Hello friends,

Just about every guide that comes up on my Google search for “How to create certificate authority with OpenSSL” seems to be out-of-date. In particular, they all guide me towards creating a certificate that gets rejected by the browser due to the “Common Name” field deprecation and the requirement for a “Subject Alternative Name” field.

Does someone know a tool that creates a Certificate Authority and signs certificates with that CA? A tool that follows modern standards, gets accepted by browsers and other common web tools. Preferably something based on OpenSSL.

If you know a guide that does this using OpenSSL, even better! But I have low hopes for this after going through dozens of guides all having the same issue I mentioned above.

Replies to Some Questions you Might Ask Me

Why not just correct those two fields you mention?

I want to make sure I am doing this right. I don’t want to keep running into errors in the future. For example, I actually did try that, and the npm CLI rejected my certs without a good explanation (though the browser accepts it).

Why not Let’s Encrypt?

This is for private services that are only accessible on a private network or VPN

If this is for LAN and VPN only services, why do you need TLS?

TLS still has benefits. Any device on the same network could still compromise the security of the communication without TLS. Examples: random webcam or accessory at your house, a Meta Quest VR headset, or even a compromised smartphone or computer.

Use small step CA (or other ACME tools)

I am not sure I want the added complexity of this. I only have 2 services requiring TLS now, and I don’t believe I will need to scale that much. I will have to set up a way to consume the ACME server. I am happier with just a tool that spits out the certificates and I manage them that way, instead of a whole service for managing certs.

If I am overestimating the difficulty for this, please correct me.
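The CA-plus-leaf procedure the question asks for, as an added example that is not part of the original post or of any guide it mentions. It assumes OpenSSL 1.1.1 or newer (for `-verify_hostname` and the extension sections used here); the host name vault.home.lan, the address 192.168.1.10, the CA name and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal private CA with OpenSSL that
# issues a leaf certificate carrying a subjectAltName, then checks it the way a
# client would. Assumes OpenSSL 1.1.1 or newer. Names and addresses are made up.
set -eu

# make_private_ca DIR HOST: build the CA and a leaf cert for HOST inside DIR.
# Prints "verified" when the result passes chain and hostname verification.
make_private_ca() {
  dir=$1; host=$2
  mkdir -p "$dir"

  # One config file for all steps, so nothing depends on the system openssl.cnf.
  # [dn] stays empty because every subject is passed on the command line.
  cat > "$dir/pki.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$host,DNS:www.$host,IP:192.168.1.10
EOF

  # 1. CA key and self-signed root. ca.crt is what goes into each device's
  #    trust store; ca.key should live somewhere offline.
  openssl req -x509 -config "$dir/pki.cnf" -extensions v3_ca \
    -newkey rsa:3072 -nodes -sha256 -days 1825 \
    -subj "/CN=Home Lab Root CA/O=Home Lab" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

  # 2. Leaf key and CSR. The CN is only a label now; clients match on the SAN.
  openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$host" -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null

  # 3. Sign with the CA. The SAN is applied here, via -extfile/-extensions:
  #    plain `openssl x509 -req` does not carry extensions over from the CSR,
  #    which is the step most older guides skip.
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 398 -sha256 \
    -extfile "$dir/pki.cnf" -extensions v3_leaf -out "$dir/$host.crt" 2>/dev/null

  # 4. Chain and hostname verification, the same checks a TLS client performs.
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "www.$host" \
    "$dir/$host.crt" >/dev/null
  echo verified
}

# cert_matches_host CA CERT HOST: prints yes/no (chain valid AND name in SAN).
cert_matches_host() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

# san_of CERT: print the certificate's Subject Alternative Name values.
san_of() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Demo run
work=$(mktemp -d)
make_private_ca "$work" vault.home.lan
echo "SAN: $(san_of "$work/vault.home.lan.crt")"
echo "www.vault.home.lan -> $(cert_matches_host "$work/ca.crt" "$work/vault.home.lan.crt" www.vault.home.lan)"
echo "other.home.lan     -> $(cert_matches_host "$work/ca.crt" "$work/vault.home.lan.crt" other.home.lan)"
rm -rf "$work"
```

The part that matters is step 3: with `openssl x509 -req` the extensions come from the file named by `-extfile`, not from the CSR, so a guide that puts the SAN in the CSR and then signs without `-extfile` (or, on OpenSSL 3, without `-copy_extensions copy`) produces exactly the CN-only certificate browsers reject. `openssl verify -verify_hostname` is the quickest offline way to confirm a new certificate actually carries the name you will connect to.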

10 points

Just use xca as a simple GUI - it can do it all.

1 point

This is the way.

10 points

This tutorial is what you are looking for.

It’s what I used to achieve exactly what you want :). It’s a goldmine of information and will give you exactly what you want :).

There is a lot to read and process and the info is a bit scattered around, but everything you need to know (and more) is written there.

Good luck !

2 points

Looks great! I’m happy there’s a lot of depth here! Will report back when I go through it. Thanks a lot!

7 points

This is for private services that are only accessible on a private network or VPN

Even in that case, LE may still be easier than adding a new CA to every device that needs to talk to your services.

At least, it was for me running Vaultwarden.

1 point

Would that even work? Pointing my domain to a 192 IP address? I don’t see how that would work.

7 points

You can use a DNS challenge to show you are in control of the domain without having anything exposed to the net. Essentially LE gives you a special value you have to add as a TXT DNS entry. LE will check if this record exists for your domain, and gives you a certificate, no public IP involved. This even allows you to create wildcard certificates.

2 points

Yeah, but you’d need to own a public domain and use it for your LAN, no? Or would it be possible to get a letsencrypt certificate for example.local?

1 point

Would this work offline? Say a device only has access to LAN; no outside access. Can it still verify correctly?

1 point

Like the other commenter said, you can use Let’s Encrypt without needing to expose anything on your network to the internet. I set it up on my network a couple of weeks ago using this guide; I couldn’t get caddy to work with duckdns but it worked with Cloudflare without any trouble.

4 points

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters
CA (SSL) Certificate Authority
DNS Domain Name Service/System
IP Internet Protocol
SSH Secure Shell for remote terminal access
SSL Secure Sockets Layer, for transparent encryption
TLS Transport Layer Security, supersedes SSL
VPN Virtual Private Network

6 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

[Thread #535 for this sub, first seen 22nd Feb 2024, 20:25] [FAQ] [Full list] [Contact] [Source code]

3 points

Does someone know a tool that creates a Certificate Authority and signs certificates with that CA? (…) just a tool that spits out the certificates and I manage them that way, instead of a whole service for managing certs.

Yes, written in go, very small and portable: https://github.com/FiloSottile/mkcert.

Just be aware of the risks involved with running your own CA.

You’re adding a root certificate to your systems that will effectively accept any certificate issued with your CA’s key. If your PK gets stolen somehow and you don’t notice it, someone might be issuing certificates that are valid for those machines. Real CAs also have ways to revoke certificates that are checked by browsers (OCSP and CRLs), and they may employ other techniques such as cross-signing and chains of trust. All those make it so a compromised certificate is revoked and not trusted by anyone after the fact.

Why not Let’s Encrypt?

That’s fair, but if your only concern is “I do not want any public CA to know the domains and subdomains I use”, you can get around that.

Let’s Encrypt now allows for wildcards, so you can probably do something like *.network.example.org and have an SSL certificate that will cover any subdomain under network.example.org (e.g. host1.network.example.org). Or even better, get a wildcard like *.example.org and you’ll be done for everything.

I’m just suggesting this alternative because it would make your life way easier and potentially more secure without actually revealing internal subdomains to the CA.

Another option is to just issue certificates without a CA and accept them one at a time on each device. This won’t expose you to a possibly stolen CA PK, and you’ll get notified if the previously accepted certificate of some host changes.

```bash
# Self-signed certificate, no CA. ALT_NAMES is assumed here to be a bash array of
# extra openssl options, e.g. ALT_NAMES=(-addext "subjectAltName=DNS:$DOMAIN_BASE")
openssl req -x509 -nodes -newkey rsa:2048 \
  -subj "/CN=$DOMAIN_BASE/O=$ORG_NAME/OU=$ORG_UNIT_NAME/C=$COUNTRY" \
  -keyout "$DOMAIN_BASE.key" -out "$DOMAIN_BASE.crt" -days "$OPT_days" "${ALT_NAMES[@]}"
```
1 point

get a wildcard like *.example.org and you’ll be done for everything

This actually only covers the subdomain. It doesn’t extend to *.network.example.com. I spent last Saturday fighting my browsers until finding that out.

1 point

I don’t get what’s the issue… you can ask them to issue a certificate that includes wildcard subdomains and the root domain. https://community.letsencrypt.org/t/how-to-expand-certificate-with-a-wildcard-subdomain/133925

1 point

*.example.com only covers subdomains like network.example.com, not third-level domains like host1.network.example.com or *.network.example.com

