Difference between revisions of "SSL Certificates For Local Network"

From Nearline Storage
Jump to navigation Jump to search
 
(3 intermediate revisions by the same user not shown)
Line 35: Line 35:
 
# Select the <code>Source</code> tab and select either the name of the custom template created in the step above or <code>[default] TLS_server</code> under <code>Template for new certificate</code>.  Click the <code>Apply all</code> button,
 
# Select the <code>Source</code> tab and select either the name of the custom template created in the step above or <code>[default] TLS_server</code> under <code>Template for new certificate</code>.  Click the <code>Apply all</code> button,
 
# Select the <code>Subject</code> tab and fill in the <code>Internal Name</code> field with a name for this certificate and the <code>commonName</code> field with the fully-qualified hostname or IP address of the server that will use this certifcate.
 
# Select the <code>Subject</code> tab and fill in the <code>Internal Name</code> field with a name for this certificate and the <code>commonName</code> field with the fully-qualified hostname or IP address of the server that will use this certifcate.
 +
#* '''Note:''' If you create a certificate for your entire domain using a wildcard for the hostname, i.e., <code>*.localdomain</code>, this is called a wildcard certificate and it is valid for any and all servers whose hostnames match that wildcard pattern.  That's one way to simplify things.  Create one certificate and use that same certificate on all of the servers within that domain.
 
# Click the <code>Generate a new key</code> button.  Enter a name for the key.  I use the server hostname for the name.
 
# Click the <code>Generate a new key</code> button.  Enter a name for the key.  I use the server hostname for the name.
 
# The default life of the certificate will be 365 days.  If you need to change this, go to the <code>Extensions</code> tab.
 
# The default life of the certificate will be 365 days.  If you need to change this, go to the <code>Extensions</code> tab.
# To add additional server hostnames that this certificate can be used for:
+
# ''Optional:'' To add additional server hostnames that this certificate can be used for:
 
## Click the <code>Edit</code> button next to the <code>X509v3 Subject Alternative Name</code> field on the <code>Extensions</code> tab,
 
## Click the <code>Edit</code> button next to the <code>X509v3 Subject Alternative Name</code> field on the <code>Extensions</code> tab,
 
## Click the <code>Add</code> in the popup that appears, set the <code>Type</code> field to "DNS" and the <code>Content</code> to the additional hostname.  Repeat until all the names you want to support have been added.
 
## Click the <code>Add</code> in the popup that appears, set the <code>Type</code> field to "DNS" and the <code>Content</code> to the additional hostname.  Repeat until all the names you want to support have been added.
Line 54: Line 55:
  
 
==== On a Unifi Dream Machine (UDM/UDM-Pro) firewall/router/switch ====
 
==== On a Unifi Dream Machine (UDM/UDM-Pro) firewall/router/switch ====
 +
 +
'''WARNING:''' Don't do this, it prevents Protect mobile phone and Android TV apps from working.  Stick with the self-signed certificates as distributed.
  
 
# Copy the server's full chain file to <code>/mnt/data/unifi-os/unifi-core/config/unifi-core.crt</code>
 
# Copy the server's full chain file to <code>/mnt/data/unifi-os/unifi-core/config/unifi-core.crt</code>
Line 61: Line 64:
 
==== In the ntopng application on Linux ====
 
==== In the ntopng application on Linux ====
  
#  Concatenate the server's full chain file and key file together into a single file called <code>ntopng-cert.pem</code>.  Place this file into the <code>/usr/share/ntopng/httpdocs/ssl</code> directory and restart the application.
+
#  Concatenate the server's full chain file and key file together into a single file, <code>/usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem</code>, and restart the application.
  
 
=== Trusting the CA certificate ===
 
=== Trusting the CA certificate ===

Latest revision as of 19:46, 5 April 2021

This page is about creating and installing SSL certificates on servers on my local LAN.

Managing Certificates

I use the XCA tool to manage my certificates.

The first step is to create a certificate database which will contain all of my certicates, File -> New Database. I called it localdomain-ca.xdb.

