Self Sign Certificate Creation & Configuration
Create a self-signed certificate with OpenSSL to secure a web server. This covers HTTPS encryption, SSL/TLS security and web server authentication configuration.
ENVIRONMENT
RHEL = 8.6 [Will use this machine as Certificate Authority]
Windows = 10 [Will use this machine as Client]
Browser = Firefox & Google Chrome
Important note = whether the certificate is self-signed or paid for, its domain name (subject / subject alternative name) must match the hostname by which the host machine is reached
CERTIFICATE AUTHORITY CREATION
ROOT Certificate Authority Creation
openssl req -x509 -sha256 -days 1825 -newkey rsa:2048 -keyout rootCA.key -out rootCA.crt
LAB

CERTIFICATE CREATION FOR END USER
How to create a self-signed certificate with OpenSSL
openssl genrsa -out domain.key 2048 #Key creation
openssl req -key domain.key -new -out domain.csr #CSR creation
OR
openssl req -newkey rsa:2048 -keyout domain.key -out domain.csr #Key & CSR creation in one go
openssl x509 -signkey domain.key -in domain.csr -req -days 365 -out domain.crt #Certificate creation
LAB

SIGN THE END-USER CERTIFICATE WITH THE SELF-SIGNED CERTIFICATE AUTHORITY
1- Make a file with below information
vi domain.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = ISC-DGB-2 #replace this with your FQDN
LAB

2- Sign the end-user certificate (for the endpoint machine) with the local self-signed Certificate Authority
openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in domain.csr -out domain.crt -days 365 -CAcreateserial -extfile domain.ext
LAB
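The root CA creation, the end-user key/CSR and both signing paths above (plain `-signkey` self-signing and signing with the lab CA plus domain.ext), run non-interactively in a scratch directory. This is an added example, not code from the original post; it also adds the check a browser effectively performs: does the server certificate chain to rootCA.crt, and does its SAN match the hostname being visited? The hostname www.lab.example, the CA passphrase, the minimal req.cnf and the keyUsage/extendedKeyUsage lines in domain.ext are assumptions for the lab; the file names rootCA.*, domain.* and domain.ext follow the post.

```shell
#!/bin/sh
# Added example (not from the original post): lab PKI end to end in a
# scratch directory, then verify the chain and hostname like a browser would.
set -eu

LAB_FQDN="www.lab.example"          # assumed lab hostname (use your own FQDN)
CA_PASS="pass:ChangeMe-LabOnly"     # assumed CA key passphrase (lab only)

# Minimal openssl config so the commands do not depend on the system default.
write_req_config() {     # $1 = work dir
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Lab Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

make_root_ca() {         # $1 = work dir  ("ROOT Certificate Authority Creation")
  write_req_config "$1"
  openssl req -x509 -sha256 -days 1825 -newkey rsa:2048 -config "$1/req.cnf" \
    -passout "$CA_PASS" -keyout "$1/rootCA.key" -out "$1/rootCA.crt" 2>/dev/null
}

make_server_csr() {      # $1 = work dir, $2 = FQDN  (key and CSR in one go)
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/req.cnf" \
    -subj "/CN=$2" -keyout "$1/domain.key" -out "$1/domain.csr" 2>/dev/null
}

# domain.ext as in the post; the SAN is what modern browsers actually match.
sign_with_ca() {         # $1 = work dir, $2 = FQDN
  cat > "$1/domain.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names
[alt_names]
DNS.1 = $2
EOF
  openssl x509 -req -sha256 -days 365 -CAcreateserial \
    -CA "$1/rootCA.crt" -CAkey "$1/rootCA.key" -passin "$CA_PASS" \
    -in "$1/domain.csr" -extfile "$1/domain.ext" -out "$1/domain.crt" 2>/dev/null
}

# The "-signkey" path from the post: a certificate signed by its own key.
self_sign_only() {       # $1 = work dir
  openssl x509 -req -days 365 -signkey "$1/domain.key" \
    -in "$1/domain.csr" -out "$1/selfsigned.crt" 2>/dev/null
}

# Returns 0 only if $2 chains to rootCA.crt AND its SAN/CN matches host $3.
verify_for_host() {      # $1 = work dir, $2 = cert file name, $3 = FQDN
  openssl verify -CAfile "$1/rootCA.crt" -verify_hostname "$3" "$1/$2" >/dev/null 2>&1
}

build_lab_pki() {        # $1 = work dir: runs every step above
  make_root_ca "$1"
  make_server_csr "$1" "$LAB_FQDN"
  sign_with_ca "$1" "$LAB_FQDN"
  self_sign_only "$1"
}

# Demo: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
  work=$(mktemp -d)
  build_lab_pki "$work"
  verify_for_host "$work" domain.crt "$LAB_FQDN" && echo "domain.crt: trusted for $LAB_FQDN"
  verify_for_host "$work" selfsigned.crt "$LAB_FQDN" || echo "selfsigned.crt: NOT trusted (no CA chain)"
  rm -rf "$work"
fi
```

The contrast in the demo is the point of the whole post: the certificate produced with `-signkey` is rejected by `openssl verify` (and by a browser) because nothing trusted vouches for it, while the one signed by the lab CA passes once rootCA.crt is the trust anchor. The `-verify_hostname` check also fails for any name not listed in the SAN, which is why the "Important note" in the ENVIRONMENT section matters.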

REMOVE PASSPHRASE FROM KEY FILE
This is sometimes needed when the endpoint application cannot supply a passphrase for a private key file with a .key extension
LAB

You may use this certificate and key for any application
ADD CERTIFICATE AUTHORITY CERTIFICATE IN TO CLIENT BROWSER
As an example, import the Root Certificate Authority certificate into the browser on the machine from which you access (over the LAN) the endpoint machine where the self-signed certificate is installed

EXAMPLE OF SELF SIGN CERTIFICATE CONFIGURATION FOR KONG & NGINX APPLICATIONS
KONG APPLICATION
Open the Kong configuration file and configure the settings as per the snapshot below. Make sure that the self-signed certificate and private key exist at the path given there
vi /etc/kong/kong.conf

Add a host entry to the local DNS server for the endpoint machine where the self-signed certificate is installed (in our case the Kong application machines) so that it can be reached by DNS name from any machine over the LAN

NGINX APPLICATION
1- APPLY SSL CERTIFICATE & KEY
See the configuration file below from /etc/nginx/nginx.conf

Make sure the closing brace of the server block is present at the end of the file

systemctl enable nginx
systemctl restart nginx
systemctl status nginx
Now browse the website name with https protocol
1.1- OPTIONAL CONFIGURATION
This redirects plain HTTP requests to HTTPS

2- APPLY ENCRYPTION ON SSL KEY
It is not wise to leave the private key unencrypted. In the lab below we encrypt the key with a passphrase and then let nginx read that passphrase from a file.
step-1 openssl rsa -aes256 -in CertificateKeyUnEncrypted_NAME.key -out Encrypted.key
step-2 in nginx.conf, replace the un-encrypted key file with the encrypted key file
step-3 comment out (#) the ssl on; directive in nginx.conf (it is deprecated; listen 443 ssl; covers it)
step-4 place the passphrase in a file and reference it from nginx.conf (this does not mean the key is secured; it is just a convenient way of supplying the passphrase automatically)
step-5 start the nginx service: systemctl start nginx
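The key-encryption steps above and the earlier REMOVE PASSPHRASE FROM KEY FILE section are two directions of the same operation, so one added example (not code from the original post) covers both: it encrypts a key with AES-256, proves the encrypted and plain files hold the same key pair by comparing the RSA modulus, strips the passphrase again for applications that cannot prompt, writes the passphrase file with restrictive permissions, and generates the nginx server block (including the optional HTTP-to-HTTPS redirect) that points at the encrypted key via the real nginx directive ssl_password_file. The hostname, the /etc/nginx/ssl paths and the passphrase are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): encrypt / decrypt an nginx
# private key and wire the encrypted key plus passphrase file into nginx.
set -eu

encrypt_key() {          # $1 = plain key in, $2 = encrypted key out, $3 = pass:...
  openssl rsa -aes256 -in "$1" -out "$2" -passout "$3" 2>/dev/null
}

strip_passphrase() {     # $1 = encrypted key in, $2 = plain key out, $3 = pass:...
  openssl rsa -in "$1" -out "$2" -passin "$3" 2>/dev/null
}

key_is_encrypted() {     # 0 if the PEM file carries an encryption marker
  grep -q 'ENCRYPTED' "$1"
}

# Same modulus => same key pair, whether or not the file is encrypted
# (openssl ignores -passin for an unencrypted input file).
keys_match() {           # $1 = key A, $2 = key B, $3 = pass:...
  a=$(openssl rsa -in "$1" -noout -modulus -passin "$3" 2>/dev/null)
  b=$(openssl rsa -in "$2" -noout -modulus -passin "$3" 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# The passphrase file is only as secret as its permissions: create it with
# umask 077 so it is never world-readable, not even briefly.
write_password_file() {  # $1 = file, $2 = passphrase
  (umask 077; printf '%s\n' "$2" > "$1")
}

write_nginx_ssl_conf() { # $1 = out file, $2 = FQDN, $3 = cert, $4 = key, $5 = pass file
  cat > "$1" <<EOF
# Optional step 1.1 from the post: plain HTTP only redirects to HTTPS.
server {
    listen 80;
    server_name $2;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;              # replaces the deprecated "ssl on;"
    server_name $2;
    ssl_certificate     $3;
    ssl_certificate_key $4;      # the ENCRYPTED key (step 2)
    ssl_password_file   $5;      # passphrase file, root-readable only (step 4)
    ssl_protocols       TLSv1.2 TLSv1.3;
}
EOF
}

# End-to-end run in a scratch dir; returns 0 only when every check passes.
# Chained with && so it is safe to call as "protect_key_demo d fqdn || ...".
protect_key_demo() {     # $1 = work dir, $2 = FQDN
  openssl genrsa -out "$1/plain.key" 2048 2>/dev/null &&
  encrypt_key "$1/plain.key" "$1/domain-enc.key" "pass:LabOnly" &&
  key_is_encrypted "$1/domain-enc.key" &&
  keys_match "$1/plain.key" "$1/domain-enc.key" "pass:LabOnly" &&
  strip_passphrase "$1/domain-enc.key" "$1/domain-plain.key" "pass:LabOnly" &&
  ! key_is_encrypted "$1/domain-plain.key" &&
  keys_match "$1/plain.key" "$1/domain-plain.key" "pass:LabOnly" &&
  write_password_file "$1/key.pass" "LabOnly" &&
  write_nginx_ssl_conf "$1/site.conf" "$2" "/etc/nginx/ssl/domain.crt" \
    "/etc/nginx/ssl/domain-enc.key" "/etc/nginx/ssl/key.pass" &&
  grep -q 'ssl_password_file' "$1/site.conf"
}

# Demo: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
  work=$(mktemp -d)
  protect_key_demo "$work" "www.lab.example" && echo "all key checks passed"
  cat "$work/site.conf"
  rm -rf "$work"
fi
```

As the post notes, the passphrase file does not make the key any safer than an unencrypted key on the same disk; its value is that the key file alone is useless if it is copied elsewhere without the passphrase file, and that both files can be locked down (0600, root-owned) and audited separately. Run `nginx -t` after installing the generated server block to confirm nginx can open both files.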

HAPROXY APPLICATION
1- cat your_domain.crt your_domain.key > your_domain.pem
2- Create a hosts-file entry whose name matches the name in the certificate

Now browse from browser
https://haproxy2x.abc.com:8443
Helpful link – https://webhostinggeeks.com/howto/how-to-configure-ssl-certificate-in-haproxy/