Creating a Certificate Authority


Tired of the nag “Your communication is not private” on your HomeLab?

Certificates for your VMs with OpenSSL

Creating a self-signed certificate to secure network communications is a start. Now we go deeper and make all the parts, from the CA down to the service certificates. See the link to OpenSSL.

X.509 is an ITU standard defining the format of public key certificates. X.509 certificates are used in TLS/SSL, which is the basis for HTTPS. An X.509 certificate binds an identity to a public key using a digital signature. A certificate contains an identity (hostname, organization, etc.) and a public key (RSA, DSA, ECDSA, Ed25519, etc.), and is either signed by a Certificate Authority or self-signed.

OpenSSL is a powerful tool that you can use to manage your certificates.

First we create the CA key and certificate. Then we create certificates for our services; they can be issued for an IP address, for an FQDN or as wildcards. Finally we need to add the root certificate to our browser or operating system trust store.

The old default key size was 2048 bit, but that is no longer good enough today, so we use 4096. The CA can be valid for longer than a year (365 days): you could use 3650 (10 years), 5475 (15 years) or 7300 (20 years), you choose.

This approach involves a few steps:

  1. Make CA
  2. Make Certs
  3. Install CA on PC and Certs to Services

You may want to work in a separate directory but will ultimately need to move your SSL certificate and private key to a specific folder or modify your nginx configuration file accordingly.

You can use a GUI-based app (Apple and Linux), X Certificate and Key Management, but I use the CLI.

Generate the CA

Configuration files aren’t needed for normal usage, but they are essential when it comes to complex operations, such as root CA creation.

  • Generate the CA key; you need to choose a pass phrase
openssl genrsa -aes256 -out myCA-key.pem 4096
  • Generate the CA certificate, using that pass phrase
openssl req -new -x509 -sha256 -days 3650 -key myCA-key.pem -out myCA.pem

Generate Certificates

Create an RSA key for the service certificate

openssl genrsa -out cert100-key.pem 4096

Create a Certificate Signing Request (CSR)

openssl req -new -sha256 -subj "/CN=yourcn" -key cert100-key.pem -out cert100.csr

Set up the SAN ext-file

We need a file with the SAN info of the service we are issuing the certificate to. Entries are comma separated and each one is prefixed with its type (DNS: or IP:).

echo "subjectAltName=DNS:your.example.com,DNS:example.com,IP:10.10.40.100" >> vm100.ext

You can make one cert for all your sites:

nano mySAN.ext
subjectAltName=DNS:*.example.com,DNS:example.com

Warning! When a certificate contains alternative names, all common names are ignored. Newer certificates produced by CAs may not even include a common name. For that reason, include all desired hostnames in the alternative names list.

Create the certificate

openssl x509 -req -sha256 -days 3650 -in cert100.csr -CA myCA.pem -CAkey myCA-key.pem -out cert100.pem -extfile vm100.ext -CAcreateserial

Create a full chain certificate

cat cert100.pem > fullchain.pem
cat myCA.pem >> fullchain.pem

Verify Certificates

openssl verify -CAfile myCA.pem -verbose cert100.pem

If you need to, copy the CA certificate with a .crt extension: cp myCA.pem ca.crt
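The whole procedure above, scripted end to end, as an added example that is not code from the original post: it builds the CA with a small config file (the reliable way to get CA:TRUE and keyCertSign onto the root), issues the VM certificate from vm100.ext and a wildcard certificate from mySAN.ext, builds the full chain, and then runs the checks a browser performs, including the rule that the CN is ignored once a SAN list exists. It assumes OpenSSL 1.1.1 or newer on the PATH; the file names, host names and 10.10.40.100 follow the article, while the passphrase is a placeholder and "HomeLab Root CA" and vm100.example.com are constructed sample values.

```shell
#!/bin/sh
# Added example (not code from the original post): the article's procedure end
# to end, CA key + CA cert -> service key + CSR -> SAN ext file -> signed cert
# -> full chain, plus the checks a browser performs on the result.
# Assumes OpenSSL 1.1.1 or newer on PATH. File names (myCA, cert100, vm100.ext,
# mySAN.ext), host names and 10.10.40.100 follow the article; the passphrase is
# a placeholder and "HomeLab Root CA" is a constructed sample name.
set -e

CA_PASS="${CA_PASS:-placeholder-change-me}"   # placeholder only; set your own

# sign_csr <ext file> <out cert>: sign cert100.csr with the CA (run inside the workdir)
sign_csr() {
  openssl x509 -req -sha256 -days 3650 -in cert100.csr -CA myCA.pem \
    -CAkey myCA-key.pem -passin "pass:$CA_PASS" -CAcreateserial \
    -extfile "$1" -out "$2" 2>/dev/null
}

# build_pki <workdir>: runs in a subshell so the caller's directory is untouched
build_pki() (
  mkdir -p "$1" && cd "$1"

  # A config file is the reliable way to put basicConstraints CA:TRUE and
  # keyCertSign on the root; without them "openssl verify" rejects the CA.
  cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = HomeLab Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

  # 1. CA: AES-256 encrypted 4096 bit key, self-signed cert valid 3650 days
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out myCA-key.pem 4096 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -config ca.cnf \
    -key myCA-key.pem -passin "pass:$CA_PASS" -out myCA.pem

  # 2. Service key and CSR. "yourcn" is kept out of the SAN list on purpose,
  #    to show that the CN is ignored once a SAN extension is present.
  openssl genrsa -out cert100-key.pem 4096 2>/dev/null
  openssl req -new -sha256 -subj "/CN=yourcn" -key cert100-key.pem -out cert100.csr

  # 3. SAN ext files: entries comma separated, each prefixed with DNS: or IP:
  cat > vm100.ext <<'EOF'
subjectAltName = DNS:vm100.example.com, DNS:example.com, IP:10.10.40.100
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
  printf 'subjectAltName = DNS:*.example.com, DNS:example.com\n' > mySAN.ext

  # 4. One cert for the VM and one wildcard cert, both from the same CSR
  sign_csr vm100.ext cert100.pem
  sign_csr mySAN.ext wildcard.pem

  # 5. Full chain for the service: leaf first, then the CA
  cat cert100.pem myCA.pem > fullchain.pem
)

# verify_chain <workdir> <cert>: 0 when the cert chains to myCA.pem ("OK")
verify_chain() {
  openssl verify -CAfile "$1/myCA.pem" "$2" >/dev/null 2>&1
}

# verify_hostname <workdir> <cert> <name>: 0 only when <name> matches a SAN
# DNS entry; the CN is never consulted once a SAN list exists
verify_hostname() {
  openssl verify -CAfile "$1/myCA.pem" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# verify_ip <workdir> <cert> <ip>: 0 only when <ip> is a SAN IP entry
verify_ip() {
  openssl verify -CAfile "$1/myCA.pem" -verify_ip "$3" "$2" >/dev/null 2>&1
}

# san_count <cert>: number of DNS and IP entries embedded in the SAN
san_count() {
  openssl x509 -in "$1" -noout -text \
    | grep -oE 'DNS:[^, ]+|IP Address:[^, ]+' | wc -l | tr -d ' '
}

# Usage: sh make_ca.sh <workdir>   (without an argument only the functions load)
if [ -n "${1:-}" ]; then
  build_pki "$1"
  verify_chain "$1" "$1/cert100.pem" && echo "chain: OK"
  verify_hostname "$1" "$1/cert100.pem" vm100.example.com && echo "vm100.example.com: matches SAN"
  verify_hostname "$1" "$1/cert100.pem" yourcn || echo "yourcn (CN only): rejected"
  echo "SAN entries in cert100.pem: $(san_count "$1/cert100.pem")"
fi
```

Run it as sh make_ca.sh ./pki and the directory ends up with the same files the article produces (myCA-key.pem, myCA.pem, cert100-key.pem, cert100.csr, cert100.pem, fullchain.pem) plus wildcard.pem. The -verify_hostname calls are the useful part: a name that is only in the CN is rejected, *.example.com matches www.example.com but not a.b.example.com (a wildcard covers exactly one label), and the IP address is only accepted by the certificate that carries it as a SAN IP entry.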

Adding the certificate chain to your Proxmox server

Print out the key and the certificate chain, copy them over to your Proxmox server and paste them at System | Certificates | Upload Custom Certificate.

For renaming a Proxmox server, see link. Maybe also try pvecm updatecerts --force

cat cert100-key.pem
cat fullchain.pem

Install the root certificate to your PC

Debian

Copy the CA certificate to /usr/local/share/ca-certificates/ca.crt (sudo cp myCA.pem /usr/local/share/ca-certificates/ca.crt; the .crt extension is required) and update the certificate store with sudo update-ca-certificates

Arch, as root

sudo su -
trust anchor --store ca.crt

See the wiki page here

Windows

certutil.exe -addstore root C:\myCA.pem

Apple Mac

sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" myCA.pem

Or use the Keychain App
