Creating a Certificate Authority
Tired of the nag “Your communication is not private” on your HomeLab?
Certificates for your VMs with OpenSSL
Creating a self-signed certificate to secure network communications is a start. Now we go deeper and make all the parts, from the CA to the service certificate. See link to OpenSSL.
X.509 is an ITU standard defining the format of public key certificates. X.509 certificates are used in TLS/SSL, which is the basis for HTTPS. An X.509 certificate binds an identity to a public key using a digital signature. A certificate contains an identity (hostname, organization, etc.) and a public key (RSA, DSA, ECDSA, Ed25519, etc.), and is either signed by a Certificate Authority or self-signed.
OpenSSL is a powerful tool that you can use to manage your certificates.
First we create the CA key and certificate. Then we create certificates for our services; we can make them by IP address, by FQDN or as wildcards. Finally we add the root certificate to the trust store of our PC and browser.
The old default key size was 2048 bits, but today that isn't good enough any more, so we use 4096. The CA can be valid for more than a year (365 days): you could use 3650 (10 years), 5475 (15 years) or 7300 (20 years); you choose.
This approach involves a few steps:
- Make CA
- Make Certs
- Install CA on PC and Certs to Services
You may want to work in a separate directory, but you will ultimately need to move your SSL certificate and private key to a specific folder or modify your nginx configuration file accordingly.
You can use a GUI-based app (Apple and Linux), X - Certificate and Key management, but I use the CLI.
Generate the CA
Configuration files aren't needed for normal usage, but they are essential for complex operations such as root CA creation.
- Generate the CA key; you will be asked for a pass phrase, which protects the key on disk
openssl genrsa -aes256 -out myCA-key.pem 4096
- Generate the CA certificate, entering the same pass phrase when asked
openssl req -new -x509 -sha256 -days 3650 -key myCA-key.pem -out myCA.pem
Generate Certificates
Create an RSA key for the certificate
openssl genrsa -out cert100-key.pem 4096
Create a Certificate Signing Request (CSR)
openssl req -new -sha256 -subj "/CN=yourcn" -key cert100-key.pem -out cert100.csr
Set up the SAN extension file
We need a file with the names and addresses of the service we provide the certificate to. The entries are comma separated, and each one carries its type prefix (DNS: or IP:)
echo "subjectAltName=DNS:your.example.com,DNS:example.com,IP:10.10.40.100" >> vm100.ext
You can make one cert for all your sites:
nano mySAN.ext
subjectAltName=DNS:*.example.com,DNS:example.com
Warning! When a certificate contains alternative names, all common names are ignored. Newer certificates produced by CAs may not even include any common names. For that reason, include all desired hostnames in the alternative names list.
Create the certificate
openssl x509 -req -sha256 -days 3650 -in cert100.csr -CA myCA.pem -CAkey myCA-key.pem -out cert100.pem -extfile vm100.ext -CAcreateserial
Create a full chain certificate
cat cert100.pem > fullchain.pem
cat myCA.pem >> fullchain.pem
Verify Certificates
openssl verify -CAfile myCA.pem -verbose cert100.pem
If you need to, you can copy the PEM as CRT: cp myCA.pem myCA.crt
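The whole procedure above (CA key and certificate, SAN extension file, service key and CSR, CA-signed certificate, full chain, verification) as one non-interactive script. This is an added example, not code from the original post: the pass phrase, the CA subject, the hostnames vm100.example.com and example.com, and the file names (myCA.*, vm100.*, wild.*) are assumptions. It goes slightly beyond the post's commands in two ways: the extension file also carries basicConstraints, keyUsage and extendedKeyUsage, which mark the result as a non-CA TLS server certificate, and the verify step uses openssl verify -verify_hostname / -verify_ip to show what the warning about ignored common names means in practice, including the wildcard case from mySAN.ext (a wildcard covers one label only).

```shell
#!/bin/sh
# Added example, not code from the original post: CA -> SAN file -> CSR ->
# signed certificate -> full chain -> verify, as one script.
# Assumed/constructed: the pass phrase, the CA subject, the hostnames
# vm100.example.com and example.com, and the file names (myCA.*, vm100.*).
set -eu

KEY_BITS="${KEY_BITS:-4096}"         # the post recommends 4096
CA_PASS="${CA_PASS:-change-me-demo}" # constructed; pick your own
DAYS=3650                            # 10 years, as in the post

# CA key (AES-256 encrypted with the pass phrase) and self-signed CA cert.
make_ca() {
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out myCA-key.pem "$KEY_BITS"
  openssl req -new -x509 -sha256 -days "$DAYS" -subj "/CN=HomeLab Root CA" \
    -key myCA-key.pem -passin "pass:$CA_PASS" -out myCA.pem
}

# Extension file for one service. $1 = base name, $2 = SAN list, comma
# separated, every entry prefixed with DNS: or IP:. The three lines after
# subjectAltName mark the cert as a non-CA TLS server certificate.
make_ext() {
  {
    echo "subjectAltName=$2"
    echo "basicConstraints=CA:FALSE"
    echo "keyUsage=digitalSignature,keyEncipherment"
    echo "extendedKeyUsage=serverAuth"
  } > "$1.ext"
}

# Service key, CSR, CA-signed cert and full chain. $1 = base name, $2 = CN.
make_cert() {
  openssl genrsa -out "$1-key.pem" "$KEY_BITS"
  openssl req -new -sha256 -subj "/CN=$2" -key "$1-key.pem" -out "$1.csr"
  openssl x509 -req -sha256 -days "$DAYS" -in "$1.csr" \
    -CA myCA.pem -CAkey myCA-key.pem -passin "pass:$CA_PASS" -CAcreateserial \
    -extfile "$1.ext" -out "$1.pem"
  cat "$1.pem" myCA.pem > "$1-fullchain.pem"
}

# Chain check only, as in the post's verify step.
verify_chain()    { openssl verify -CAfile myCA.pem "$1" >/dev/null 2>&1; }
# Chain check plus the name or IP a client would connect to. This fails when
# the name is not in the SAN list, even if it is the CN.
verify_hostname() { openssl verify -CAfile myCA.pem -verify_hostname "$2" "$1" >/dev/null 2>&1; }
verify_ip()       { openssl verify -CAfile myCA.pem -verify_ip "$2" "$1" >/dev/null 2>&1; }

main() {
  make_ca
  make_ext vm100 "DNS:vm100.example.com,DNS:example.com,IP:10.10.40.100"
  make_cert vm100 vm100.example.com
  make_ext wild "DNS:*.example.com,DNS:example.com"   # the mySAN.ext case
  make_cert wild example.com
  for pair in "vm100.pem vm100.example.com" "vm100.pem other.example.com" \
              "wild.pem app.example.com"    "wild.pem a.b.example.com"; do
    set -- $pair
    if verify_hostname "$1" "$2"; then echo "$1: $2 OK"; else echo "$1: $2 REJECTED"; fi
  done
}

# Usage: sh make-ca.sh demo   (runs in the current directory)
case "${1:-}" in demo) main ;; esac
```

Expect vm100.example.com and app.example.com to pass and other.example.com and a.b.example.com to be rejected. Once a service has the certificate installed, openssl s_client -connect vm100.example.com:443 -CAfile myCA.pem shows the chain the server actually presents and reports Verify return code: 0 (ok) when chain and SAN are right.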
Adding the certificate chain to your Proxmox server
Add the key and the certificate chain to Proxmox: print them out and copy them over to your server at System | Certificates | Upload Custom Certificate
For renaming a Proxmox server see link. You could also try pvecm updatecerts --force
cat cert100-key.pem
cat fullchain.pem
Install the root certificate to your PC
Debian
Copy myCA.pem to /usr/local/share/ca-certificates/myCA.crt (the .crt extension is required there) and update the certificate store: sudo update-ca-certificates
Arch, as root
sudo su -
trust anchor --store myCA.crt
See wiki page here
Windows
certutil.exe -addstore root C:\myCA.pem
Apple Mac
sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" myCA.pem
Or use the Keychain Access app