docu:tutos:misc:gen_own_trusted_ca

Differences

This shows you the differences between two versions of the page.

docu:tutos:misc:gen_own_trusted_ca [2020/02/08 21:53]
admin created
docu:tutos:misc:gen_own_trusted_ca [2020/02/08 22:54] (current)
admin
Line 1: Line 1:
-==== The Creation of own CAcert ====+==== How to create your own CA root certificate ====
  
 \\ \\
Line 7: Line 7:
 So, how do you solve this?. By creating your **own CA certificate** and importing it either on your system, or on your Firefox Independent CAcert list.\\ So, how do you solve this?. By creating your **own CA certificate** and importing it either on your system, or on your Firefox Independent CAcert list.\\
 \\ \\
-This will turn a **self-signed** tls warning into a **shining green lock**, which will ensure the connection to your server is **not tampered**. In case it gets tampered, a warning will appear on your browser and you will **easily notice someone is modifying** your tls handshake.+This will turn a **self-signed** tls warning into a **shining green lock**, which will ensure the connection to your server is **not tampered**. In case it gets tampered, a warning will appear on your browser and you will **easily notice someone is modifying** your tls handshake.\\ 
 +\\ 
 +**Why not using** a let's encrypt certificate? Well, **there is cases** where the service you want to **expose on the internet is merely private** (ex: a nextcloud, music server, documentation) and there is **not a public domain name** pointing to your server, just a **local DNS server** or custom **/etc/hosts** entry.\\ 
 +\\ 
 +After some background on why/when using **your own CAcert** is needed, **let's get started !!**\\ 
 + 
 +\\ 
 +==== Create your CA root certificate ===== 
 +\\ 
 +First, we need to **create our CA signing key** (used to create signed certificates by US)\\ 
 +**Please use a strong key!!** 
 +<code bash>openssl genrsa -aes256 -out AGUAKTECH.key 4096</code> 
 + 
 +**Create pem** (crt) file for your CAcert (**valid for 10 years**) 
 +<code bash>openssl req -x509 -new -nodes -key AGUAKTECH.key -sha256 -days 3650 -out AGUAKTECH.pem</code> 
 + 
 +\\ 
 +==== Create a self-signed certificate for your application ==== 
 +\\ 
 +Generate a **new private key** for our server/domain 
 +<code bash>openssl genrsa -out yourdomain.com.key 4096</code> 
 + 
 +Generete a **san.cnf signing request** and configure your domain information 
 +<file bash yourdomain.com.san.cnf> 
 +[ req ] 
 +default_bits = 4096 
 +prompt = no 
 +encrypy_key = no 
 +default_md = sha256 
 +distinguished_name = dn 
 +req_extensions = req_ext 
 + 
 +[ dn ] 
 +# you can choose to use a wildcard or not 
 +#CN = *.yourdomain.com 
 +CN = yourdomain.com 
 +O = Your Domain 
 +OU = Your Domain 
 +L = Los Angeles 
 +ST = California 
 +C = EU 
 + 
 +[ req_ext ] 
 +subjectAltName = DNS: *.yourdomain.com, DNS: yourdomain.com 
 +</file> 
 + 
 +Now create a **CSR (signing request)** from the san.cnf config file created 
 +<code bash> 
 +openssl req -new -config yourdomain.com.san.cnf -nodes -key yourdomain.com.key -out 
 +yourdomain.com.csr 
 +</code> 
 + 
 +\\ 
 +==== Sign your CSR with your CAcert key ===== 
 +\\ 
 +Given the **csr generated by the issuer** (us), **sign the certificate** to generate a crt file 
 +<code bash> 
 +# Expiration time 
 +# paranoid: 1 year max 
 +# normal: 2-3 years 
 +# stupid: 10 years 
 +openssl x509 -req -in yourdomain.com.csr -CA AGUAKTECH.pem -CAkey AGUAKTECH.key -CAcreateserial 
 +-out yourdomain.com.crt -days 365 -sha256 
 +</code> 
 + 
 +\\ 
 +==== Install the generated certificate ===== 
 +\\ 
 +**Certificate installation** steps on firefox: 
 +    - Upload the **yourdomain.com.crt** file on some http server (optional) 
 +    - **Browse** the http resource or do it locally using the **<nowiki>file:///path/to/yourdomain.com.crt</nowiki>** 
 +    - **Check both** trust CA for internet and email. **Enjoy!** 
 + 
 +**Certificate installation** steps on a Debian-based Linux system (Optional) 
 +<code bash> 
 +# copy the .pem file to a .crt file in the appropiate path 
 +cp AGUAKTECH.pem /usr/local/share/ca-certificates/ 
 +# update system certificates automatically 
 +update-ca-certificates 
 +</code> 
 + 
 +\\ 
 +==== Things to consider on Reverse Proxies ===== 
 +    * **Nginx and Apache** let you specify both the **.crt and the .key** file in **different directives**.\\ 
 +    * **HAProxy** uses a packed .pem file which **contains the .crt and .key** file all in one (**cat yourdomain.com.crt yourdomain.com.key > yourdomain.com.pem**)
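Review bot: the signing step in "Sign your CSR with your CAcert key" silently drops the subjectAltName that the san.cnf section went to the trouble of defining: `openssl x509 -req` does not copy extensions from the CSR by default, so `yourdomain.com.crt` will carry no SAN and current browsers (which ignore the CN) will still refuse it. Add `-extfile yourdomain.com.san.cnf -extensions req_ext` to the `openssl x509 -req` line (or `-copy_extensions copy` on OpenSSL 3.x), and tell the reader to confirm with `openssl x509 -in yourdomain.com.crt -noout -text | grep -A1 'Subject Alternative Name'`. Two smaller logic problems in "Install the generated certificate": the Debian block's comment says "copy the .pem file to a .crt file" but the `cp` keeps the `.pem` name, and `update-ca-certificates` only picks up `*.crt` files from `/usr/local/share/ca-certificates/`, so the trust store is left unchanged (use `cp AGUAKTECH.pem /usr/local/share/ca-certificates/AGUAKTECH.crt`); and the Firefox steps point at `yourdomain.com.crt`, whereas the file to import under Authorities is the CA certificate `AGUAKTECH.pem`, the leaf certificate is what the server serves. The heading "Create a self-signed certificate for your application" is misleading, since that section produces a CA-signed certificate, not a self-signed one. Consider a sentence in "Create your CA root certificate" saying that `AGUAKTECH.key` should stay off the web server and only be brought out for signing, since anyone holding it can mint certificates every client that imported the root will trust. Typos: `encrypy_key` (harmless here because of `-nodes`, but should read `encrypt_key`), "Generete", "appropiate"; and the `==== ... =====` headings have unbalanced markers where the first heading uses `====` on both sides.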
docu/tutos/misc/gen_own_trusted_ca.1581198784.txt.gz · Last modified: 2020/02/08 21:53 by admin