Difference between revisions of "SSL Certificates For Local Network"

From Nearline Storage
Jump to navigation Jump to search
Line 48: Line 48:
 
# Set the <code>SSLCertificateKeyFile</code> option in the <code>VirtualHost</code> definition to be the server's private key file exported in the step above.
 
# Set the <code>SSLCertificateKeyFile</code> option in the <code>VirtualHost</code> definition to be the server's private key file exported in the step above.
 
# Restart the httpd service
 
# Restart the httpd service
 +
 +
==== On a Unifi Dream Machine firewall/router/switch ====
 +
 +
# Copy the server's full chain file to <code>/mnt/data/unifi-os/unifi-core/config/unifi-core.crt</code>
 +
# Copy the server's key file to <code>/mnt/data/unifi-os/unifi-core/config/unifi-core.key</code>
 +
# <code>unifi-os restart</code>
  
 
==== In the ntopng application on Linux ====
 
==== In the ntopng application on Linux ====

Revision as of 20:36, 4 February 2021

This page is about creating and installing SSL certificates on servers on my local LAN.

Managing Certificates

I use the XCA tool to manage my certificates.

The first step is to create a certificate database which will contain all of my certicates, File -> New Database. I called it localdomain-ca.xdb.

Create a root certificate for your private "certificate authority"

  1. Select the Certificates tab,
  2. Click New Certificate button,
  3. Select the Source tab and select [default] CA under Template for new certificate. Click the Apply all button,
  4. Select the Subject tab and fill in the Internal Name and commonName fields with a name. The actual name used doesn't matter, I used "localdomain Root Certificate" for both fields.
  5. Click the Generate a new key button. Enter a name for the key. I used "Root Cert" for the name.
  6. The default life of the certificate will be 10 years. If you need to change this, go to the Extensions tab.
  7. Click the OK button at the lower right to generate and save the root certificate.
  8. Export the root certificate using the PEM (.crt) output format.

Creating a custom template for HTTPS server certificates to save some time

The [default] TLS_Server template contains all of the important settings needed for an HTTPS server's SSL certificate but it does not have any of the Subject tab's information filled in. If we make our own custom template, we can pre-fill some of those fields and save a little typing later on.

  1. Select the Templates tab,
  2. Click the New Tepmplate button and then select the [default] TLS_server from the templates popup window that appears,
  3. Set the Internal Name field to be the name that we want to use for this template,
  4. Fill in the remaining Subject page fields as you like. The only field that is important on this page is the commonName field. We will set this to the hostname (or IP address) of the HTTPS server we are creating a certificate for when we use this template. Here, in the template definition, we should probably leave this blank, or maybe enter a template hostname like "*.localdomain",
  5. Click the OK button at the lower right to save this template.

Create a server certificate that is signed with your private CA's root certificate

Now we create the individual SSL server certificate for an HTTPS server.

  1. Select the root certificate we created previously and click the New Certificate button.
  2. Select the Source tab and select either the name of the custom template created in the step above or [default] TLS_server under Template for new certificate. Click the Apply all button,
  3. Select the Subject tab and fill in the Internal Name field with a name for this certificate and the commonName field with the fully-qualified hostname or IP address of the server that will use this certifcate.
  4. Click the Generate a new key button. Enter a name for the key. I use the server hostname for the name.
  5. The default life of the certificate will be 365 days. If you need to change this, go to the Extensions tab.
  6. Click the OK button at the lower right to generate and save the root certificate.
  7. Export both the server certificate combined with the CA certificate used to sign it by selecting the PEM chain (*.pem) export format.
  8. Switch to the Private Keys tab and export the private key created for this certificate using the PEM private (*.pem) export format. Change the output file's extension from "pem" to "key" so that it's clear that this is the key.

Installing the server certificate

On Fedora Apache web servers

  1. Set both the SSLCertificateFile and the SSLCertificateChainFile options in the VirtualHost definition to be the server certificate file, i.e., the full chain file, exported in the step above.
  2. Set the SSLCertificateKeyFile option in the VirtualHost definition to be the server's private key file exported in the step above.
  3. Restart the httpd service

On a Unifi Dream Machine firewall/router/switch

  1. Copy the server's full chain file to /mnt/data/unifi-os/unifi-core/config/unifi-core.crt
  2. Copy the server's key file to /mnt/data/unifi-os/unifi-core/config/unifi-core.key
  3. unifi-os restart

In the ntopng application on Linux

  1. Concatenate the server's full chain file and key file together into a single file called ntopng-cert.pem. Place this file into the /usr/share/ntopng/httpdocs/ssl directory and restart the application.

Trusting the CA certificate

In order to be able to trust the certificate being used by the webserver, each client must have a copy of the CA's root certificate in their CA trust configuration.

On Fedora Linux clients

  1. Put the certifcate authority root certificate that we exported during the first step above into the /etc/pki/ca-trust/source/anchors/ directory on each client,
  2. Run the command sudo update-ca-trust on each client,
  3. Reboot each client.
Retrieved from "https://wiki.daveking.com/index.php?title=SSL_Certificates_For_Local_Network&oldid=4477"