| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| wiki:tech:certauth [2023/01/20 11:36] – [Certificate Authority] surfrock66 | wiki:tech:certauth [2024/04/30 07:58] (current) – surfrock66 |
|---|
| [[wiki:tech|Back to Tech Documentation]] | [[wiki:tech|Back to Tech Documentation]] |
| | ---- |
| ===== Certificate Authority ===== | ===== Certificate Authority ===== |
| |
| For having valid SSL on internal resources (so you don't get a warning in the web browser, and get a nice green check) we have a certificate authority that issues and validates certificates within the network. The local domain we generates certs for is "hda.surfrock66.com." Once you install the root CA certificate (as an administrator) on a device into the trusted root CA store, other CA issued certificates will show up as validated. | For having valid SSL on internal resources (so you don't get a warning in the web browser, and get a nice green check) we have a certificate authority that issues and validates certificates within the network. The local domain we generates certs for is "hda.surfrock66.com." Once you install the root CA certificate (as an administrator) on a device into the trusted root CA store, other CA issued certificates will show up as validated. |
| |
| There is an [[https://github.com/OpenVPN/easy-rsa|easy-rsa]] certificate authority on [[wiki:inventories:tech:systems:sr66-hda|sr66-hda]]. The working directory for the root CA is /etc/easy-rsa. All operations should be done as the easy-rsa user, which you can become with the command (as root) "su - easy-rsa". | There is an [[https://github.com/OpenVPN/easy-rsa|easy-rsa]] certificate authority on [[wiki:inventories:tech:systems:sr66-crt-01|sr66-crt-01]]. The working directory for the root CA is /etc/easy-rsa. All operations should be done as the easy-rsa user, which you can become with the command (as root) "su - easy-rsa". |
| |
| Most of the procedure for issuing a cert can be found in the script "0.RequestCert.sh" in that directory. The script assumes we are generating certs for the "hda.surfrock66.com" domain. This can be done with optional params; you can run: | Most of the procedure for issuing a cert can be found in the script "0.RequestCert.sh" in that directory. The script assumes we are generating certs for the "hda.surfrock66.com" domain. This can be done with optional params; you can run: |
| "sr66-system-name" is the hostname (without fqdn) and "10.x.y.z" is the IP of the system. The third param is an optional Subject Alternative Name. This will generate a CSR cert request in "./0.CertRequests" with the timestamp and fqdn, a private key under "./0.PrivateKeys" under the FQDN, and the certificate in "./pki/issued" with the timestamp and fqdn. The private key and the cert will be written to the console so it can be copied out easily. | "sr66-system-name" is the hostname (without fqdn) and "10.x.y.z" is the IP of the system. The third param is an optional Subject Alternative Name. This will generate a CSR cert request in "./0.CertRequests" with the timestamp and fqdn, a private key under "./0.PrivateKeys" under the FQDN, and the certificate in "./pki/issued" with the timestamp and fqdn. The private key and the cert will be written to the console so it can be copied out easily. |
| |
| | ---- |
| [[wiki:tech|Back to Tech Documentation]] | [[wiki:tech|Back to Tech Documentation]] |
