SSL Certificates For Local Network
This page is about creating and installing SSL certificates on servers on my local LAN.
Managing Certificates
I use the XCA tool to manage my certificates.
The first step is to create a certificate database which will contain all of my certicates, File -> New Database
. I called it localdomain-ca.xdb
.
Create a root certificate for your private "certificate authority"
- Select the
Certificates
tab, - Click
New Certificate
button, - Select the
Source
tab and select[default] CA
underTemplate for new certificate
. Click theApply all
button, - Select the
Subject
tab and fill in theInternal Name
andcommonName
fields with a name. The actual name used doesn't matter, I used "localdomain Root Certificate" for both fields. - Click the
Generate a new key
button. Enter a name for the key. I used "Root Cert" for the name. - The default life of the certificate will be 10 years. If you need to change this, go to the
Extensions
tab. - Click the
OK
button at the lower right to generate and save the root certificate. - Export the root certificate using the
PEM (.crt)
output format.
Creating a custom template for HTTPS server certificates to save some time
The [default] TLS_Server
template contains all of the important settings needed for an HTTPS server's SSL certificate but it does not have any of the Subject
tab's information filled in. If we make our own custom template, we can pre-fill some of those fields and save a little typing later on.
- Select the
Templates
tab, - Click the
New Tepmplate
button and then select the[default] TLS_server
from the templates popup window that appears, - Set the
Internal Name
field to be the name that we want to use for this template, - Fill in the remaining Subject page fields as you like. The only field that is important on this page is the
commonName
field. We will set this to the hostname (or IP address) of the HTTPS server we are creating a certificate for when we use this template. Here, in the template definition, we should probably leave this blank, or maybe enter a template hostname like "*.localdomain", - Click the
OK
button at the lower right to save this template.
Create a server certificate that is signed with your private CA's root certificate
Now we create the individual SSL server certificate for an HTTPS server.
- Select the root certificate we created previously and click the
New Certificate
button. - Select the
Source
tab and select either the name of the custom template created in the step above or[default] TLS_server
underTemplate for new certificate
. Click theApply all
button, - Select the
Subject
tab and fill in theInternal Name
field with a name for this certificate and thecommonName
field with the fully-qualified hostname or IP address of the server that will use this certifcate. - Click the
Generate a new key
button. Enter a name for the key. I use the server hostname for the name. - The default life of the certificate will be 365 days. If you need to change this, go to the
Extensions
tab. - Click the
OK
button at the lower right to generate and save the root certificate. - Export both the server certificate combined with the CA certificate used to sign it by selecting the
PEM chain (*.pem)
export format. - Switch to the
Private Keys
tab and export the private key created for this certificate using thePEM private (*.pem)
export format. Change the output file's extension from "pem" to "key" so that it's clear that this is the key.
Installing the server certificate
On Fedora Apache web servers
- Set both the
SSLCertificateFile
and theSSLCertificateChainFile
options in theVirtualHost
definition to be the server certificate file, i.e., the full chain file, exported in the step above. - Set the
SSLCertificateKeyFile
option in theVirtualHost
definition to be the server's private key file exported in the step above. - Restart the httpd service
In the ntopng application on Linux
- Concatenate the server's full chain file and key file together into a single file called ntopng-cert.pem. Place this file into the
/usr/share/ntopng/httpdocs/ssl
directory and restart the application.
Installing the CA certificate
On Fedora Linux clients
In order to be able to trust the certificate being used by the webserver, each client must have a copy of the CA's root certificate in their CA trust configuration. To do this on Fedora Linux:
- Put the certifcate authority root certificate that we exported during the first step above into the
/etc/pki/ca-trust/source/anchors/
directory on each client, - Run the command
sudo update-ca-trust
on each client, - Reboot each client.