networking:ssl-own-ca, revision 2023/04/01 20:27 by oscar compared with revision 2023/04/02 16:39 (current) by oscar; edited section: Creating CA-Signed Certificates for Your Dev Sites
====== SSL CA Authority for Local HTTPS ======
When you generate a self-signed certificate the browser doesn't trust it, because it hasn't been signed by a CA the browser knows. The way around this is to generate our own root certificate and private key, add that root certificate to every device we own once, and from then on every server certificate we sign with it is trusted by those devices. Protect the CA private key accordingly: anyone holding it can issue a certificate for any hostname, public sites included, that all of those devices will accept. Keep it encrypted with a passphrase and off the servers that use the certificates it signs.

In the example below we create a wildcard certificate for our local domain (home.lan). A wildcard such as *.home.lan matches exactly one label: www.home.lan is covered, but home.lan itself and a.b.home.lan are not; if you need the bare domain, add DNS:home.lan as a second Subject Alternative Name.
  
===== CA Key and Certificate =====
==== Step 1: Create the CA Private Key ====
To generate the private key for the local CA, execute the command below. You will be asked for a passphrase; it encrypts the key on disk and is needed every time you sign a certificate. -des3 is the legacy PEM cipher; -aes256 is the modern equivalent and is accepted by the same command.
  openssl genrsa -des3 -out Home-CA.key 2048
Line 24: Line 25:
-rw-------  1 oscar oscar 1743 Apr  1 21:52 Home-CA.key
</code>
==== Step 2: Generate the CA Root Certificate ====
Next, we generate a root certificate signed with the key from Step 1. -nodes only affects a newly generated key; since we supply an existing encrypted key, openssl still prompts for its passphrase and the key stays encrypted. You will then be asked for the subject fields. Give the CA a recognisable Common Name (for example Home-CA), because that is what you will look for in the trust store later, and it should differ from the subject you give to server certificates so the two are not confused when building chains.
  openssl req -x509 -new -nodes -key Home-CA.key -sha256 -days 15000 -out Home-CA.pem
Line 47: Line 48:
You should now have two files: Home-CA.key (the CA private key) and Home-CA.pem (the root certificate). You are now a CA.
  
===== Creating CA-Signed Certificates for the Internal LAN =====
With the CA key and certificate in place we can sign certificates for any internal sites that need HTTPS.
==== Step 1: Create a Private Key ====
First, we create a private key for the site. We name the key after the site's domain name; this is not required, but it makes the files easier to manage when you have several sites. The server key is written unencrypted because the web server must read it at start-up, so keep it readable only by root (or the service user) on the server.
  openssl genrsa -out internal.server.key 2048
==== Step 2: Generate the CSR (certificate signing request) ====
Then we create a CSR. Do not add -extensions v3_ca here: that section of openssl.cnf requests CA extensions for what is a server certificate, contradicting the CA:FALSE we set in Step 3, and openssl x509 -req ignores extensions carried in the CSR anyway; the extensions come from the -extfile in Step 4.
  openssl req -new -key internal.server.key -out internal.server.csr
You'll get all the same questions as you did above and, again, most of the answers don't matter, because browsers identify the server by the Subject Alternative Name we add in Step 3, not by the subject fields. Give it a Common Name that differs from the CA's, though, so the two certificates are not confused in listings and chain building.
<code>
Line 90: Line 78:
An optional company name []:
</code>
==== Step 3: Create an extensions file to specify the subjectAltName ====
Finally, we create an X.509 v3 extension file, which defines the Subject Alternative Name (SAN) of the certificate. Modern browsers require a SAN and ignore the Common Name, so this file is what makes the certificate valid for our hostnames. It also marks the certificate as a leaf (CA:FALSE) and restricts it to TLS server use (extendedKeyUsage=serverAuth), which limits the damage if the server key leaks. Create a file called internal.server.ext containing:
<code>
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=DNS:home.lan,DNS:*.home.lan
</code>
==== Step 4: Generate the Certificate using the CSR ====
We use openssl x509 with -req, which signs the CSR with the CA key and applies the extensions from the -extfile; this is the step that turns the SAN in internal.server.ext into a field of the issued certificate. I originally found this answer on Stack Overflow.

Line 106: Line 91:
  openssl x509 -req -in internal.server.csr -CA Home-CA.pem -CAkey Home-CA.key -CAcreateserial -out internal.server.crt -days 825 -sha256 -extfile internal.server.ext
You will be prompted for the CA key passphrase. -CAcreateserial writes Home-CA.srl, the serial-number counter; keep it next to the CA so later certificates get distinct serial numbers. The validity is 825 days rather than the 15000 used for the root: Apple platforms (iOS 13 / macOS 10.15 and later) reject TLS server certificates valid for longer than 825 days even when the root is one you installed yourself, and a shorter leaf lifetime costs nothing since re-signing is a single command. We now have three files: internal.server.key (the private key), internal.server.csr (the certificate signing request) and internal.server.crt (the signed certificate). We can configure local web servers to use HTTPS with the private key and the signed certificate.
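As an added example that is not part of the original page: the whole procedure above (CA key and root, then server key, CSR, extension file and signing) as one non-interactive POSIX shell script, followed by the checks a practitioner would run before deploying. It assumes openssl 1.1.1 or later on the PATH; the domain home.lan, the CA name Home-CA, the placeholder passphrase, the scratch directory and the 825-day leaf validity are assumptions, not values from the page. It goes slightly beyond the page by passing the subjects with -subj and the CA extensions through a small config file instead of answering prompts, and by listing the bare domain next to the wildcard.

```shell
#!/bin/sh
# Added example, not code from the original page: the CA and server-certificate
# steps run non-interactively, followed by the checks worth running before
# deploying. Assumes openssl 1.1.1 or 3.x on PATH. The domain (home.lan), the
# CA name (Home-CA) and the passphrase are placeholders; change them.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, skipping" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"                  # scratch directory for all files
DOMAIN="${DOMAIN:-home.lan}"
CA_PASS="${CA_PASS:-correct horse battery staple}"   # placeholder passphrase

# Minimal openssl config: an empty DN section (we pass -subj instead of being
# prompted) and explicit CA extensions for the self-signed root.
write_config() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Steps 1 and 2 of "CA Key and Certificate": passphrase-protected CA key
# (AES-256 in place of the legacy -des3) and a self-signed root.
make_ca() {
    openssl genrsa -aes256 -passout "pass:$CA_PASS" \
        -out "$WORK/Home-CA.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/Home-CA.key" -passin "pass:$CA_PASS" \
        -config "$WORK/openssl.cnf" -subj "/CN=Home-CA" \
        -sha256 -days 3650 -out "$WORK/Home-CA.pem"
}

# Steps 1 to 4 of "Creating CA-Signed Certificates": server key, CSR,
# extension file with the SAN, and signing with the CA. The wildcard covers
# one label only, so the bare domain is listed as a second SAN entry.
issue_server_cert() {
    openssl genrsa -out "$WORK/internal.server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/internal.server.key" \
        -config "$WORK/openssl.cnf" -subj "/CN=*.$DOMAIN" \
        -out "$WORK/internal.server.csr"
    cat > "$WORK/internal.server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=DNS:$DOMAIN,DNS:*.$DOMAIN
EOF
    # 825 days: the longest leaf validity Apple platforms accept.
    openssl x509 -req -in "$WORK/internal.server.csr" \
        -CA "$WORK/Home-CA.pem" -CAkey "$WORK/Home-CA.key" -passin "pass:$CA_PASS" \
        -CAcreateserial -days 825 -sha256 \
        -extfile "$WORK/internal.server.ext" -out "$WORK/internal.server.crt" 2>/dev/null
}

# Returns 0 when the server certificate chains to the root, is usable as a
# TLS server certificate (key usage / EKU) and is valid for host name $1.
verify_for_host() {
    out=$(openssl verify -CAfile "$WORK/Home-CA.pem" -purpose sslserver \
        -verify_hostname "$1" "$WORK/internal.server.crt" 2>&1) || return 1
    case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Prints the SAN and validity period, the two things to eyeball before deploying.
show_cert() {
    openssl x509 -in "$WORK/internal.server.crt" -noout -ext subjectAltName -dates
}

write_config
make_ca
issue_server_cert
show_cert
for h in "www.$DOMAIN" "$DOMAIN" "a.b.$DOMAIN" "evil.example"; do
    if verify_for_host "$h"; then echo "valid for $h"; else echo "NOT valid for $h"; fi
done
```

Run it as-is to see which host names the certificate is valid for: the final loop shows that *.home.lan covers www.home.lan, that the bare domain is only covered because it was listed explicitly, and that a.b.home.lan and an unrelated name fail. Outside a demonstration, replace pass: with -passin file: or interactive prompting, since a passphrase on the command line is visible in the process list.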

===== Installing Your Root Certificate =====
To be trusted by the devices we own, we need to add the root certificate to every laptop, desktop, tablet and phone that accesses our HTTPS sites. This is a bit of a pain, but we only have to do it once: the root certificate stays valid until it expires. Install only Home-CA.pem, never Home-CA.key; the key should not leave the machine you sign on.

Adding the Root Certificate to Linux

There are many Linux distributions; these instructions cover Debian/Ubuntu. If it isn't already installed, install the **ca-certificates** package.
  sudo apt-get install -y ca-certificates
Copy the Home-CA.pem file to the **/usr/local/share/ca-certificates** directory as Home-CA.crt (the .crt extension is required, and the file must be PEM).
  sudo cp Home-CA.pem /usr/local/share/ca-certificates/Home-CA.crt
Update the certificate store.
  sudo update-ca-certificates
You can test that the certificate has been installed by listing the subjects in the system bundle and searching for the Common Name you gave the CA in Step 2:
  awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep '<your CA Common Name>'
If it's installed correctly, you'll see the subject line of the root certificate, in this form (the values are whatever you entered in Step 2, not these):
  subject=C = US, ST = Springfield State, L = Springfield, O = Hellfish Media, OU = 7G, CN = Hellfish Media, emailAddress = abraham@hellfish.media
This covers OpenSSL-based programs such as curl, wget and apt. Chrome/Chromium on Linux read the NSS database in $HOME/.pki/nssdb (certutil from libnss3-tools can import into it) and Firefox keeps its own store in the profile; import the root there through the browser's certificate manager and restart the browser, otherwise those browsers will still show the site as untrusted.
  
  
networking/ssl-own-ca.1680380839.txt.gz · Last modified: by oscar