Wow, it's a long time without seeing an enjoyable, deep and detailed pki video presented by somebody who really knows what he is talking about and making himself crystal clear by explaining every if and why' s!
This is an outstanding video. For anyone viewing in 2022, note that browsers now require the subjectAltName extra, so cert signing requests formed without this will not be accepted. This shows as the somewhat unhelpful error "NET::ERR_CERT_COMMON_NAME_INVALID".
Some great little nuggets in this tutorial. I feel like I'm learning a lot more than some of the other courses I've looked at. Still overwhelmed by it. We'll get there
Well I watched about half of the video and I was so lost that I just stopped... :-) It was not you, it was me. I have no idea what I would use this for so I did not see the point of finishing... What I did watch was very well done. I am sure that someone needing this information will be happy as a lark! Lol Thanks you for the video! LLAP
This is how you set things up securely for your local/remote self hosted web_server .. Openssl can also be used to encrypt files , thats worth learning for anyone, check out the 'enc' function : ) .. Likely this will lead you to gpg and its encryption function + key management. Or maybe its just me that gets sucked down these various linux terminal rabbit holes lol . -education is never wasted
@@DDBAA24 Well I don't use servers or Web servers so yep it's not for me. I don't have a use for SSH other than updating my other computers in a terminal on my local 4 computer setup... :-) It wasn't my intention to say that "education is wasted" it is not! I just don't have a use case for this. Like I said, I'm sure some will find useful... :-) LLAP
48:30 If you working with a debian system, you need to do the following to make this work: as "root" copy your "ca.crt" into the directory "/usr/local/share/ca-certificates/" cp ~/ca/root-ca/certs/ca.crt /usr/local/share/ca-certificates/ next you need to update the ca-certificates dpkg-reconfigure ca-certificates you can choose either "yes" or "ask" and after the script finishes you see: Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d.... Adding debian:ca.crt done. done.
Thank you for this. I'm a junior sysadmin and the company I work for recently created a new CA to sign certs for a large number of iOS devices. I didn't undertake the work, but was curious as to how they implemented it. This video has given me much greater insight into how they achieved the task. Whats also interesting is the different certificate requirements iOS has between iOS 12/13 and now 14.
Very good tutorial apart from two things: a) Use of CN for the server hostname was deprecated like literally 20 years before this tutorial was created. And Firefox and Chrome stopped allowing it mere months after the tutorial appeared. b) The author should warn people that "openssl ca" is not a command you want to use in a production environment because it's quite buggy and it's very easy to corrupt your index database or similar. Openssl's own documentation admits as much.
If I'm being honest, I'm probably not going to understand it properly until I actually use it in my live env, and my env is just a simple server I want to make on my Raspberry Pi 4. But I know how important security is and will learn it. Thank you for this guide!
I mostly use OpenSSL to merge end user certs + intermediate certs + key files to create PFX for IIS server upload but this was interesting content as well
Just taking notes here, how can I create the intermediate CA when I have the RootCA on a different machine? The command given in this video wouldn't work. @32:30 Is it as simple as entering that command on the rootca machine then moving the sub-ca.csr and sub-ca.crt to the subca machine??
The intermediateCA send a request to the CA. In the same way the server sends a signing request to the Intermediate CA/ The files are transferred to and from the signing authorities
@@theurbanpenguin What I'm saying is that he is locally referencing directories from the same machine in that command. But in a real situation we would have the rootCA on a different machine thus making that command not work
Thank you for this excellent explanation on buiding CA/Inter/Server certs with OpenSSL, can you provide an update that includes the use of Subject Alternate Names?
One detail thats missing I can’t seem to make work - subject alternative names. I can get SANs for the server on the CSR, but after the Sub-CA signs it, they’re gone. What am I missing in sub-ca.conf? I’d like to specify multiple fqdn’s and IP addresses as SANs This is great. Thank you.
It has generated the CSR in sub-root but whenever i put command to sign the csr file, I receive the following errot " wrong number of fields on line 1 (looking for field 6, got 1, '' left) " may be any syntax error or what ?
