Up-to-date OpenSSL guide or tool for creating a certificate authority and self-signing TLS certificates?

piefedderatedd , 3 months ago

Maybe you were using a deprecated search engine after all ? ;-) I used one of my favorite SearXNG instances and this was in the top 5 hits, a howto with happy comments from 2022. I assume the content is still legit.

https://gist.github.com/soarez/9688998

TCB13 , 3 months ago (edited 3 months ago)

Does someone know a tool that creates a Certificate Authority and signs certificates with that CA? (...) just a tool that spits out the certificates and I manage them that way, instead of a whole service for managing certs.

Yes, written in go, very small and portable: https://github.com/FiloSottile/mkcert.

Just be aware of the risks involved with running your own CA.

You’re adding a root certificate to your systems that will effectively accept any certificate issued with your CA’s key. If your PK gets stolen somehow and you don’t notice it, someone might be issuing certificates that are valid for those machines. Also real CA’s also have ways to revoke certificates that are checked by browsers (OCSP and CRLs), they may employ other techniques such as cross signing and chains of trust. All those make it so a compromised certificate is revoked and not trusted by anyone after the fact.

Why not Let’s Encrypt?

that's fair but if your only concern is about "I do not want any public CA to know the domains and subdomains I use" you get around that.

Let's Encrypt now allows for wildcard so you can probably do something like *.network.example.org and have an SSL certificate that will cover any subdomain under network.example.org (eg. host1.network.example.org). Or even better, get a wildcard like *.example.org and you'll be done for everything.

I'm just suggesting this alternative because it would make your life way easier and potentially more secure without actually revealing internal subdomains to the CA.

Another option is to just issue certificates without a CA and accept them one at the time on each device. This won't expose you to a possibly stolen CA PK and you'll get notified if previously the accepted certificate of some host changes.

openssl req -x509 -nodes -newkey rsa:2048 \
-subj "/CN=$DOMAIN_BASE/O=$ORG_NAME/OU=$ORG_UNIT_NAME/C=$COUNTRY" \
-keyout $DOMAIN_BASE.key -out $DOMAIN_BASE.crt -days $OPT_days "${ALT_NAMES[@]}"

MaxHardwood , 3 months ago

get a wildcard like *.example.org and you'll be done for everything

This actually only covers the subdomain. It doesn't extend to *.network.example.com. I spent last Saturday fighting my browsers until finding that out.

TCB13 , 3 months ago

I don’t get what’s the issue… you can ask them to issue a certificate that includes wildcard subdomains and the root domain. https://community.letsencrypt.org/t/how-to-expand-certificate-with-a-wildcard-subdomain/133925

MaxHardwood , 3 months ago

*.example.com like network.example.com only covers sub domains and not third level domains like host1.network.example.com or *.network.example.com

TCB13 , 3 months ago

Multi-level wildcards don’t exist at all - either don’t use wildcards or use a certificate with multiple wildcard names. Eg. *.xyz.example.org + *.abc.example.org.

lal309 , 3 months ago

This video helped me most. I’m a visual learner so it was easier for me to follow this instead of a written guide. Just be careful when you are following along tutorials (especially those written more than ~9 months ago) because the majority use syntax for OpenSSL 1.1.1 but that version is now EOL. You will need to use OpenSSL 3.x syntax as it’s the currently supported version of OpenSSL.

raldone01 , 3 months ago

If you run opnsense it can do this for you. With an OK GUI.

simonmicro , 3 months ago (edited 3 months ago)

Just use xca as a simple GUI - it can do it all.

TheWilliamist , 3 months ago

This is the way.

Decronym Bot , 3 months ago (edited 3 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters	More Letters
CA	(SSL) Certificate Authority
DNS	Domain Name Service/System
IP	Internet Protocol
SSH	Secure Shell for remote terminal access
SSL	Secure Sockets Layer, for transparent encryption
TLS	Transport Layer Security, supersedes SSL
VPN	Virtual Private Network

---

6 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

[Thread #535 for this sub, first seen 22nd Feb 2024, 20:25]
[FAQ] [Full list] [Contact] [Source code]

N0x0n , 3 months ago (edited 3 months ago)

This tutorial is what you are looking for.

It's what I used to achieve exactly what you want :). It's a goldmine of information and will give you exactly what you want :).

There is a lot to read and process and infos are a bit scattered arround, but everything you need to know (and more) is written there.

Good luck !

matcha_addict OP , 3 months ago

Looks great! I'm happy there's a lot of depth here! Will report back when I go through it. Thanks a lot!

Max_P , 3 months ago

If you want something a bit more managed, HashiCorp's Vault can do CAs and is very automation-friendly.

Max_P , 3 months ago

I used this guide a few times and it's pretty well made and general, doesn't focus on just one task or end goal, just lets you set up a proper CA with intermediates and all: https://jamielinux.com/docs/openssl-certificate-authority/

matcha_addict OP , 3 months ago

I should've linked it in my post, but unfortunately that's the first guide I tried which gave me the issues I mentioned in first paragraph :(

Did it work for you?? Browser would not accept my certs even if I trust them locally.

catloaf , 3 months ago

What browser? Firefox by default will only trust the CA certs that it keeps. You'll need to add yours or tell it to use the system cert store.

