wiki:tech:certauth [2022/11/11 10:47] – surfrock66 | wiki:tech:certauth [2024/04/30 07:58] (current) – surfrock66 |
[[wiki:tech|Back to Tech Documentation]] | [[wiki:tech|Back to Tech Documentation]] |
| ---- |
===== Certificate Authority ===== | ===== Certificate Authority ===== |
| |
For having valid SSL on internal resources (so you don't get a warning in the web browser, and get a nice green check) we have a certificate authority that issues and validates certificates within the network. The local domain we generates certs for is "hda.surfrock66.com." Once you install the root CA certificate (as an administrator) on a device into the trusted root CA store, other CA issued certificates will show up as validated. | For having valid SSL on internal resources (so you don't get a warning in the web browser, and get a nice green check) we have a certificate authority that issues and validates certificates within the network. The local domain we generates certs for is "hda.surfrock66.com." Once you install the root CA certificate (as an administrator) on a device into the trusted root CA store, other CA issued certificates will show up as validated. |
| |
There is an [[https://github.com/OpenVPN/easy-rsa|easy-rsa]] certificate authority on [[wiki:inventories:tech:systems:sr66-hda|sr66-hda]]. The working directory for the root CA is /etc/easy-rsa. All operations should be done as the easy-rsa user, which you can become with the command (as root) "su - easy-rsa". | There is an [[https://github.com/OpenVPN/easy-rsa|easy-rsa]] certificate authority on [[wiki:inventories:tech:systems:sr66-crt-01|sr66-crt-01]]. The working directory for the root CA is /etc/easy-rsa. All operations should be done as the easy-rsa user, which you can become with the command (as root) "su - easy-rsa". |
| |
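Review bot: the CA host changes from sr66-hda to sr66-crt-01 in this row, but nothing says whether the existing CA (its root certificate and /etc/easy-rsa directory) was moved to the new host or a fresh CA was created there. This matters for the first paragraph's instruction to install the root CA certificate into each device's trusted store: a moved CA keeps that trust intact, while a new root would require re-installing the root certificate on every device and re-issuing certificates already in use. Please state which it is, and confirm that the /etc/easy-rsa working directory and the easy-rsa user described in the next sentence exist on sr66-crt-01.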
Most of the procedure for issuing a cert can be found in the script "0.RequestCert.sh" in that directory. The script assumes we are generating certs for the "hda.surfrock66.com" domain. This can be done with optional params; you can run "./0.RequestCert.sh sr66-system-name 10.x.y.z" where "sr66-system-name" is the hostname (without fqdn) and "10.x.y.z" is the IP of the system. This will generate a CSR cert request in "./0.CertRequests" with the timestamp and fqdn, a private key under "./0.PrivateKeys" under the FQDN, and the certificate in "./pki/issued" with the timestamp and fqdn. The private key and the cert will be written to the console so it can be copied out easily. | Most of the procedure for issuing a cert can be found in the script "0.RequestCert.sh" in that directory. The script assumes we are generating certs for the "hda.surfrock66.com" domain. This can be done with optional params; you can run: |
| |
| ./0.RequestCert.sh sr66-system-name 10.x.y.z dnsalias |
| |
| "sr66-system-name" is the hostname (without fqdn) and "10.x.y.z" is the IP of the system. The third param is an optional Subject Alternative Name. This will generate a CSR cert request in "./0.CertRequests" with the timestamp and fqdn, a private key under "./0.PrivateKeys" under the FQDN, and the certificate in "./pki/issued" with the timestamp and fqdn. The private key and the cert will be written to the console so it can be copied out easily. |
| |
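Review bot: the new third parameter is described only as "an optional Subject Alternative Name", which leaves the format undocumented; say whether it takes a single DNS name or a comma-separated list, whether the value is a short hostname or a full FQDN, and whether the IP given as the second parameter is also placed in the certificate as an IP SAN, since modern browsers validate the hostname against the SAN list rather than the CN. In the same row, "a private key under ./0.PrivateKeys under the FQDN" is awkward; "named by the FQDN" is clearer. The sentence about writing the private key to the console is carried over unchanged from the previous revision; it would help to add that the key should be copied out directly and the terminal scrollback cleared afterwards, and that the key file in ./0.PrivateKeys should be readable only by the easy-rsa user.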
| ---- |
[[wiki:tech|Back to Tech Documentation]] | [[wiki:tech|Back to Tech Documentation]] |