
@OnkelDom
Last active March 20, 2021 21:47

Create your own certificate authority

Create the CA key:

openssl genrsa -aes256 -out ca-key.pem 4096

Create the CA certificate:

openssl req -x509 -new -nodes -extensions v3_ca -key ca-key.pem -days 3650 -out ca-root.pem -sha512 -subj '/C=DE/ST=Hessen/L=Heusenstamm/O=OnkelDom/OU=Ops/CN=onkeldom.lan/emailAddress=certs@onkeldom.eu'

Import your own certificate authority

Debian, Ubuntu

sudo openssl x509 -outform der -in ca-root.pem -out ca-root.crt
sudo cp ca-root.crt /usr/share/ca-certificates/ca-root.crt
sudo dpkg-reconfigure ca-certificates

CentOS, Fedora

sudo cp ca-root.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

Generate certificates

Google Chrome requires the subject alternative name field (it no longer falls back to the CN). See https://www.chromestatus.com/features/4981025180483584

Generate private key without password

openssl genrsa -out cert-key.pem 4096

Generate certificate for single host

openssl req -new -subj '/C=DE/ST=Hessen/L=Heusenstamm/O=OnkelDom/OU=Ops/CN=unifi.infra.onkeldom.lan/emailAddress=certs@onkeldom.eu' -key cert-key.pem -out unifi.infra.onkeldom.lan.csr -sha512
openssl x509 -req -in unifi.infra.onkeldom.lan.csr -CA ca-root.pem -CAkey ca-key.pem -CAcreateserial -out unifi.infra.onkeldom.lan.pem -days 365 -sha512 -extfile <(printf "subjectAltName=DNS:unifi.infra.onkeldom.lan")
# you can add more subjectAltName with -extfile <(printf "subjectAltName=DNS:unifi.infra.onkeldom.lan,DNS:www.unifi.infra.onkeldom.lan")

Generate wildcard certificates

# CN = *.infra.onkeldom.lan
openssl req -new -subj '/C=DE/ST=Hessen/L=Heusenstamm/O=OnkelDom/OU=Ops/CN=*.infra.onkeldom.lan/emailAddress=certs@onkeldom.eu' -key cert-key.pem -out infra.onkeldom.lan.csr -sha512
openssl x509 -req -in infra.onkeldom.lan.csr -CA ca-root.pem -CAkey ca-key.pem -CAcreateserial -out infra.onkeldom.lan.pem -days 365 -sha512 -extfile <(printf "subjectAltName=DNS:*.infra.onkeldom.lan")
# CN = *.mgmt.onkeldom.lan
openssl req -new -subj '/C=DE/ST=Hessen/L=Heusenstamm/O=OnkelDom/OU=Ops/CN=*.mgmt.onkeldom.lan/emailAddress=certs@onkeldom.eu' -key cert-key.pem -out mgmt.onkeldom.lan.csr -sha512
openssl x509 -req -in mgmt.onkeldom.lan.csr -CA ca-root.pem -CAkey ca-key.pem -CAcreateserial -out mgmt.onkeldom.lan.pem -days 365 -sha512 -extfile <(printf "subjectAltName=DNS:*.mgmt.onkeldom.lan")
# CN = *.pub.onkeldom.lan
openssl req -new -subj '/C=DE/ST=Hessen/L=Heusenstamm/O=OnkelDom/OU=Ops/CN=*.pub.onkeldom.lan/emailAddress=certs@onkeldom.eu' -key cert-key.pem -out pub.onkeldom.lan.csr -sha512
openssl x509 -req -in pub.onkeldom.lan.csr -CA ca-root.pem -CAkey ca-key.pem -CAcreateserial -out pub.onkeldom.lan.pem -days 365 -sha512 -extfile <(printf "subjectAltName=DNS:*.pub.onkeldom.lan")
# CN = onkeldom.lan, SAN covers both onkeldom.lan and *.onkeldom.lan
openssl req -new -subj '/C=DE/ST=Hessen/L=Heusenstamm/O=OnkelDom/OU=Ops/CN=onkeldom.lan/emailAddress=certs@onkeldom.eu' -key cert-key.pem -out onkeldom.lan.csr -sha512
openssl x509 -req -in onkeldom.lan.csr -CA ca-root.pem -CAkey ca-key.pem -CAcreateserial -out onkeldom.lan.pem -days 365 -sha512 -extfile <(printf "subjectAltName=DNS:onkeldom.lan,DNS:*.onkeldom.lan")
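The SAN requirement and the wildcard certificates above can be checked end to end. The script below is an added example, not part of the gist: it builds a throwaway CA, issues a leaf and a wildcard certificate with subjectAltName, then verifies chain, hostname match and SAN contents with `openssl verify`. It assumes openssl is on PATH and uses 2048-bit keys for speed; the extension file is written to disk instead of bash-only process substitution.

```shell
#!/usr/bin/env bash
# Constructed example: throwaway CA plus leaf and wildcard certs, then
# verification of chain, hostname and SAN. Assumes openssl on PATH.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }

SUBJ_BASE='/C=DE/ST=Hessen/L=Heusenstamm/O=OnkelDom/OU=Ops'

# Create an unencrypted CA key and a self-signed CA cert in directory $1.
make_ca() {
  openssl genrsa -out "$1/ca-key.pem" 2048 2>/dev/null
  openssl req -x509 -new -nodes -extensions v3_ca -key "$1/ca-key.pem" \
    -days 3650 -sha512 -subj "$SUBJ_BASE/CN=example-ca.lan" -out "$1/ca-root.pem"
}

# Issue cert $2 (file base name and CN) with SAN list $3 (e.g. "DNS:a,DNS:*.b")
# signed by the CA in $1. Browsers match on the SAN list, not on the CN.
issue_cert() {
  local dir=$1 name=$2 san=$3
  openssl genrsa -out "$dir/$name-key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/$name-key.pem" -sha512 \
    -subj "$SUBJ_BASE/CN=$name" -out "$dir/$name.csr"
  printf 'subjectAltName=%s\n' "$san" > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca-root.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -days 365 -sha512 \
    -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
}

# Return 0 if cert $2 chains to the CA in $1 and is valid for hostname $3.
verify_host() {
  openssl verify -CAfile "$1/ca-root.pem" -verify_hostname "$3" "$1/$2.pem" >/dev/null 2>&1
}

# Return 0 if cert $2 carries the literal SAN entry $3 (e.g. DNS:host.lan).
has_san() {
  openssl x509 -in "$1/$2.pem" -noout -text | grep -qF "$3"
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
make_ca "$work"
issue_cert "$work" unifi.infra.onkeldom.lan \
  'DNS:unifi.infra.onkeldom.lan,DNS:www.unifi.infra.onkeldom.lan'
issue_cert "$work" mgmt.onkeldom.lan 'DNS:*.mgmt.onkeldom.lan'
verify_host "$work" unifi.infra.onkeldom.lan www.unifi.infra.onkeldom.lan && echo "leaf ok"
verify_host "$work" mgmt.onkeldom.lan switch.mgmt.onkeldom.lan && echo "wildcard ok"
# A wildcard matches exactly one label: neither the apex nor deeper names.
verify_host "$work" mgmt.onkeldom.lan mgmt.onkeldom.lan || echo "apex not covered by wildcard"
```

Once a DNS SAN is present, OpenSSL stops matching the CN, which is why the last block of the gist lists both `DNS:onkeldom.lan` and `DNS:*.onkeldom.lan`.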