Angel's Blog 2026-05-13T17:57:14Z Angel Copyright 2026, Angel SPHPBLOG SSL/TLS: Wildcard Certificate Generation 
# Create root CA
[acool@localhost tls]$openssl req --x509 --nodes --days 3650 --newkey rsa:2048 --keyout ENT-CA.key --out ENT-CA.crt

# Crate new key and signing request (Tip: remove --aes256 to remove passphrase requirement... I think)
Passphrase: mypassphrase
[acool@localhost tls]$openssl genrsa --out star-dev-localhost.key --aes256 2048
[acool@localhost tls]$openssl req --new --key star-dev-localhost.key --out star-dev-localhost.csr

# Sign request
[acool@localhost tls]$openssl x509 --req --in star-dev-localhost.csr --CA ENT-CA.crt --CAkey ENT-CA.key --CAcreateserial --days 3650 --sha256 --extfile star-dev-localhost.cnf --out star-dev-localhost.crt

# remove passphrase
[acool@localhost tls]$openssl rsa --in star-dev-localhost.key --out star-dev-localhost-nopassphrase.key

[acool@localhost tls]$ cat star-dev-localhost.cnf 
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.dev.localhost
[acool@localhost tls]$
[acool@localhost tls]


# finally, import ENT-CA.crt certificate in Chrome
# chrome://settings/certificates


Configure Nginx:
...
listen 443 ssl;
ssl_certificate /etc/ssl/certs/star-dev-localhost.crt;
ssl_certificate_key /etc/ssl/certs/star-dev-localhost-nopassphrase.key;
...
]]> https://angelcool.net/sphpblog/blog_index.php?entry=entry231116-031450 2023-11-16T00:00:00Z 2023-11-16T00:00:00Z Generate wildcard TLS certificate with Let's Encrypt and Acme.sh export GD_Key="XXXXXXXXX"
export GD_Secret="YYYYYYYY"

 # install acme.sh
[root@cia ~]#curl https://get.acme.sh | sh
...
[root@cia ~] # generate certificate
[root@cia ~] acme.sh --issue -d angelcool.net -d '*.angelcool.net' --dns dns_gd
[root@cia ~]
[root@cia ~] # install certificate where it can be read by nginx/apache server.
[root@cia ~] acme.sh --install-cert -d angelcool.net  --key-file /etc/pki/tls/certs/wildcard-angelcool.net.key  --fullchain-file /etc/pki/tls/certs/wildcard-angelcool.net.cert --reloadcmd "service nginx force-reload"
[root@cia ~]
[root@cia ~] # configure acme.sh auto upgrade
[root@cia ~] acme.sh --upgrade --auto-upgrade

Docs:
https://github.com/acmesh-official/acme.sh

The script also adds an entry to crontab for auto renewal.

Good luck!]]> https://angelcool.net/sphpblog/blog_index.php?entry=entry200804-224615 2020-08-04T00:00:00Z 2020-08-04T00:00:00Z Nginx: Setting Up HTTP authentication
Place the following two entries in nginx configuration file:

auth_basic "Restricted";                                
auth_basic_user_file /var/www/mywebsite.com/.htpasswd;

Eg:
  location / {
      root   /var/www/mywebsite.com;
      index  index.html index.htm;
      auth_basic "Restricted";                                #For Basic Auth
      auth_basic_user_file /var/www/mywebsite.com/.htpasswd;  #For Basic Auth
  }


The .htpasswd must contain:
username:password

Generate the password with this command:
[root@IBM ~]#printf "USERNAME:$(openssl passwd -crypt PASSWORD)\n" >> htpasswd
]]> https://angelcool.net/sphpblog/blog_index.php?entry=entry140508-172212 2014-05-09T00:00:00Z 2014-05-09T00:00:00Z