Not by Let's Encrypt alone: how to issue a certificate from a local certification authority
This article expresses the personal opinion of the author, his view of the world and his own path; it does not claim to be absolutely true or objective. The author bears no responsibility for the consequences of using this information and only hopes that it will make someone's life easier.
Why do we need all this?
War. War never changes. (c) Fallout
Yes, the war for your data never changes and never stops. It goes on every minute, every second, every tick of the processor.
But enough of this pretentious stuff; let's leave it to the marketers selling security products. Today's article is short but, I hope, very useful: how to make yourself a certificate signed by your own certification authority.
What will not be in this article:
how to set up your own certification authority
authorization using a certificate
an introduction to X.509
any exotic handling of certificates
What will be in this article:
how to create a certificate signed by the local certification server
how to create a certificate even if the system cannot generate the request itself
If you are interested, read on.
https://myserver, by the FQDN https://myserver.company.local, and even by IP https://???.3
It so happens that the application cannot generate a request itself but still needs a certificate. In that case, proceed as follows:
Create a file %name%.inf with the following contents:
[Version] - the version section; a version is a version, here as anywhere
Signature = "$Windows NT$" - I do not know what it is, maybe someone can tell me in the comments
[NewRequest] - I hope this is clear without explanation
Subject = "CN=hardware.company.local" - the canonical name for which the certificate is issued. In most cases it is the only one. If you address the service/device by some other name (for example, simply hardware), the certificate will not be considered valid; additional names must be added (more on that below).
Exportable = TRUE - whether the private key can be exported. If you set FALSE, this certificate can only be used on this server; you cannot take it anywhere else.
KeyLength = 2048 - the key length
KeySpec = 1 - I do not know what it is, maybe someone can tell me in the comments
KeyUsage = 0xA0 - I do not know what it is, maybe someone can tell me in the comments
MachineKeySet = TRUE - I do not know what it is, maybe someone can tell me in the comments
ProviderName = "Microsoft RSA SChannel Cryptographic Provider" - the cryptographic provider. It makes sense to change it... never. Well, unless you know exactly why you need to.
RequestType = PKCS10 - the request type. Change it only if you know exactly what you are doing.
[EnhancedKeyUsageExtension] - the block describing what this certificate can be used for
OID = ???.???.??? ; Server Authentication - server authentication
OID = ???.???.??? ; Client Authentication - client authentication
[RequestAttributes] - and finally, the additional names in the certificate
SAN = "dns=hardware.company.local&" - the fully qualified DNS name
_continue_ = "dns=hardware&" - the short name
_continue_ = "ipaddress=???.1" - the IP address
If you want to add more IP addresses or DNS names, add a corresponding line for each one: one line is one name or IP address. Each name or IP address must end with &, which tells certreq that more data follows. On the last line the & must not be present.
CertificateTemplate = TermFarm - the name of the template; you can also specify it when submitting the request (see below)
" - " - this marker denotes the beginning of a comment in this article. It must not be in the file. (The ";" on the OID lines is the INF comment syntax and may stay.)
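The "&" continuation rule above is easy to get wrong by hand, so here is an added Python helper (not from the article) that generates the same inf file. build_inf and san_lines are hypothetical names; the two EKU OIDs are the standard RFC 5280 serverAuth and clientAuth values, which the article leaves out; and the CN is added to the SAN list if it is missing, because clients match the host name against the SAN entries rather than the CN.

```python
import ipaddress

# Standard extended key usage OIDs from RFC 5280 (the article elides them).
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"


def san_lines(dns_names: list, ips: list) -> list:
    """Build the SAN / _continue_ lines for [RequestAttributes].
    Every entry except the last ends with '&' (more data follows); the last must not."""
    entries = [f"dns={name}" for name in dns_names]
    # ip_address() rejects typos such as 192.168.0.999 before certreq does.
    entries += [f"ipaddress={ipaddress.ip_address(ip)}" for ip in ips]
    if not entries:
        raise ValueError("at least one SAN entry is required")
    lines = []
    for index, entry in enumerate(entries):
        key = "SAN" if index == 0 else "_continue_"
        tail = "&" if index < len(entries) - 1 else ""
        lines.append(f'{key} = "{entry}{tail}"')
    return lines


def build_inf(cn: str, dns_names: list, ips: list = (),
              template: str = "WebServer", exportable: bool = True) -> str:
    """Return the complete .inf text for certreq -new (CRLF line endings)."""
    names = list(dns_names)
    if cn not in names:  # clients validate the SAN list, so the CN must be in it too
        names.insert(0, cn)
    body = [
        "[Version]",
        'Signature = "$Windows NT$"',  # mandatory INF header line
        "[NewRequest]",
        f'Subject = "CN={cn}"',
        f"Exportable = {'TRUE' if exportable else 'FALSE'}",
        "KeyLength = 2048",
        "KeySpec = 1",           # AT_KEYEXCHANGE key
        "KeyUsage = 0xA0",       # digitalSignature (0x80) | keyEncipherment (0x20)
        "MachineKeySet = TRUE",  # store the key in the computer store, not the user's
        'ProviderName = "Microsoft RSA SChannel Cryptographic Provider"',
        "RequestType = PKCS10",
        "[EnhancedKeyUsageExtension]",
        f"OID = {EKU_SERVER_AUTH} ; Server Authentication",
        f"OID = {EKU_CLIENT_AUTH} ; Client Authentication",
        "[RequestAttributes]",
        *san_lines(names, ips),
        f"CertificateTemplate = {template}",
    ]
    return "\r\n".join(body) + "\r\n"
```

Write the returned text to %name%.inf and pass it to certreq -new as described below.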
After creating the inf file, go to the issuing server.
Run cmd as administrator.
Run certreq -new C:\%cert_path%\%cert_name%.inf (the source inf file) C:\%cert_path%\%cert_name%.req (the req file)
Run certreq -attrib "CertificateTemplate:WebServer" C:\%cert_path%\%cert_name%.req
-attrib sets the name of the template from which the certificate is made.
It determines what you can certify with this certificate. Here it is standard server authentication; there are also client authentication, code signing, email, and many other templates.
C:\%cert_path%\%cert_name%.csr is the path to the request file.
The extension may be csr (as I understand it, mostly on *nix systems) or req (as I understand it, on Windows).
A window will open to select the certification authority:
If we were lucky and made no mistakes, we will get a window offering to save a file with the .cer extension. This is exactly what we need: the signed public part.
It would seem that this is happiness. But no: you still need to join the result with the private part. To do this, run mmc as administrator.
Add the "Certificates" snap-in.
Choose "Computer account" (this is important, otherwise you will not see the private part), and in the end we get this:
Certificates -> Certificate Enrollment Requests -> Certificates, right-click -> All Tasks -> Import
(if you look at the list of certificates, you should see our certificate; it will be named the same as the Subject line in the inf file)
Next -> choose the resulting cer file -> Next -> Finish
Select our certificate -> right-click -> All Tasks -> Export
In the next window -> Yes, export the private key (Next) -> tick the "all certificates" and "export all extended properties" checkboxes (Next) -> tick the "Password" checkbox and enter an incredibly complex password, 1 (in fact, if the file is going somewhere far away to someone else, the password really should be complex) -> Next -> choose where to save -> Finish
Take the certificate and feed it to the program or piece of hardware.
A nuance: some programs ask for the p12 format or something similar, but they accept pfx quite happily.
Installing the pfx on Nginx
- Copy the pfx to the machine with Nginx
- Extract the certificate from the pfx:
openssl pkcs12 -in mydomain.pfx -clcerts -nokeys -out mydomain.com.cer
- Extract the private key from the pfx:
openssl pkcs12 -in mydomain.pfx -nocerts -nodes -out mydomain.com.key