Create a root certificate for your private "certificate authority"

  1. Select the Certificates tab,
  2. Click New Certificate button,
  3. Select the Source tab and select [default] CA under Template for new certificate. Click the Apply all button,
  4. Select the Subject tab and fill in the Internal Name and commonName fields with a name. The actual name used doesn't matter, I used "localdomain Root Certificate" for both fields.
  5. Click the Generate a new key button. Enter a name for the key. I used "Root Cert" for the name.
  6. The default life of the certificate will be 10 years. If you need to change this, go to the Extensions tab.
  7. Click the OK button at the lower right to generate and save the root certificate.
  8. Export the root certificate using the PEM (.crt) output format.

Creating a custom template for HTTPS server certificates to save some time

The [default] TLS_Server template contains all of the important settings needed for an HTTPS server's SSL certificate but it does not have any of the Subject tab's information filled in. If we make our own custom template, we can pre-fill some of those fields and save a little typing later on.

  1. Select the Templates tab,
  2. Click the New Tepmplate button and then select the [default] TLS_server from the templates popup window that appears,
  3. Set the Internal Name field to be the name that we want to use for this template,
  4. Fill in the remaining Subject page fields as you like. The only field that is important on this page is the commonName field. We will set this to the hostname (or IP address) of the HTTPS server we are creating a certificate for when we use this template. Here, in the template definition, we should probably leave this blank, or maybe enter a template hostname like "*.localdomain",
  5. Click the OK button at the lower right to save this template.

Create a server certificate that is signed with your private CA's root certificate

Now we create the individual SSL server certificate for an HTTPS server.

  1. Select the root certificate we created previously and click the New Certificate button.
  2. Select the Source tab and select either the name of the custom template created in the step above or [default] TLS_server under Template for new certificate. Click the Apply all button,
  3. Select the Subject tab and fill in the Internal Name field with a name for this certificate and the commonName field with the fully-qualified hostname or IP address of the server that will use this certifcate.
    • Note: If you create a certificate for your entire domain using a wildcard for the hostname, i.e., *.localdomain, this is called a wildcard certificate and it is valid for any and all servers whose hostnames match that wildcard pattern. That's one way to simplify things. Create one certificate and use that same certificate on all of the servers within that domain.
  4. Click the Generate a new key button. Enter a name for the key. I use the server hostname for the name.
  5. The default life of the certificate will be 365 days. If you need to change this, go to the Extensions tab.
  6. Optional: To add additional server hostnames that this certificate can be used for:
    1. Click the Edit button next to the X509v3 Subject Alternative Name field on the Extensions tab,
    2. Click the Add in the popup that appears, set the Type field to "DNS" and the Content to the additional hostname. Repeat until all the names you want to support have been added.
    3. Click the Validate button to check your work, and then click the Apply button.
  7. Click the OK button at the lower right to generate and save the root certificate.
  8. Export both the server certificate combined with the CA certificate used to sign it by selecting the PEM chain (*.pem) export format.
  9. Switch to the Private Keys tab and export the private key created for this certificate using the PEM private (*.pem) export format. Change the output file's extension from "pem" to "key" so that it's clear that this is the key.

Installing the server certificate

On Fedora Apache web servers

  1. Set both the SSLCertificateFile and the SSLCertificateChainFile options in the VirtualHost definition to be the server certificate file, i.e., the full chain file, exported in the step above.
  2. Set the SSLCertificateKeyFile option in the VirtualHost definition to be the server's private key file exported in the step above.
  3. Restart the httpd service

On a Unifi Dream Machine (UDM/UDM-Pro) firewall/router/switch

WARNING: Don't do this, it prevents Protect mobile phone and Android TV apps from working. Stick with the self-signed certificates as distributed.

  1. Copy the server's full chain file to /mnt/data/unifi-os/unifi-core/config/unifi-core.crt
  2. Copy the server's key file to /mnt/data/unifi-os/unifi-core/config/unifi-core.key
  3. unifi-os restart

In the ntopng application on Linux

  1. Concatenate the server's full chain file and key file together into a single file, /usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem, and restart the application.

Trusting the CA certificate

In order to be able to trust the certificate being used by the webserver, each client must have a copy of the CA's root certificate in their CA trust configuration.

On Fedora Linux clients

  1. Put the certifcate authority root certificate that we exported during the first step above into the /etc/pki/ca-trust/source/anchors/ directory on each client,
  2. Run the command sudo update-ca-trust on each client,
  3. Reboot each client.