Just had a class where we discussed PKI. Everyone (classmates and prof.) kept saying how complicated and expensive they were to implement. I knew OpenSSL existed and was wondering why a company wouldn't just do it in-house; doesn't seem that complicated (or expensive) to me... If you want a certificate for public SSL connection, sure, pay for one from one of the big vendors. Also, can you just create different CAs for user permission levels? For instance, an intermediate CA to certify database admin keys, and another CA for database users.
Thank you very much for this such a great video. The comments too are very much helpful. I have one query in this. With the server all set with private key and certificate how does the server sends the public key to the clients and how does that show up in the communication.
Dear Andrew, you are not using alt_names and you're using one domain name as a Common Name. What if I want to use hostname, localhost, IP address ... in addition to the domain name?
hi there, qq why did you switch to the root user?can't this tutorial be done as an unprivileged user?if yes then why not show the viewers how to do it as non root and it's also good practice
Wow, it's a long time without seeing an enjoyable, deep and detailed pki video presented by somebody who really knows what he is talking about and making himself crystal clear by explaining every if and why' s!
Thank you
This is an outstanding video. For anyone viewing in 2022, note that browsers now require the subjectAltName extra, so cert signing requests formed without this will not be accepted. This shows as the somewhat unhelpful error "NET::ERR_CERT_COMMON_NAME_INVALID".
Do you know how to add that SAN field?
A million-dollar stuff is now freely available to everyone. Thank you!!!!
Some great little nuggets in this tutorial. I feel like I'm learning a lot more than some of the other courses I've looked at. Still overwhelmed by it.
We'll get there
Well I watched about half of the video and I was so lost that I just stopped... :-)
It was not you, it was me. I have no idea what I would use this for so I did not see the point of finishing...
What I did watch was very well done. I am sure that someone needing this information will be happy as a lark! Lol
Thanks you for the video!
LLAP
I understand
This is how you set things up securely for your local/remote self hosted web_server .. Openssl can also be used to encrypt files , thats worth learning for anyone, check out the 'enc' function : ) .. Likely this will lead you to gpg and its encryption function + key management. Or maybe its just me that gets sucked down these various linux terminal rabbit holes lol . -education is never wasted
@@DDBAA24 Well I don't use servers or Web servers so yep it's not for me.
I don't have a use for SSH other than updating my other computers in a terminal on my local 4 computer setup... :-)
It wasn't my intention to say that "education is wasted" it is not! I just don't have a use case for this. Like I said, I'm sure some will find useful... :-)
LLAP
Thank you! I watch this video for the second time in the last few years, this is my go-to for a refresher in openSSL.
This is brilliant! Thank you. I didn't know about openssl running a server to test. Learned something new.
48:30 If you working with a debian system, you need to do the following to make this work:
as "root" copy your "ca.crt" into the directory "/usr/local/share/ca-certificates/"
cp ~/ca/root-ca/certs/ca.crt /usr/local/share/ca-certificates/
next you need to update the ca-certificates
dpkg-reconfigure ca-certificates
you can choose either "yes" or "ask" and after the script finishes you see:
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Adding debian:ca.crt
done.
done.
This is where the magic happens...!
Can only imagine how offended the fourth horseman is right now :-)
Apart from the above, this is a fantastic little lecture.
ooops Sorry number 4
Thank you for this. I'm a junior sysadmin and the company I work for recently created a new CA to sign certs for a large number of iOS devices. I didn't undertake the work, but was curious as to how they implemented it. This video has given me much greater insight into how they achieved the task. Whats also interesting is the different certificate requirements iOS has between iOS 12/13 and now 14.
Glad it was helpful!
Very good tutorial apart from two things: a) Use of CN for the server hostname was deprecated like literally 20 years before this tutorial was created. And Firefox and Chrome stopped allowing it mere months after the tutorial appeared. b) The author should warn people that "openssl ca" is not a command you want to use in a production environment because it's quite buggy and it's very easy to corrupt your index database or similar. Openssl's own documentation admits as much.
This was awesome , Thanks Mr.Penguin
thanks
This is such a great video! Very nice explanation and demonstration!
Thank you
This video is absolutely phenomenal. Thank you.
Thank you. It is not complete. I could have added more but I am glad you liked it
Very useful information. Well presented, and quite entertaining.
Glad you enjoyed it!
