This article details using the XCA (available for at least Linux, Windows, and MacOS for creating and managing SSL certificates) software package (it is a GUI) for creating private SSL certificates for enabling end-to-end SSL on non-public servers (e.g. where Let’s Encrypt / Certbot don’t make sense or are not an option).
The usual way for your OS (e.g. on Windows, from the ‘Start’ Menu, on GNOME on Linux, click on the XCA icon in you ‘Applications’ screen, etc).
This will open a window prompting for a database. If this is is to be a new certificate store (e.g. the first time using XCA or you want a separate store for new certificates) you should create one, otherwise select an existing database and enter the password for it.
Create a Self-Signed CA (Certificate Authority)
NB Any application that will be using SSL to access a server using a certificate signed by this private CA will need to be told to trust the private CA. This varies with application, so where I use this in other articles, I provide instructions for the particular application in use.
Export the CA’s public key (.crt)
Create a server certificate and private key
Repeat ‘Add’ in this dialogue for every name (DNS) or IP by which the server will be accessed using SSL. If there none besides the CN (Common Name) , then none need to be added.
Copy the Exported Files to Your Server and/or Clients
You will need to copy the at least the server private key and certificate to you server (details are application dependent so for articles on this site will be covered in the article for the application).
Clients will need the CA certificate and possibly need to per-app configuration to use it. As with the server certificate and key, for articles on this site the details will be covered in the article for the application).
Prepare Your User Clients to Use SSL To the Server
NB This is for certificates for web servers, git server, etc where a desktop user will need to access the server via SSL.
Because we are using a private CA your browser and other desktop clients need to be told to trust the private CA.
On any Debian/Ubuntu workstation that needs to access the private CA, copy the private CA certificate (e.g. ca-private.example.com) to /usr/local/share/ca-certificates and execute update-ca-certificates
Also on any Debian/Ubuntu workstation for which Firefox needs to access the server: