More Than Just Web Design

Trusting Your Own Authority

Posted: 15/10/22

When migrating the pestilence that is Wordpress to a new server, it's sometimes handy to use a virtual host with the same domain name, to avoid the mess that otherwise splashes on your shoes when Wordpress inevitably tries to reference its embedded domain settings. While faking the DNS is easy, faking SSL is not so much.

The issue we sometimes face is that we're required to extract or otherwise extricate a Wordpress install from a borked host, or other unsatisfactory provider and restore it on to a new server. We don't always have control of the DNS at this time, since it's a data recovery exercise.

Unfortunately, Wordpress has a habit of saving the domain that it's running on all through the database. Yes, you can change it in the dashboard config, or hard-code it in the wp-config file, but you will still find places where the exceptionally poor data model that Wordpress' database uses stores serialised data, domain included, in the database.

Add to that the fact that most if not all permalinks are full URLs, not relative, and you've got a problem. The simplest way out of this, then, is to make sure the virtual host you're running it on matches the original. Changing the DNS via the hosts file is the simple part, but these days most sites use SSL, and that can be a lot more fun, particularly if you don't yet have the ability to generate a free SSL certificate or control the actual DNS to generate a domain-validated certificate.

How to solve this issue then? Become your own Certificate Authority!

Becoming a Certificate Authority is actually pretty simple. It boils down to a couple of commands with OpenSSL. First generate a private key:

openssl genrsa -des3 -out JeRoCA.key 2048

Next, generate a root certificate:

openssl req -x509 -new -nodes -key JeRoCA.key -sha256 -days 1825 -out JeRoCA.pem

Congratulations! You're now a Certificate Authority.

The next critical step is to import your CA certificate into each of your devices that you want to use your target certificate with. There are various tutorials around the web for that.

Assuming you have now trusted your certificate authority in your browser, the next step is to generate the certificate for the domain that Wordpress is hanging on to for grim death. Just to be different, we'll use example.com as our domain.

You'll need to prepare a small text file, v3.ext with the following content:

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectAltName         = DNS:example.com,DNS:*.example.com
issuerAltName          = issuer:copy

Now you'll need to generate a private key for the example.com domain:

openssl genrsa -out example.com.key 2048

...and now a certificate signing request:

openssl req -new -key example.com.key -out example.com.csr

And now you sign your life away:

openssl x509 -req -in example.com.csr -CA JeRoCA.pem -CAkey JeRoCA.key \
-CAcreateserial -out example.com.crt -days 825 -sha256 -extfile v3.ext

The last remaining step is to update your webserver config to use the example.com certificate and key.
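The whole procedure above, scripted end to end and followed by the checks a browser effectively makes (chains to the imported CA, hostname matches a SAN entry, CA:FALSE), as an added example that is not part of the original post. It assumes openssl is on PATH and reuses the post's file names (JeRoCA, example.com); the CA key is generated without the -des3 passphrase only so the script runs unattended.

```shell
#!/bin/sh
# Added example, not from the original post: the post's CA and leaf-cert
# steps run unattended, then the result is checked the way a browser would.
# Assumes openssl on PATH; file names follow the post (JeRoCA, example.com).

# make_local_chain DIR: build CA + example.com cert in DIR, verify, print OK.
make_local_chain() {
    d="$1"; mkdir -p "$d" || return 1
    # CA key: the post encrypts it with -des3; omitted here so no passphrase
    # prompt blocks the script. Keep a real CA key encrypted and off the box.
    openssl genrsa -out "$d/JeRoCA.key" 2048 2>/dev/null || return 1
    openssl req -x509 -new -nodes -key "$d/JeRoCA.key" -sha256 -days 1825 \
        -subj "/CN=JeRo Local Dev CA" -out "$d/JeRoCA.pem" || return 1
    # Leaf extensions, the post's v3.ext: not a CA, and a SAN for the site.
    cat > "$d/v3.ext" <<'EOF'
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectAltName         = DNS:example.com,DNS:*.example.com
issuerAltName          = issuer:copy
EOF
    openssl genrsa -out "$d/example.com.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$d/example.com.key" -subj "/CN=example.com" \
        -out "$d/example.com.csr" || return 1
    openssl x509 -req -in "$d/example.com.csr" -CA "$d/JeRoCA.pem" \
        -CAkey "$d/JeRoCA.key" -CAcreateserial -out "$d/example.com.crt" \
        -days 825 -sha256 -extfile "$d/v3.ext" 2>/dev/null || return 1
    # What the browser checks: chains to the imported CA, hostname matches
    # a SAN entry (CN alone is ignored by modern clients), and CA:FALSE.
    openssl verify -CAfile "$d/JeRoCA.pem" -verify_hostname www.example.com \
        "$d/example.com.crt" >/dev/null || return 1
    openssl x509 -in "$d/example.com.crt" -noout -text > "$d/leaf.txt" || return 1
    grep -q 'DNS:example.com, DNS:\*.example.com' "$d/leaf.txt" || return 1
    grep -q 'CA:FALSE' "$d/leaf.txt" || return 1
    echo "OK"
}

# Usage: sh thisfile.sh --run   (files land in a fresh temp directory)
if [ "${1:-}" = "--run" ]; then
    make_local_chain "$(mktemp -d)"
fi
```

If the verify step fails after you edit v3.ext, it is almost always the SAN line: browsers match the hostname against subjectAltName only, so a certificate with just a CN will be rejected even though it chains correctly.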

...and for the record, this process is entirely for development/test sites and won't work on any other device except the one(s) you imported your CA cert into.