[HOWTO] Create an OpenSSL certificate for your local Nextcloud instance that you can install on your phone

You can add the SSL certificate from your Nextcloud instance to the trusted credentials on your phone. Once it is installed you will no longer be asked to verify the certificate. This also fixes the bug in the Notes app where you can’t accept the certificate and the app crashes. If you haven’t set up an SSL certificate for your Nextcloud yet, I recommend doing that for security reasons. I will briefly explain how to redirect your requests to HTTPS and use SSL (with Apache2) at the end of this post.

To get the certificate working on Android you have to add some extensions to the certificate.

You have to set:
basicConstraints = CA:TRUE
Otherwise the certificate will not be added to the trusted credentials on your phone.

You also have to specify the IP address of your Nextcloud server in the certificate. This is done by setting a “Subject Alternative Name” (SAN).

You can do all of this by using a modified openssl config file.

I will now explain how to set up such a certificate. You might have to use sudo if you create the certificate outside your home folder.
Start by copying the OpenSSL config file to your certificate folder:

cp /etc/ssl/openssl.cnf /var/www/example.com/cert/modified_openssl.cnf

Now open the copied config, look for the [ req ] section and uncomment the following line:

req_extensions = v3_req

If there is no such line, add one.
This makes sure our next section, [ v3_req ], is read and used.
In the [ v3_req ] section, add the following line:

subjectAltName = @alt_names

Also set:

basicConstraints = CA:TRUE

It will look like:

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

Finally add a new section called [ alt_names ] towards the end of the file with the local IP address of your Nextcloud.

[ alt_names ]
IP.1 = 10.10.10.100

Replace 10.10.10.100 with your IP address and save the changes.

Now we can create a certificate with this config.
Start by generating a private key (a 4096-bit key is not required):

openssl genrsa -out server.key 4096

Next, we will generate a CSR (certificate signing request) using the private key above and our modified copy of the OpenSSL config file.

openssl req -new -key server.key -out server.csr -config modified_openssl.cnf -sha256

Here you have to type in the IP address you specified in the [ alt_names ] section as Common Name (otherwise the Nextcloud app won’t accept the certificate).

The last step is to create the self-signed certificate by typing:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt -extensions v3_req -extfile modified_openssl.cnf

This will make the certificate last for 365 days.
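The three OpenSSL steps above, collected into one script so the result can be checked before it is copied to the phone. This is an added example and not part of the original post: instead of copying /etc/ssl/openssl.cnf it writes a minimal config containing only the [ req ], [ v3_req ] and [ alt_names ] settings described above, uses prompt = no so the Common Name is filled in from the config rather than typed at the CSR prompt, and uses a 2048-bit key. The output directory and the IP 10.10.10.100 are constructed values. The check_cert function verifies exactly what the phone and the Nextcloud app need (CA:TRUE, the IP as SAN, the IP as CN).

```shell
#!/bin/sh
# Added example (not from the original post): generate a self-signed
# certificate for a local Nextcloud with the extensions the post describes.
# Assumptions: output directory and IP are constructed; prompt = no and a
# 2048-bit key are choices of this example.
set -eu

# make_local_cert DIR IP : writes modified_openssl.cnf, server.key,
# server.csr and server.crt into DIR, following the genrsa / req / x509
# steps from the post.
make_local_cert() {
    dir="$1"; ip="$2"
    mkdir -p "$dir"
    cat > "$dir/modified_openssl.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
CN = $ip

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:TRUE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[ alt_names ]
IP.1 = $ip
EOF
    # 1. private key
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # 2. CSR; the CN comes from the config because prompt = no
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -config "$dir/modified_openssl.cnf" -sha256
    # 3. self-signed certificate carrying the v3_req extensions
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" -extensions v3_req -extfile "$dir/modified_openssl.cnf" 2>/dev/null
    # The phone will trust this certificate as a CA, so whoever holds the
    # key can issue certificates the phone trusts: keep it readable by root only.
    chmod 600 "$dir/server.key"
}

# check_cert CRT IP : returns 0 only if CRT has basicConstraints CA:TRUE,
# IP as a subjectAltName and IP as its Common Name; prints the reason
# for failure otherwise.
check_cert() {
    crt="$1"; ip="$2"
    text=$(openssl x509 -in "$crt" -noout -text)
    echo "$text" | grep -q 'CA:TRUE' \
        || { echo "missing basicConstraints CA:TRUE"; return 1; }
    echo "$text" | grep -q "IP Address:$ip" \
        || { echo "missing subjectAltName IP $ip"; return 1; }
    openssl x509 -in "$crt" -noout -subject | grep -q "CN *= *$ip" \
        || { echo "Common Name is not $ip"; return 1; }
    echo "ok: $crt carries CA:TRUE, SAN IP $ip and CN $ip"
}

# Usage (constructed values):
# make_local_cert /var/www/example.com/cert 10.10.10.100
# check_cert /var/www/example.com/cert/server.crt 10.10.10.100
```

Run check_cert on the finished server.crt before installing it on the phone; if it reports a missing SAN or CN, the phone will install the certificate but the Nextcloud app will still reject the connection. Because the installed certificate is marked CA:TRUE, the matching server.key deserves the same protection as a CA key: keep it on the server only, owned by root with mode 600.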

To install the certificate on your phone, simply copy it to the phone and tap it, or go to Settings->Security->Encryption and credentials->Install from SD card.

The following is a quick SSL setup for your Nextcloud.
To redirect your requests to HTTPS and use an SSL certificate you have to enable the apache2 modules rewrite and ssl and edit the apache2 config:

sudo a2enmod rewrite
sudo a2enmod ssl

Edit /etc/apache2/sites-available/000-default.conf so that it looks something like this:

<VirtualHost *:80>
	DocumentRoot /var/www/example.com
	<IfModule mod_rewrite.c>
	     RewriteEngine On
	     RewriteCond %{HTTPS} off
	     RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
	</IfModule>
</VirtualHost>
<IfModule mod_ssl.c>
	<VirtualHost *:443>
		DocumentRoot /var/www/example.com
		SSLEngine on
		SSLCertificateFile /var/www/example.com/cert/server.crt
		# A self-signed certificate has no chain, so no SSLCertificateChainFile is needed
		SSLCertificateKeyFile /var/www/example.com/cert/server.key
	</VirtualHost>
</IfModule>

Thanks for reading!
