
Configure GitLab with a Self Signed SSL Certificate and Root CA Certificate

This article goes over the steps required to create a root CA certificate and a self signed server certificate for installation on a GitLab Linux server. A self signed certificate is a good fit for a small organization or personal use where the server sits on a private network. If the server is meant to be reachable on the open internet, consider purchasing an SSL certificate signed by a known authority or using a free service such as Let's Encrypt.

The root certificate will need to be installed on each device that accesses the server, so that the self signed certificate is trusted by your browser or whatever other software talks to the server. Here is an excellent tutorial on how to install a root CA on many operating systems and devices.

Create the root CA certificate
Follow these steps to create your own root certificate authority certificate. After generating the certificates, place the .key file in a safe location such as LastPass. The .key file is the private secret that is needed every time you generate a new self signed certificate. The .crt file can be shared with others who need to access servers that carry your self signed certificate; it is the file that must be installed on their devices so the self signed certificate is trusted.

openssl genrsa -aes256 -out your_rootCA.key 4096

openssl req -x509 -new -nodes -key your_rootCA.key -sha256 -days 3650 -out your_rootCA.crt -subj '/CN=Your Root CA/C=YourCountry/ST=YourState/L=YourCity/O=Your Organization'

Create a GitLab SSL certificate

GitLab requires the self signed certificate file names to match the hostname. In this example we use If you do not have a domain, use the server name.

openssl req -new -nodes -out -newkey rsa:4096 -keyout -subj '/CN=Gitlab Server/C=YourCountry/ST=YourState/L=YourCity/O=Your Organization'

Next you will need to create a v3 extension (ext) file carrying the subjectAltName (SAN) properties. This lets the certificate cover multiple names, such as the server name and domain name, along with the static IP address of the server.

cat > gitlab.v3.ext << EOF
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = yourserver.local
DNS.2 =
IP.1 =
EOF

Next create the server certificate using the v3 ext file. In this example we set the validity to 825 days, the maximum that macOS accepts for a TLS server certificate. If you set a higher number, macOS will reject the certificate because of its certificate lifetime limits.

openssl x509 -req -in -CA your_rootCA.crt -CAkey your_rootCA.key -CAcreateserial -out -days 825 -sha256 -extfile gitlab.v3.ext
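The CA and server steps above run end to end, followed by the checks worth doing before copying anything to /etc/gitlab/ssl. This is an added example, not the article's own script; the hostname, IP address and subject names are constructed placeholders, and the root key is left unencrypted so the script can run unattended.

```shell
#!/usr/bin/env bash
# Added example, not the article's own script: issue a SAN server cert
# from a throwaway root CA and run the checks worth doing before the
# files go to /etc/gitlab/ssl. Hostname, IP and subjects are constructed.
set -e

# Usage: issue_and_verify <dns-name> <ip> <workdir>. Runs in a subshell
# so 'cd' and failures stay contained; exits 0 only when the chain
# verifies, both SANs are present and the lifetime is within 825 days.
issue_and_verify() (
  host="$1"; ip="$2"; dir="$3"; days=825
  mkdir -p "$dir" && cd "$dir"
  # Root CA. The article protects this key with -aes256; the passphrase
  # is omitted here so the script can run unattended.
  openssl genrsa -out rootCA.key 2048 2>/dev/null
  openssl req -x509 -new -key rootCA.key -sha256 -days 3650 \
    -addext 'basicConstraints=critical,CA:TRUE' \
    -out rootCA.crt -subj '/CN=Example Root CA/O=Example' 2>/dev/null
  # Server key and CSR, named after the hostname as GitLab expects.
  openssl req -new -nodes -newkey rsa:2048 -keyout "$host.key" \
    -out "$host.csr" -subj "/CN=$host/O=Example" 2>/dev/null
  # v3 extension file. The [alt_names] section header is mandatory:
  # without it @alt_names points at nothing and signing fails.
  cat > "$host.v3.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = $host
IP.1 = $ip
EOF
  openssl x509 -req -in "$host.csr" -CA rootCA.crt -CAkey rootCA.key \
    -CAcreateserial -out "$host.crt" -days "$days" -sha256 \
    -extfile "$host.v3.ext" 2>/dev/null
  # Check 1: the leaf chains to our root. A client without the root
  # installed reports the article's "Verify return code: 21" instead.
  openssl verify -CAfile rootCA.crt "$host.crt" >/dev/null
  # Check 2: both SAN entries made it into the certificate.
  text=$(openssl x509 -in "$host.crt" -noout -text)
  printf '%s' "$text" | grep -q "DNS:$host"
  printf '%s' "$text" | grep -q "IP Address:$ip"
  # Check 3: -checkend exits 0 if the cert is still valid N seconds from
  # now, so it must survive 824 days but not 826 (macOS limit is 825).
  openssl x509 -in "$host.crt" -noout -checkend $((824 * 86400)) >/dev/null
  if openssl x509 -in "$host.crt" -noout -checkend $((826 * 86400)) >/dev/null; then
    echo "lifetime exceeds 825 days" >&2; exit 1
  fi
)
```

Run it as `issue_and_verify gitlab.example.local 192.0.2.10 /tmp/gitlab-certs`; a non-zero exit means one of the three checks failed and the files should not be deployed.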

Configure GitLab

Now that the server SSL certificates are generated, you can install them on GitLab with a few steps.

1. Edit /etc/gitlab/gitlab.rb and set the external_url to your domain. Note the https in the URL:

    external_url ""

2. Create the /etc/gitlab/ssl directory and copy your key and certificate there:

    sudo mkdir -p /etc/gitlab/ssl
    sudo chmod 755 /etc/gitlab/ssl
    sudo cp /etc/gitlab/ssl/

3. Reconfigure GitLab:

    sudo gitlab-ctl reconfigure

Updating Git checkouts

Now that you have configured GitLab to use https, it will no longer serve over http. If you have local checkouts using the http repository origin, you will need to update each of them manually to https:

git remote set-url origin

If you run into trouble, you can use this command to see the contents of the certificates along with any error messages:

echo Q | openssl s_client -showcerts -verify 5 -connect

If you see this message:

Verify return code: 21 (unable to verify the first certificate)

It means that you need to install the root CA certificate on the device you ran this troubleshooting command on. Check the guide linked at the top of this article for how to do this on a number of platforms. If you happen to be on a Linux server of the RHEL/CentOS family (the paths and the update-ca-trust tool below are specific to those distributions), you can run these commands to install the root CA:

openssl x509 -in your_rootCA.crt -out your_rootCA.pem -outform PEM
sudo mv your_rootCA.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
