Difference between revisions of "SSL Certificates For Local Network"
(3 intermediate revisions by the same user not shown) | |||
Line 35: | Line 35: | ||
# Select the <code>Source</code> tab and select either the name of the custom template created in the step above or <code>[default] TLS_server</code> under <code>Template for new certificate</code>. Click the <code>Apply all</code> button, | # Select the <code>Source</code> tab and select either the name of the custom template created in the step above or <code>[default] TLS_server</code> under <code>Template for new certificate</code>. Click the <code>Apply all</code> button, | ||
# Select the <code>Subject</code> tab and fill in the <code>Internal Name</code> field with a name for this certificate and the <code>commonName</code> field with the fully-qualified hostname or IP address of the server that will use this certifcate. | # Select the <code>Subject</code> tab and fill in the <code>Internal Name</code> field with a name for this certificate and the <code>commonName</code> field with the fully-qualified hostname or IP address of the server that will use this certifcate. | ||
+ | #* '''Note:''' If you create a certificate for your entire domain using a wildcard for the hostname, i.e., <code>*.localdomain</code>, this is called a wildcard certificate and it is valid for any and all servers whose hostnames match that wildcard pattern. That's one way to simplify things. Create one certificate and use that same certificate on all of the servers within that domain. | ||
# Click the <code>Generate a new key</code> button. Enter a name for the key. I use the server hostname for the name. | # Click the <code>Generate a new key</code> button. Enter a name for the key. I use the server hostname for the name. | ||
# The default life of the certificate will be 365 days. If you need to change this, go to the <code>Extensions</code> tab. | # The default life of the certificate will be 365 days. If you need to change this, go to the <code>Extensions</code> tab. | ||
− | # To add additional server hostnames that this certificate can be used for: | + | # ''Optional:'' To add additional server hostnames that this certificate can be used for: |
## Click the <code>Edit</code> button next to the <code>X509v3 Subject Alternative Name</code> field on the <code>Extensions</code> tab, | ## Click the <code>Edit</code> button next to the <code>X509v3 Subject Alternative Name</code> field on the <code>Extensions</code> tab, | ||
## Click the <code>Add</code> in the popup that appears, set the <code>Type</code> field to "DNS" and the <code>Content</code> to the additional hostname. Repeat until all the names you want to support have been added. | ## Click the <code>Add</code> in the popup that appears, set the <code>Type</code> field to "DNS" and the <code>Content</code> to the additional hostname. Repeat until all the names you want to support have been added. | ||
Line 54: | Line 55: | ||
==== On a Unifi Dream Machine (UDM/UDM-Pro) firewall/router/switch ==== | ==== On a Unifi Dream Machine (UDM/UDM-Pro) firewall/router/switch ==== | ||
+ | |||
+ | '''WARNING:''' Don't do this, it prevents Protect mobile phone and Android TV apps from working. Stick with the self-signed certificates as distributed. | ||
# Copy the server's full chain file to <code>/mnt/data/unifi-os/unifi-core/config/unifi-core.crt</code> | # Copy the server's full chain file to <code>/mnt/data/unifi-os/unifi-core/config/unifi-core.crt</code> | ||
Line 61: | Line 64: | ||
==== In the ntopng application on Linux ==== | ==== In the ntopng application on Linux ==== | ||
− | # Concatenate the server's full chain file and key file together into a single file | + | # Concatenate the server's full chain file and key file together into a single file, <code>/usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem</code>, and restart the application. |
=== Trusting the CA certificate === | === Trusting the CA certificate === |
Latest revision as of 19:46, 5 April 2021
This page is about creating and installing SSL certificates on servers on my local LAN.
Managing Certificates
I use the XCA tool to manage my certificates.
The first step is to create a certificate database which will contain all of my certicates, File -> New Database
. I called it localdomain-ca.xdb
.
Create a root certificate for your private "certificate authority"
- Select the
Certificates
tab, - Click
New Certificate
button, - Select the
Source
tab and select[default] CA
underTemplate for new certificate
. Click theApply all
button, - Select the
Subject
tab and fill in theInternal Name
andcommonName
fields with a name. The actual name used doesn't matter, I used "localdomain Root Certificate" for both fields. - Click the
Generate a new key
button. Enter a name for the key. I used "Root Cert" for the name. - The default life of the certificate will be 10 years. If you need to change this, go to the
Extensions
tab. - Click the
OK
button at the lower right to generate and save the root certificate. - Export the root certificate using the
PEM (.crt)
output format.
