Differences

This shows you the differences between two versions of the page.

--- networking:ssl-own-ca [2023/04/02 16:08] – oscar
+++ networking:ssl-own-ca [2023/04/02 16:39] (current) – [Creating CA-Signed Certificates for Your Dev Sites] oscar
@@ Line 1: / Line 1: @@
-====== Own SSL CA Authority for Local HTTPS ======
+====== SSL CA Authority for Local HTTPS ======
 When you generate a self-signed certificate the browser doesn’t trust it. It hasn’t been signed by a CA. The way to get around this is to generate our own root certificate and private key. We then add the root certificate to all the devices we own just once, and then all the self-signed certificates we generate will be inherently trusted.
+In the example below we create wild card certificates for our local domain (home.lan).
 ===== CA Key and Certificate =====
-==== Step 1: Create private key for local CA Certificate ====
+==== Step 1 : Create the CA Private Key ====
 To generate the private key to become a local CA execute:
   openssl genrsa -des3 -out Home-CA.key 2048
@@ Line 24: / Line 25: @@
 -rw-------  1 oscar oscar 1743 Apr  1 21:52 Home-CA.key
 </code>
-==== Step 2: Generate a root CA certificate ====
+==== Step 2: Generate the CA Root certificate ====
 Next, we generate a root certificate:
   openssl req -x509 -new -nodes -key Home-CA.key -sha256 -days 15000 -out Home-CA.pem
@@ Line 47: / Line 48: @@
 When you should see the following two files: Home-CA.key (your private key) and Home-CA.pem (your root certificate), you’re now a CA.
-===== Installing Your Root Certificate =====
+===== Creating CA-Signed Certificates for internal Lan =====
-To become a CA for the devices we own, we need to add the root certificate to any laptops, desktops, tablets, and phones that access your HTTPS sites. This can be a bit of a pain, but the good news is that we only have to do it once. Our root certificate will be good until it expires.
-Adding the Root Certificate to Linux
-There are so many Linux distributions, but Ubuntu/Debian is by far the most popular. Therefore these instructions will cover Ubuntu. If it isn’t already installed, install the **ca-certificates package**.
-  sudo apt-get install -y ca-certificates
-Copy the Home-CA.pem file to the **/usr/local/share/ca-certificates** directory as a Home-CA.crt file.
-  sudo cp ~/certs/myCA.pem /usr/local/share/ca-certificates/myCA.crt
-Update the certificate store.
-  sudo update-ca-certificates
-You can test that the certificate has been installed by running the following command:
-  awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep Hellfish
-If it’s installed correctly, you’ll see the details of the root certificate.
-  subject=C = US, ST = Springfield State, L = Springfield, O = Hellfish Media, OU = 7G, CN = Hellfish Media, emailAddress = abraham@hellfish.media#
-===== Creating CA-Signed Certificates for Your Dev Sites =====
 Now we’re a CA on all our devices and we can sign certificates for any new dev sites that need HTTPS.
 ==== Step 1: Create a Private Key ====
@@ Line 93: / Line 78: @@
 An optional company name []:
 </code>
+==== Step 3: Create extensions file to specify subjectAltName ====
 Finally, we’ll create an X509 V3 certificate extension config file, which is used to define the Subject Alternative Name (SAN) for the certificate. In our case, we’ll create a configuration file called internal.server.ext containing the following text:
 <code>
-authorityKeyIdentifier=keyid,issuer
 basicConstraints=CA:FALSE
-keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName=DNS:*.home.lan
-subjectAltName = @alt_names
+extendedKeyUsage=serverAuth
-[alt_names]
-DNS.1 = internal.server
 </code>
+==== Step 4: Generate the Certificate using the CSR ====
 We’ll be running openssl x509 because the x509 command allows us to edit certificate trust settings. In this case we’re using it to sign the certificate in conjunction with the config file, which allows us to set the Subject Alternative Name. I originally found this answer on Stack Overflow.
@@ Line 109: / Line 91: @@
   openssl x509 -req -in internal.server.csr -CA Home-CA.pem -CAkey Home-CA.key -CAcreateserial -out internal.server.crt -days 15000 -sha256 -extfile internal.server.ext
 We now have three files: internal.server.key (the private key), internal.server.csr (the certificate signing request, or csr file), and internal.server.crt (the signed certificate). We can configure local web servers to use HTTPS with the private key and the signed certificate.
+===== Installing Your Root Certificate =====
+To become a CA for the devices we own, we need to add the root certificate to any laptops, desktops, tablets, and phones that access your HTTPS sites. This can be a bit of a pain, but the good news is that we only have to do it once. Our root certificate will be good until it expires.
+Adding the Root Certificate to Linux
+There are so many Linux distributions, but Ubuntu/Debian is by far the most popular. Therefore these instructions will cover Ubuntu. If it isn’t already installed, install the **ca-certificates package**.
+  sudo apt-get install -y ca-certificates
+Copy the Home-CA.pem file to the **/usr/local/share/ca-certificates** directory as a Home-CA.crt file.
+  sudo cp ~/certs/myCA.pem /usr/local/share/ca-certificates/myCA.crt
+Update the certificate store.
+  sudo update-ca-certificates
+You can test that the certificate has been installed by running the following command:
+  awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep Hellfish
+If it’s installed correctly, you’ll see the details of the root certificate.
+  subject=C = US, ST = Springfield State, L = Springfield, O = Hellfish Media, OU = 7G, CN = Hellfish Media, emailAddress = abraham@hellfish.media#