Up-to-date OpenSSL guide or tool for creating a certificate authority and self-signing TLS certificates?
Up-to-date OpenSSL guide or tool for creating a certificate authority and self-signing TLS certificates?
Hello friends,
Just about every guide that comes up on my Google search for "How to create certificate authority with OpenSSL" seems to be out-of-date. Particularly, they all guide me towards creating a certificate that gets rejected by the browser due to the "Common Name" field deprecation, and the requirement of "Subject Alternative Name" field.
Does someone know a tool that creates a Certificate Authority and signs certificates with that CA? A tool that follows modern standards, gets accepted by browsers and other common web tools. Preferably something based on OpenSSL.
If you know a guide that does this using OpenSSL, even better! But I have low hopes for this after going through dozens of guides all having the same issue I mentioned above.
Replies to Some Questions you Might Ask Me
Why not just correct those two fields you mention?
I want to make sure I am doing this right. I don't want to keep running into errors in the future. For example, I actually did try that, and npm CLI rejected my certs without a good explanation (through browser accepts it).
Why not Let's Encrypt?
This is for private services that are only accessible on a private network or VPN
If this is for LAN and VPN only services, why do you need TLS?
TLS still has benefits. Any device on the same network could still compromise the security of the communication without TLS. Examples: random webcam or accessory at your house, a Meta Quest VR headset, or even a compromised smartphone or computer.
Use small step CA (or other ACME tools)
I am not sure I want the added complexity of this. I only have 2 services requiring TLS now, and I don't believe I will need to scale that much. I will have setup a way to consume the ACME server. I am happier with just a tool that spits out the certificates and I manage them that way, instead of a whole service for managing certs.
If I am over estimating the difficulty for this, please correct me.
This tutorial is what you are looking for.
It's what I used to achieve exactly what you want :). It's a goldmine of information and will give you exactly what you want :).
There is a lot to read and process and infos are a bit scattered arround, but everything you need to know (and more) is written there.
Good luck !
Looks great! I'm happy there's a lot of depth here! Will report back when I go through it. Thanks a lot!
Just use xca as a simple GUI - it can do it all.
This is the way.
This is for private services that are only accessible on a private network or VPN
Even in that case, LE may still be easier than adding a new CA to every device that needs to talk to your services.
At least, it was for me running vault warden.
Would that even work? Pointing my domain to a 192 IP address? I don't see how that would work.
You can use a DNS challenge to show you are in control of the domain without having anything exposed to the net. Essentially LE gives you a special value you have to add as a TXT DNS entry. LE will check if this record exists for your domain, and gives you a certificate, no public IP involved. This even allows you to create wildcard certificates.
Like the other commenter said, you can use Let's Encrypt without needing to expose anything on your network to the internet. I set it up on my network a couple of weeks ago using this guide; I couldn't get caddy to work with duckdns but it worked with Cloudflare without any trouble.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
Fewer Letters More Letters CA (SSL) Certificate Authority DNS Domain Name Service/System IP Internet Protocol SSH Secure Shell for remote terminal access SSL Secure Sockets Layer, for transparent encryption TLS Transport Layer Security, supersedes SSL VPN Virtual Private Network
6 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.
[Thread #535 for this sub, first seen 22nd Feb 2024, 20:25] [FAQ] [Full list] [Contact] [Source code]
I used this guide a few times and it's pretty well made and general, doesn't focus on just one task or end goal, just lets you set up a proper CA with intermediates and all: https://jamielinux.com/docs/openssl-certificate-authority/
I should've linked it in my post, but unfortunately that's the first guide I tried which gave me the issues I mentioned in first paragraph :(
Did it work for you?? Browser would not accept my certs even if I trust them locally.
Did you install the certificates at all the appropriate locations?
No certs like that will ever be recognized by browsers by default. You need to add your CA to your browser, and also every other applicable certificate stores. Usually that'd be
/usr/share/ca-certificatesor command line flags to explicitly define the chain of trust (for example,curl --cacert), or sometimes environment variables likeSSL_CERT_FILE.Also if you have an intermediate CA and only trust the root CA, the intermediate certificate needs to be bundled with the server's certificate so the browser can trace the chain of trust all the way to something it already trusts (ie. your root CA).
That's kind of a rabbit hole on its own since it varies from software to software how it's done, and also OS to OS. On Mac for example, that's managed through Keychain.
This video helped me most. I’m a visual learner so it was easier for me to follow this instead of a written guide. Just be careful when you are following along tutorials (especially those written more than ~9 months ago) because the majority use syntax for OpenSSL 1.1.1 but that version is now EOL. You will need to use OpenSSL 3.x syntax as it’s the currently supported version of OpenSSL.
Here is an alternative Piped link(s):
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I'm open-source; check me out at GitHub.
Here is an alternative Piped link(s):
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I'm open-source; check me out at GitHub.
Have a look a small step ca https://smallstep.com/docs/step-ca/#introduction-to-step-ca
I talked about this a bit in my post, but my issue with small step is it seems I have to maintain a web service and obtain my certs through API requests. I worry that this might be more hassle and setup than just generating the cert on a CLI for the two end points I have.
Am I over estimating the overhead here?
I can't say if you are overstating it but, only mention that I went through a similar path. I had it multiple scripts running and it was a neverending thing.
Since I have moved to small step I never had a problem.
The biggest advantage I got is for products like opnsense, you can do automatic renewal of certificates using your internal CA.
Generating new certs is still as simple (actually much easier for me) than relying on openssl or easyrsa scripts.
What?
It's a single process that runs a ca, it might well be a web service but that's built in. I use it for SSH certificates in my homelab, setup was a doddle.
Might have a look at the web cert bit, but you might find certbit can connect and get a cert
If you want something a bit more managed, HashiCorp's Vault can do CAs and is very automation-friendly.
If you run opnsense it can do this for you. With an OK GUI.
Maybe you were using a deprecated search engine after all ? ;-) I used one of my favorite SearXNG instances and this was in the top 5 hits, a howto with happy comments from 2022. I assume the content is still legit.