Creating a custom template for HTTPS server certificates to save some time
The [default] TLS_Server
template contains all of the important settings needed for an HTTPS server's SSL certificate but it does not have any of the Subject
tab's information filled in. If we make our own custom template, we can pre-fill some of those fields and save a little typing later on.
- Select the
Templates
tab, - Click the
New Tepmplate
button and then select the[default] TLS_server
from the templates popup window that appears, - Set the
Internal Name
field to be the name that we want to use for this template, - Fill in the remaining Subject page fields as you like. The only field that is important on this page is the
commonName
field. We will set this to the hostname (or IP address) of the HTTPS server we are creating a certificate for when we use this template. Here, in the template definition, we should probably leave this blank, or maybe enter a template hostname like "*.localdomain", - Click the
OK
button at the lower right to save this template.
Create a server certificate that is signed with your private CA's root certificate
Now we create the individual SSL server certificate for an HTTPS server.
- Select the root certificate we created previously and click the
New Certificate
button. - Select the
Source
tab and select either the name of the custom template created in the step above or[default] TLS_server
underTemplate for new certificate
. Click theApply all
button, - Select the
Subject
tab and fill in theInternal Name
field with a name for this certificate and thecommonName
field with the fully-qualified hostname or IP address of the server that will use this certifcate.- Note: If you create a certificate for your entire domain using a wildcard for the hostname, i.e.,
*.localdomain
, this is called a wildcard certificate and it is valid for any and all servers whose hostnames match that wildcard pattern. That's one way to simplify things. Create one certificate and use that same certificate on all of the servers within that domain.
- Note: If you create a certificate for your entire domain using a wildcard for the hostname, i.e.,
- Click the
Generate a new key
button. Enter a name for the key. I use the server hostname for the name. - The default life of the certificate will be 365 days. If you need to change this, go to the
Extensions
tab. - Optional: To add additional server hostnames that this certificate can be used for:
- Click the
Edit
button next to theX509v3 Subject Alternative Name
field on theExtensions
tab, - Click the
Add
in the popup that appears, set theType
field to "DNS" and theContent
to the additional hostname. Repeat until all the names you want to support have been added. - Click the
Validate
button to check your work, and then click theApply
button.
- Click the
- Click the
OK
button at the lower right to generate and save the root certificate. - Export both the server certificate combined with the CA certificate used to sign it by selecting the
PEM chain (*.pem)
export format. - Switch to the
Private Keys
tab and export the private key created for this certificate using thePEM private (*.pem)
export format. Change the output file's extension from "pem" to "key" so that it's clear that this is the key.
Installing the server certificate
On Fedora Apache web servers
- Set both the
SSLCertificateFile
and theSSLCertificateChainFile
options in theVirtualHost
definition to be the server certificate file, i.e., the full chain file, exported in the step above. - Set the
SSLCertificateKeyFile
option in theVirtualHost
definition to be the server's private key file exported in the step above. - Restart the httpd service
On a Unifi Dream Machine (UDM/UDM-Pro) firewall/router/switch
WARNING: Don't do this, it prevents Protect mobile phone and Android TV apps from working. Stick with the self-signed certificates as distributed.
- Copy the server's full chain file to
/mnt/data/unifi-os/unifi-core/config/unifi-core.crt
- Copy the server's key file to
/mnt/data/unifi-os/unifi-core/config/unifi-core.key
unifi-os restart
In the ntopng application on Linux
- Concatenate the server's full chain file and key file together into a single file,
/usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem
, and restart the application.
Trusting the CA certificate
In order to be able to trust the certificate being used by the webserver, each client must have a copy of the CA's root certificate in their CA trust configuration.
On Fedora Linux clients
- Put the certifcate authority root certificate that we exported during the first step above into the
/etc/pki/ca-trust/source/anchors/
directory on each client, - Run the command
sudo update-ca-trust
on each client, - Reboot each client.