Personally, I stopped issuing certs from my own CA and started using Let's Encrypt, since everything I cared about could request them automatically.

Max_P , 3 months ago

Did you install the certificates at all the appropriate locations?

No certs like that will ever be recognized by browsers by default. You need to add your CA to your browser, and also every other applicable certificate stores. Usually that'd be /usr/share/ca-certificates or command line flags to explicitly define the chain of trust (for example, curl --cacert), or sometimes environment variables like SSL_CERT_FILE.

Also if you have an intermediate CA and only trust the root CA, the intermediate certificate needs to be bundled with the server's certificate so the browser can trace the chain of trust all the way to something it already trusts (ie. your root CA).

That's kind of a rabbit hole on its own since it varies from software to software how it's done, and also OS to OS. On Mac for example, that's managed through Keychain.

mhzawadi , 3 months ago

Have a look a small step ca
https://smallstep.com/docs/step-ca/#introduction-to-step-ca

matcha_addict OP , 3 months ago

I talked about this a bit in my post, but my issue with small step is it seems I have to maintain a web service and obtain my certs through API requests. I worry that this might be more hassle and setup than just generating the cert on a CLI for the two end points I have.

Am I over estimating the overhead here?

mb_ , 3 months ago

I can't say if you are overstating it but, only mention that I went through a similar path. I had it multiple scripts running and it was a neverending thing.

Since I have moved to small step I never had a problem.

The biggest advantage I got is for products like opnsense, you can do automatic renewal of certificates using your internal CA.

Generating new certs is still as simple (actually much easier for me) than relying on openssl or easyrsa scripts.

mhzawadi , 3 months ago

What?

It's a single process that runs a ca, it might well be a web service but that's built in. I use it for SSH certificates in my homelab, setup was a doddle.

Might have a look at the web cert bit, but you might find certbit can connect and get a cert

AbidanYre , 3 months ago (edited 3 months ago)

This is for private services that are only accessible on a private network or VPN

Even in that case, LE may still be easier than adding a new CA to every device that needs to talk to your services.

At least, it was for me running vault warden.

matcha_addict OP , 3 months ago

Would that even work? Pointing my domain to a 192 IP address? I don't see how that would work.

gratux , 3 months ago

You can use a DNS challenge to show you are in control of the domain without having anything exposed to the net. Essentially LE gives you a special value you have to add as a TXT DNS entry. LE will check if this record exists for your domain, and gives you a certificate, no public IP involved. This even allows you to create wildcard certificates.

PlexSheep , 3 months ago

Yeah, but you'd need to own a public domain and use it for your LAN, no? Or would it be possible to get a letsencrypt certificate for example.local?

tburkhol , 3 months ago

I recently moved my internal network to a public domain. [random letters].top was $1.60 at porkbun, and now I can do DNSSEC and letsencrypt. I added a pre-hook to LE's renew that briefly opens the firewall for their challenges, but now I'm going to have to look at the DNS challenge.

Almost everything I do references just hostname, with dns-search supplied by dhcp, so there was surprisingly little configuration to change when I switched domains.

lemmyvore , 3 months ago

In order to automate the DNS challenge the LE bot needs the DNS server to have an API and needs an API access token. See if your DNS service is among the ones supported.

TCB13 , 3 months ago

How are you dealing with mDNS and your custom domain? Isn't it causing... issues and mismatches?

tburkhol , 3 months ago

Haven't noticed any issues, but I'm not intentionally using mDNS. dhcpd tells all the clients where the nameserver is and issues ddns updates to bind, so I haven't needed any of the zero-config stuff. I did disable avahi on a linux server, but that was more because it was too chatty than caused any actual problems. I wouldn't think there would be any more issues between mDNS and a fake domain than between mDNS and a real, big-boy domain on the same network.

TCB13 , 3 months ago

“Big boy domains” on a network aren’t very easy to deal with. For instance sometimes you’ve devices in your network running DNS queries for your devices and they end up leaking to the outside because well… they’re FQDN… I also have experience mDNS issues due to some reason it seems to slow down a lot once you’re not using .local as your domain as well.

matcha_addict OP , 3 months ago

Would this work offline? Say a device only has access to LAN; no outside access. Can it still verify correctly?

lemmyvore , 3 months ago

The verification part is done by the LE server with your DNS server so that's not a problem. But you need to connect to the internet to launch the renewal process and to get the new certificates.

ryper , 3 months ago

Like the other commenter said, you can use Let's Encrypt without needing to expose anything on your network to the internet. I set it up on my network a couple of weeks ago using this guide; I couldn't get caddy to work with duckdns but it worked with Cloudflare without any trouble.

AbidanYre , 3 months ago

[Thread, post or comment was deleted by the author]

ryper , 3 months ago

The article sounds like you could have the A records on a local DNS service like Unbound or Pi-hole instead of public DNS. I guess maybe they just need to be defined somewhere that they'll resolve for your Caddy instance.

AbidanYre , 3 months ago

After looking at my cloudflare records, it seems I misremembered my setup.