Certificate Authority

To have valid SSL on internal resources (so you don't get a warning in the web browser, and get a nice green check), we have a certificate authority that issues and validates certificates within the network. The local domain we generate certs for is “hda.surfrock66.com”. Once you install the root CA certificate (as an administrator) into a device's trusted root CA store, other certificates issued by the CA will show up as validated.

There is an easy-rsa certificate authority on sr66-crt-01. The working directory for the root CA is /etc/easy-rsa. All operations should be done as the easy-rsa user, which you can become with the command (as root) “su - easy-rsa”.

Most of the procedure for issuing a cert can be found in the script “0.RequestCert.sh” in that directory. The script assumes we are generating certs for the “hda.surfrock66.com” domain. It takes its inputs as parameters; you can run:

./0.RequestCert.sh sr66-system-name 10.x.y.z dnsalias

“sr66-system-name” is the hostname (without the FQDN) and “10.x.y.z” is the IP of the system. The third param is an optional Subject Alternative Name. This will generate a certificate signing request (CSR) in “./0.CertRequests” named with the timestamp and FQDN, a private key in “./0.PrivateKeys” named for the FQDN, and the certificate in “./pki/issued” named with the timestamp and FQDN. The private key and the cert are written to the console so they can be copied out easily.
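
A post-issuance check to run before copying the key and cert out, as an added example that is not part of 0.RequestCert.sh: it confirms the cert chains to the root CA, that the private key belongs to it, and that every name clients will use is in subjectAltName. The function name and its arguments are hypothetical, and whether the script places the FQDN and IP in subjectAltName is not stated here, so the check reports any name that is missing.

```shell
#!/bin/sh
# Added example: post-issuance checks for a certificate from an internal CA.
# Usage: check_issued_cert CA_CERT CERT KEY NAME...
#   NAME is each hostname or IPv4 address clients will use to reach the host.
# Assumes an unencrypted PEM private key and OpenSSL 1.1.1+ (for -ext).
check_issued_cert() {
    ca=$1 cert=$2 key=$3
    shift 3

    # 1. The cert must chain to the root CA that clients have installed.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2
        return 1
    fi

    # 2. The private key must belong to this cert (compare public keys).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || key_pub=
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert" >&2
        return 1
    fi

    # 3. Browsers match the URL against subjectAltName, so every name
    #    clients use must be listed there (exact match, one entry per line).
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//') || sans=
    for name in "$@"; do
        case $name in
            *[!0-9.]*) want="DNS:$name" ;;         # contains non-numeric chars: hostname
            *)         want="IP Address:$name" ;;  # digits and dots only: IPv4
        esac
        if ! printf '%s\n' "$sans" | grep -Fxq "$want"; then
            echo "FAIL: $want missing from subjectAltName of $cert" >&2
            return 1
        fi
    done
    echo "OK: $cert chains to $ca, matches $key, covers: $*"
}
```

From /etc/easy-rsa, pass easy-rsa's default CA certificate path (pki/ca.crt), the cert and key files the script just wrote, then the FQDN, the IP, and the alias if one was given.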

