6 +31,28 @@ php artisan sail-ssl:install

After containers started, you can access https://localhost.

## Trust the certificate (optional)

The plugin generates a local Root CA certificate to sign the server certificate.
You can import the Root CA into your browser to remove the security warning.

### 1. Copy the Root CA certificate to your host machine:

```sh
./vendor/bin/sail cp nginx:/etc/nginx/certs/root-ca.crt .
```

### 2. Import the certificate:

- **Chrome**: Settings > Privacy and Security > Security > Manage certificates > Authorities > Import
- **Firefox**: Settings > Privacy & Security > Security > View Certificates > Authorities > Import
- **macOS**: Double-click the `root-ca.crt` file to open Keychain Access, then set "Always Trust"

> **Note:** If you change `SSL_DOMAIN` or `SSL_ALT_NAME`, remove the Docker volume `sail-nginx` to regenerate certificates:
> ```sh
> docker volume rm sail-nginx
> ```

## Environment variables

- `SERVER_NAME`
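Review bot: The regeneration note (the `docker volume rm sail-nginx` block) should also tell users to re-import the Root CA afterwards: `generate-ssl-cert.sh` regenerates `root-ca.crt` together with the server certificate whenever the certs are missing, so the CA imported under step 2 no longer matches the new server certificate and the browser warning comes back. Suggest ending the note with "then repeat steps 1 and 2, since the Root CA is regenerated as well." It is also worth saying explicitly that only `root-ca.crt` (the public certificate) should be copied out of the container; `root-ca.key` in the same directory is the CA private key and should stay in the volume, and the copied `root-ca.crt` in the project root belongs in `.gitignore` rather than in a commit.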
38 changes: 28 additions & 10 deletions nginx/generate-ssl-cert.sh
@@ -1,20 +1,38 @@
#!/bin/sh

ME=$(basename $0)
KEY=/etc/nginx/certs/server.key
CERT=/etc/nginx/certs/server.pem
CERTS_DIR=/etc/nginx/certs
ROOT_KEY=$CERTS_DIR/root-ca.key
ROOT_CERT=$CERTS_DIR/root-ca.crt
KEY=$CERTS_DIR/server.key
CERT=$CERTS_DIR/server.pem
CSR=$CERTS_DIR/server.csr
EXT_FILE=$CERTS_DIR/server-ext.cnf
CN=$SSL_DOMAIN
SAN=$SSL_ALT_NAME

if [ -f $KEY ] && [ -f $CERT ]; then
echo "$ME: Server certificate already exists, do nothing."
else
if [ -n "$SAN" ]; then
openssl req -x509 -newkey rsa:2048 -keyout $KEY \
-out $CERT -sha256 -days 3650 -nodes -subj "/CN=$CN" -addext "subjectAltName = $SAN"
else
openssl req -x509 -newkey rsa:2048 -keyout $KEY \
-out $CERT -sha256 -days 3650 -nodes -subj "/CN=$CN"
fi
echo "$ME: Server certificate has been generated."
openssl req -x509 -newkey rsa:2048 -keyout $ROOT_KEY -out $ROOT_CERT \
-sha256 -days 3650 -nodes -subj "/CN=$CN Root CA"

openssl req -newkey rsa:2048 -keyout $KEY -out $CSR \
-nodes -subj "/CN=$CN"

{
echo "basicConstraints = CA:FALSE"
echo "keyUsage = digitalSignature, keyEncipherment"
echo "extendedKeyUsage = serverAuth"
if [ -n "$SAN" ]; then
echo "subjectAltName = $SAN"
fi
} > $EXT_FILE

openssl x509 -req -in $CSR -CA $ROOT_CERT -CAkey $ROOT_KEY \
-CAcreateserial -out $CERT -sha256 -days 3650 -extfile $EXT_FILE

rm -f $CSR $EXT_FILE $CERTS_DIR/root-ca.srl
echo "$ME: Root CA and server certificate have been generated."
echo "$ME: Import $ROOT_CERT into your browser to trust the certificate."
fi
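Review bot: The existence check `if [ -f $KEY ] && [ -f $CERT ]; then` only looks at the server key and certificate, so a `sail-nginx` volume created by the previous version of this script (which produced only `server.key`/`server.pem`) is reported as "already exists", keeps its old self-signed certificate, and never gets a `root-ca.crt`; the README's `sail cp nginx:/etc/nginx/certs/root-ca.crt .` step then fails. Suggest `if [ -f $KEY ] && [ -f $CERT ] && [ -f $ROOT_CERT ]; then`, or regenerating everything when the root CA is absent. Two smaller points in the same hunk: the extension file only writes `subjectAltName` when `SSL_ALT_NAME` is set, but current browsers ignore the CN and require a SAN, so emit `subjectAltName = DNS:$CN` by default and append `$SAN` when it is given; and `-days 3650` on the server certificate exceeds the 825-day limit Apple enforces for TLS server certificates since macOS 10.15, so Safari rejects it even with the Root CA trusted; keep 3650 for the root and use something like `-days 825` for the leaf.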