{"id":1277,"date":"2017-06-28T12:19:12","date_gmt":"2017-06-28T17:19:12","guid":{"rendered":"http:\/\/lisa.rushworth.us\/?p=1277"},"modified":"2017-06-28T12:23:08","modified_gmt":"2017-06-28T17:23:08","slug":"openssl-as-a-trusted-ca","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=1277","title":{"rendered":"OpenSSL As A Trusted CA"},"content":{"rendered":"<p>There are wrappers for OpenSSL that provide certificate authority functionality, but I found myself spending a lot of time trying to get any to\u00a0<em>work<\/em>. Since I only wanted to generate a few internal certificates (i.e. not something that needed a simple interface for non-techies), I set up an OpenSSL certificate authority and used it to sign certificates.<\/p>\n<p>First, generate a public\/private keypair for your CA and a self-signed CA certificate (use however many days you want; this is ten years):<\/p>\n<p>openssl genrsa -aes256 -out ca.key 2048<br \/>\nopenssl req -new -x509 -key ca.key -out ca.cer -days 3652 -sha256<\/p>\n<p>The -aes256 option encrypts ca.key under a passphrase. Guard that key: anyone holding it (and its passphrase) can issue certificates that every machine in the domain will trust, so keep it off the servers that merely use certificates.<\/p>\n<p>Take ca.cer and publish it in your domain GPO as a trusted root certification authority (Computer Configuration =&gt; Policies =&gt; Windows Settings =&gt; Security Settings =&gt; Public Key Policies =&gt; Trusted Root Certification Authorities).<\/p>\n<p>If you are impatient, force the client to refresh Group Policy (gpupdate \/force). Otherwise wait. 
Eventually you will see your CA in the Windows computer&#8217;s certificate store as a trusted root certification authority.<\/p>\n<p><a href=\"http:\/\/lisa.rushworth.us\/wp-content\/uploads\/2017\/06\/CAPushedToDomainClient.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-1278\" src=\"http:\/\/lisa.rushworth.us\/wp-content\/uploads\/2017\/06\/CAPushedToDomainClient-1024x279.png\" alt=\"\" width=\"960\" height=\"262\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2017\/06\/CAPushedToDomainClient-1024x279.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2017\/06\/CAPushedToDomainClient-300x82.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2017\/06\/CAPushedToDomainClient-768x209.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2017\/06\/CAPushedToDomainClient.png 1135w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/a><\/p>\n<p>Now generate the server certificate(s), signed by the CA (again, use whatever value for days is reasonable for your purpose):<\/p>\n<p>openssl genrsa -aes256 -out gitlab.rushworth.us.key 2048<br \/>\nopenssl req -new -key gitlab.rushworth.us.key -out gitlab.rushworth.us.req<br \/>\nopenssl x509 -req -in gitlab.rushworth.us.req -out gitlab.rushworth.us.cer -days 365 -CA \/ca\/ca.cer -CAkey \/ca\/ca.key -sha256 -CAcreateserial<\/p>\n<p>The &#8220;-CAcreateserial&#8221; option creates a serial-number file (\/ca\/ca.srl, named after the CA certificate) if one does not exist; on subsequent requests you can omit it, and the serial number is read from, and incremented in, that file.<\/p>\n<p>Two caveats. First, &#8220;openssl x509 -req&#8221; copies no extensions from the request and adds no subjectAltName unless you supply one through -extfile, so the certificate above has none; modern browsers require a SAN and ignore the CN (Chrome has done so since version 58), so they will reject it even though it chains to a trusted root. Second, because the server key was generated with -aes256, the web server will prompt for its passphrase at start-up unless you give it an unencrypted copy of the key.<\/p>\n<p>Domain-joined clients will trust your certificate. 
Non-domain clients will need to import the CA certificate (ca.cer) into their own trust store (on Windows, the Trusted Root Certification Authorities store).<\/p>\n<p><a href=\"http:\/\/lisa.rushworth.us\/wp-content\/uploads\/2017\/06\/TrustedCert.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1282\" src=\"http:\/\/lisa.rushworth.us\/wp-content\/uploads\/2017\/06\/TrustedCert.png\" alt=\"\" width=\"506\" height=\"644\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2017\/06\/TrustedCert.png 506w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2017\/06\/TrustedCert-236x300.png 236w\" sizes=\"auto, (max-width: 506px) 100vw, 506px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>There are wrappers for OpenSSL that provide certificate authority functionality, but I found myself spending a lot of time trying to get any to\u00a0work. Since I only wanted to generate a few internal certificates (i.e. not something that needed a simple interface for non-techies), I set up an OpenSSL certificate authority and used it 
&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[235,234,236],"class_list":["post-1277","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-certificate-authority","tag-openssl","tag-ssl"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/1277","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1277"}],"version-history":[{"count":3,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/1277\/revisions"}],"predecessor-version":[{"id":1281,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/1277\/revisions\/1281"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1277"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1277"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1277"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
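The CA-and-leaf procedure from the post above, run end to end as one non-interactive script. This is an added example, not code from the original post: it assumes OpenSSL 1.1 or later on PATH with the distribution's default openssl.cnf installed, and the CA name, the hostname gitlab.example.test and the passphrase are placeholders. It deliberately departs from the post in two places a practitioner would want: the server key is written unencrypted so a daemon can load it unattended, and the leaf is signed with an -extfile so it carries a subjectAltName. It then checks that the leaf chains to the CA, that the SAN is really present, and that an unrelated self-signed CA does not verify the leaf.

```shell
#!/bin/sh
# Added example, not from the original post: the same CA and leaf-certificate
# procedure run non-interactively, with the extensions a modern client expects,
# followed by the checks a practitioner should run before deploying.
# Assumptions: OpenSSL 1.1 or later on PATH (default openssl.cnf installed);
# the hostname, CA name and passphrase below are placeholders.
set -eu

WORKDIR="$(mktemp -d)"
CA_PASS="ca-passphrase-CHANGE-ME"   # assumed; the post types this at the -aes256 prompt

# Step 1: encrypted CA key plus a self-signed CA certificate. The config makes
# the CA bits explicit (CA:TRUE, keyCertSign) instead of relying on whatever
# v3_ca section the system openssl.cnf happens to contain.
make_ca() {
  cat > "$WORKDIR/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Example Internal Root CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORKDIR/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORKDIR/ca.key" -passin "pass:$CA_PASS" \
    -config "$WORKDIR/ca.cnf" -out "$WORKDIR/ca.cer" -days 3652 -sha256
}

# Step 2: server key (left unencrypted so nginx/GitLab can load it unattended),
# a CSR, and the CA-signed leaf. The -extfile is what the post's command lacks:
# without it, x509 -req issues a certificate with no subjectAltName, and
# browsers that ignore the CN reject it even though the chain is valid.
make_leaf() {
  host="$1"
  cat > "$WORKDIR/$host.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$host
authorityKeyIdentifier = keyid,issuer
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.req" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/$host.req" -out "$WORKDIR/$host.cer" -days 365 -sha256 \
    -CA "$WORKDIR/ca.cer" -CAkey "$WORKDIR/ca.key" -passin "pass:$CA_PASS" \
    -CAcreateserial -extfile "$WORKDIR/$host.ext" 2>/dev/null
}

# Step 3: positive checks. The leaf must chain to ca.cer and must actually
# carry the SAN; returns 1 on either failure.
verify_leaf() {
  host="$1"
  openssl verify -CAfile "$WORKDIR/ca.cer" "$WORKDIR/$host.cer" 2>&1 | grep -q ': OK$' || return 1
  openssl x509 -in "$WORKDIR/$host.cer" -noout -text | grep -q "DNS:$host" || return 1
}

# Negative check: a certificate from some other self-signed CA must not
# verify our leaf. This is the property the GPO-distributed root relies on.
reject_unrelated_ca() {
  host="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Unrelated CA" -days 1 \
    -keyout "$WORKDIR/other.key" -out "$WORKDIR/other.cer" 2>/dev/null
  if openssl verify -CAfile "$WORKDIR/other.cer" "$WORKDIR/$host.cer" 2>&1 | grep -q ': OK$'; then
    return 1
  fi
  return 0
}

make_ca
make_leaf gitlab.example.test
verify_leaf gitlab.example.test
reject_unrelated_ca gitlab.example.test
echo "OK: $WORKDIR/gitlab.example.test.cer chains to $WORKDIR/ca.cer with a SAN; serial file: $WORKDIR/ca.srl"
```

The script leaves its output in the temporary directory it prints, so the files can be inspected with openssl x509 -text; in real use, generate ca.key on a machine that never serves traffic and copy only ca.cer and the issued leaf certificates off it.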