this post was submitted on 22 Feb 2024
47 points (96.1% liked)

Selfhosted

39435 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Hello friends,

Just about every guide that comes up on my Google search for "How to create certificate authority with OpenSSL" seems to be out-of-date. Particularly, they all guide me towards creating a certificate that gets rejected by the browser due to the "Common Name" field deprecation, and the requirement of "Subject Alternative Name" field.

Does someone know a tool that creates a Certificate Authority and signs certificates with that CA? A tool that follows modern standards, gets accepted by browsers and other common web tools. Preferably something based on OpenSSL.

If you know a guide that does this using OpenSSL, even better! But I have low hopes for this after going through dozens of guides all having the same issue I mentioned above.

Replies to Some Questions you Might Ask Me

Why not just correct those two fields you mention?

I want to make sure I am doing this right. I don't want to keep running into errors in the future. For example, I actually did try that, and npm CLI rejected my certs without a good explanation (through browser accepts it).

Why not Let's Encrypt?

This is for private services that are only accessible on a private network or VPN

If this is for LAN and VPN only services, why do you need TLS?

TLS still has benefits. Any device on the same network could still compromise the security of the communication without TLS. Examples: random webcam or accessory at your house, a Meta Quest VR headset, or even a compromised smartphone or computer.

Use small step CA (or other ACME tools)

I am not sure I want the added complexity of this. I only have 2 services requiring TLS now, and I don't believe I will need to scale that much. I will have setup a way to consume the ACME server. I am happier with just a tool that spits out the certificates and I manage them that way, instead of a whole service for managing certs.

If I am over estimating the difficulty for this, please correct me.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 10 months ago (2 children)

I talked about this a bit in my post, but my issue with small step is it seems I have to maintain a web service and obtain my certs through API requests. I worry that this might be more hassle and setup than just generating the cert on a CLI for the two end points I have.

Am I over estimating the overhead here?

[–] [email protected] 1 points 10 months ago

I can't say if you are overstating it but, only mention that I went through a similar path. I had it multiple scripts running and it was a neverending thing.

Since I have moved to small step I never had a problem.

The biggest advantage I got is for products like opnsense, you can do automatic renewal of certificates using your internal CA.

Generating new certs is still as simple (actually much easier for me) than relying on openssl or easyrsa scripts.

[–] [email protected] 1 points 10 months ago

What?

It's a single process that runs a ca, it might well be a web service but that's built in. I use it for SSH certificates in my homelab, setup was a doddle.

Might have a look at the web cert bit, but you might find certbit can connect and get a cert