[[wiki:tech|Back to Tech Documentation]]

----

===== Certificate Authority =====

To have valid SSL on internal resources (so you don't get a warning in the web browser, and get a nice green check) we have a certificate authority that issues and validates certificates within the network. The local domain we generate certs for is "hda.surfrock66.com". Once you install the root CA certificate (as an administrator) into a device's trusted root CA store, certificates issued by that CA will show up as validated.

There is an [[https://github.com/OpenVPN/easy-rsa|easy-rsa]] certificate authority on [[wiki:inventories:tech:systems:sr66-crt-01|sr66-crt-01]]. The working directory for the root CA is /etc/easy-rsa. All operations should be done as the easy-rsa user, which you can become (as root) with:

<code>
su - easy-rsa
</code>

Most of the procedure for issuing a cert is in the script "0.RequestCert.sh" in that directory. The script assumes we are generating certs for the "hda.surfrock66.com" domain. It takes positional parameters, the third of which is optional:

<code>
./0.RequestCert.sh sr66-system-name 10.x.y.z dnsalias
</code>

"sr66-system-name" is the hostname (without the FQDN) and "10.x.y.z" is the IP of the system. The third parameter is an optional Subject Alternative Name.

This will generate a CSR (certificate request) in "./0.CertRequests" named with the timestamp and FQDN, a private key in "./0.PrivateKeys" named with the FQDN, and the certificate in "./pki/issued" named with the timestamp and FQDN. The private key and the cert are also written to the console so they can be copied out easily.

----

[[wiki:tech|Back to Tech Documentation]]
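As an added example (this is not the 0.RequestCert.sh script from sr66-crt-01, which the page does not reproduce), here is a POSIX shell script that implements the same request flow with easy-rsa 3 commands: it validates the short hostname and the IPv4 address, builds the SAN list (FQDN, IP, optional extra DNS name), generates the key and CSR, signs the request as a server cert, copies the files into the directories named above, and verifies the issued cert against the CA before printing it. The easyrsa flags used (--batch, --req-cn, --subject-alt-name), the /etc/easy-rsa layout and the exact output file names are assumptions, not taken from the real script.

```shell
#!/bin/sh
# Added example: a request flow modelled on the one described above.
# This is NOT the 0.RequestCert.sh from sr66-crt-01; easyrsa flags, paths
# and file naming are assumptions. Run as the easy-rsa user.
#   ./request-cert.sh sr66-system-name 10.x.y.z [dnsalias]

EASYRSA_DIR="${EASYRSA_DIR:-/etc/easy-rsa}"   # assumed working directory
DOMAIN="hda.surfrock66.com"                    # local domain certs are issued for

# Short hostname only: letters, digits, hyphens; no dots (the FQDN is built here).
is_hostname() {
    case "$1" in ''|*.*|*[!A-Za-z0-9-]*) return 1 ;; esac
    return 0
}

# Dotted-quad IPv4 with each octet in 0-255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the subjectAltName value: FQDN, IP, and the optional extra DNS name
# (used literally, so pass it fully qualified if that is what clients use).
build_san() {
    san="DNS:$1.$DOMAIN,IP:$2"
    [ -n "$3" ] && san="$san,DNS:$3"
    printf '%s\n' "$san"
}

request_cert() {
    host="$1"; ip="$2"; san_alias="$3"
    is_hostname "$host" || { echo "hostname must be short (no dots): $host" >&2; return 1; }
    is_ipv4 "$ip"       || { echo "not a valid IPv4 address: $ip" >&2; return 1; }
    fqdn="$host.$DOMAIN"
    san=$(build_san "$host" "$ip" "$san_alias")
    stamp=$(date +%Y%m%d-%H%M%S)

    cd "$EASYRSA_DIR" || return 1
    # Key + CSR; --req-cn sets the CN non-interactively, nopass because a
    # service must be able to load the key unattended.
    ./easyrsa --batch --req-cn="$fqdn" --subject-alt-name="$san" gen-req "$fqdn" nopass || return 1
    # Sign as a server cert. The SAN is given again: easy-rsa applies it at signing time.
    ./easyrsa --batch --subject-alt-name="$san" sign-req server "$fqdn" || return 1

    # File layout from the page (naming is assumed): timestamped CSR and cert, key by FQDN.
    mkdir -p 0.CertRequests 0.PrivateKeys
    cp "pki/reqs/$fqdn.req"     "0.CertRequests/$stamp-$fqdn.csr"
    cp "pki/private/$fqdn.key"  "0.PrivateKeys/$fqdn.key"
    cp "pki/issued/$fqdn.crt"   "pki/issued/$stamp-$fqdn.crt"

    # Check before handing out: chains to our root, and carries the SAN we asked for
    # (browsers ignore the CN, so a cert without the right SAN still warns).
    openssl verify -CAfile pki/ca.crt "pki/issued/$fqdn.crt" || return 1
    openssl x509 -in "pki/issued/$fqdn.crt" -noout -ext subjectAltName

    # Echo key and cert so they can be copied to the target system.
    cat "0.PrivateKeys/$fqdn.key" "pki/issued/$fqdn.crt"
}

# Only act when called with arguments; sourcing the file just defines the functions.
if [ "$#" -ge 2 ]; then
    request_cert "$@"
fi
```

The input checks matter because the script runs as the CA user: a dotted "hostname" would silently produce a CN and SAN in the wrong domain, and the post-issue openssl verify plus SAN dump confirms the cert will actually be accepted by browsers (which match on SAN, not CN) before it leaves the CA host.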