Differences

This shows you the differences between two versions of the page.

--- docu:tutos:misc:gen_own_trusted_ca [2020/02/08 22:00] – admin
+++ docu:tutos:misc:gen_own_trusted_ca [2020/02/08 22:54] (current) – admin
@@ Line 1: / Line 1: @@
-==== The Creation of own CAcert ====
+==== How to create your own CA root certificate ====
 \\
@@ Line 11: / Line 11: @@
 **Why not using** a let's encrypt certificate? Well, **there is cases** where the service you want to **expose on the internet is merely private** (ex: a nextcloud, music server, documentation) and there is **not a public domain name** pointing to your server, just a **local DNS server** or custom **/etc/hosts** entry.\\
 \\
-After some background on why/when using **your own CAcert** is needed, **let's get started !!**
+After some background on why/when using **your own CAcert** is needed, **let's get started !!**\\
+\\
+==== Create your CA root certificate =====
+\\
+First, we need to **create our CA signing key** (used to create signed certificates by US)\\
+**Please use a strong key!!**
+<code bash>openssl genrsa -aes256 -out AGUAKTECH.key 4096</code>
+**Create pem** (crt) file for your CAcert (**valid for 10 years**)
+<code bash>openssl req -x509 -new -nodes -key AGUAKTECH.key -sha256 -days 3650 -out AGUAKTECH.pem</code>
+\\
+==== Create a self-signed certificate for your application ====
+\\
+Generate a **new private key** for our server/domain
+<code bash>openssl genrsa -out yourdomain.com.key 4096</code>
+Generete a **san.cnf signing request** and configure your domain information
+<file bash yourdomain.com.san.cnf>
+[ req ]
+default_bits = 4096
+prompt = no
+encrypy_key = no
+default_md = sha256
+distinguished_name = dn
+req_extensions = req_ext
+[ dn ]
+# you can choose to use a wildcard or not
+#CN = *.yourdomain.com
+CN = yourdomain.com
+O = Your Domain
+OU = Your Domain
+L = Los Angeles
+ST = California
+C = EU
+[ req_ext ]
+subjectAltName = DNS: *.yourdomain.com, DNS: yourdomain.com
+</file>
+Now create a **CSR (signing request)** from the san.cnf config file created
+<code bash>
+openssl req -new -config yourdomain.com.san.cnf -nodes -key yourdomain.com.key -out
+yourdomain.com.csr
+</code>
+\\
+==== Sign your CSR with your CAcert key =====
+\\
+Given the **csr generated by the issuer** (us), **sign the certificate** to generate a crt file
+<code bash>
+# Expiration time
+# paranoid: 1 year max
+# normal: 2-3 years
+# stupid: 10 years
+openssl x509 -req -in yourdomain.com.csr -CA AGUAKTECH.pem -CAkey AGUAKTECH.key -CAcreateserial
+-out yourdomain.com.crt -days 365 -sha256
+</code>
+\\
+==== Install the generated certificate =====
+\\
+**Certificate installation** steps on firefox:
+    - Upload the **yourdomain.com.crt** file on some http server (optional)
+    - **Browse** the http resource or do it locally using the **<nowiki>file:///path/to/yourdomain.com.crt</nowiki>**
+    - **Check both** trust CA for internet and email. **Enjoy!**
+**Certificate installation** steps on a Debian-based Linux system (Optional)
+<code bash>
+# copy the .pem file to a .crt file in the appropiate path
+cp AGUAKTECH.pem /usr/local/share/ca-certificates/
+# update system certificates automatically
+update-ca-certificates
+</code>
+\\
+==== Things to consider on Reverse Proxies =====
+    * **Nginx and Apache** let you specify both the **.crt and the .key** file in **different directives**.\\
+    * **HAProxy** uses a packed .pem file which **contains the .crt and .key** file all in one (**cat yourdomain.com.crt yourdomain.com.key > yourdomain.com.pem**)

NoBIGTech Wiki Técnico

User Tools

Site Tools

Differences

Page Tools