Excellent video and tutorial. You made it fun to learn. Kudos!
Hola eres un gran maestro y tienes un canal estupendo
If I'm being honest, I'm probably not going to understand it properly until I actually use it in my live env, and my env is just a simple server I want to make on my Raspberry Pi 4. But I know how important security is and will learn it. Thank you for this guide!
Great video!
Thank you so much. I am glad you liked it
Awesome content! It will help me with LPIC 303 exam! Much appreciated!
wow this video is gold, amazing explanation, thanks
Super , I implemented the same on my work to create local root-CA Intermediate-CA .Thanks a lot !!!
I mostly use OpenSSL to merge end user certs + intermediate certs + key files to create PFX for IIS server upload but this was interesting content as well
Such a nice video.... It is very helpful. Thank you very much.
Wow, this course is so good, thanks a lot :)
Amazing that this is free, big thank you sir 👍
Awesome video, thank you!!! 👍
Just taking notes here, how can I create the intermediate CA when I have the RootCA on a different machine? The command given in this video wouldn't work. @32:30
Is it as simple as entering that command on the rootca machine then moving the sub-ca.csr and sub-ca.crt to the subca machine??
The intermediateCA send a request to the CA. In the same way the server sends a signing request to the Intermediate CA/ The files are transferred to and from the signing authorities
@@theurbanpenguin What I'm saying is that he is locally referencing directories from the same machine in that command. But in a real situation we would have the rootCA on a different machine thus making that command not work
what a great explanation thank you so much!
Another diamond 💎. Thanks a lot.
My pleasure 😊
Thank you for this excellent explanation on buiding CA/Inter/Server certs with OpenSSL, can you provide an update that includes the use of Subject Alternate Names?
Quality mate keep it up
would you mind answering whether i need a new vm for the intermediateCA? how do i keep the rootCA offline if the intermediate is in the same vm?
One detail thats missing I can’t seem to make work - subject alternative names. I can get SANs for the server on the CSR, but after the Sub-CA signs it, they’re gone. What am I missing in sub-ca.conf? I’d like to specify multiple fqdn’s and IP addresses as SANs
This is great. Thank you.
Exact same question here.
Same issue, do you have a solution by any chance?
Have the same problem, would love to understand what is missing in the [ server_cert ] in the sub-ca.conf.
finally i understood whats the fuss about openssl
Cool
Awesome video..!
thanks for clear explanation.
It has generated the CSR in sub-root but whenever i put command to sign the csr file, I receive the following errot " wrong number of fields on line 1 (looking for field 6, got 1, '' left)
" may be any syntax error or what ?
Just had a class where we discussed PKI. Everyone (classmates and prof.) kept saying how complicated and expensive they were to implement. I knew OpenSSL existed and was wondering why a company wouldn't just do it in-house; doesn't seem that complicated (or expensive) to me... If you want a certificate for public SSL connection, sure, pay for one from one of the big vendors.
Also, can you just create different CAs for user permission levels? For instance, an intermediate CA to certify database admin keys, and another CA for database users.
You know your stuff !
Thank you very much for this such a great video. The comments too are very much helpful. I have one query in this. With the server all set with private key and certificate how does the server sends the public key to the clients and how does that show up in the communication.
11:06 I had to use "-newkey" instead of "- - newkey". Didn't dig into why this is, but thought it'd be worth putting here for someone else.
Amazing tutorial!! If possible can you make a tutorial about cfssl?
Nice vide, TNX
Dear Andrew, you are not using alt_names and you're using one domain name as a Common Name. What if I want to use hostname, localhost, IP address ... in addition to the domain name?
extend the subject with alt_names or create a configuration file
amazing ! thank you
hi there, qq why did you switch to the root user?can't this tutorial be done as an unprivileged user?if yes then why not show the viewers how to do it as non root and it's also good practice
Hallo ,
Why there is no "buy me Coffee" button here. You deserve one and for all your videos. Please consider it.
What happens when the expiry time is like 10K years?
PS: I followed the whole tutorial. Thanks for the detailed info to demystify the CA certs thing!
Super
Thank you
"Does anyone need a coffee?" - "I certaintly do"
LOL
Thanks
No problem
👍
Like.
11:14