CA Server - OpenSSL

  • Published 2 Oct 2024

COMMENTS • 56

  • @TechTutorialsDavidMcKone
    @TechTutorialsDavidMcKone 3 years ago +3

    Config files used in the video below...
    NOTE: The policy has since been changed and match is not used for the Organization name. This is because some CSRs were found to cause problems when signing, where even though the Organization name was the same, openssl generated an error saying they didn't match
    *** root-ca.conf ***
    [ ca ]
    # 'man ca'
    # Used by the ca command
    default_ca = CA_default
    [ CA_default ]
    # Directory and file locations
    dir = .
    certs = $dir/certs
    new_certs_dir = $dir/newcerts
    database = $dir/index
    serial = $dir/serial
    RANDFILE = $dir/private/.rand
    # RANDFILE is for storing seed data for random number generation
    # Root CA certificate and key locations
    certificate = $dir/certs/root-ca.crt
    private_key = $dir/private/root-ca.key
    # Default message digest, we'll opt for SHA2 256bits
    default_md = sha256
    name_opt = ca_default
    cert_opt = ca_default
    default_days = 365
    preserve = no
    policy = policy_strict
    [ policy_strict ]
    countryName = supplied
    stateOrProvinceName = supplied
    organizationName = supplied
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional
    [ req ]
    # 'man req'
    # Used by the req command
    default_bits = 2048
    distinguished_name = req_distinguished_name
    string_mask = utf8only
    default_md = sha256
    # Extensions to use for -x509
    x509_extensions = server_cert
    [ req_distinguished_name ]
    # Certificate signing request
    countryName = Country Name (2 letter code)
    stateOrProvinceName = State or Province Name
    localityName = Locality Name
    organizationName = Organization Name
    organizationalUnitName = Organizational Unit Name
    commonName = Common Name
    emailAddress = Email Address
    # Defaults
    countryName_default = GB
    stateOrProvinceName_default = England
    organizationName_default = TempLab
    [ v3_ca ]
    # 'man x509v3_config'
    # Extensions for root CA
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    basicConstraints = critical, CA:TRUE
    keyUsage = critical, digitalSignature, cRLSign, keyCertSign
    [ usr_cert ]
    # `man x509v3_config`
    # Extensions for client certificates
    basicConstraints = CA:FALSE
    nsCertType = client, email
    nsComment = "OpenSSL Generated Client Certificate"
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer
    keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth, emailProtection
    [ server_cert ]
    # Extensions for server certificates
    basicConstraints = CA:FALSE
    nsCertType = server
    nsComment = "OpenSSL Generated Server Certificate"
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer:always
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
    ---
    *** csr/testserver-csr.conf ***
    [ req ]
    # 'man req'
    # Used by the req command
    default_bits = 2048
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    prompt = no
    [ req_distinguished_name ]
    # Certificate signing request
    countryName = GB
    stateOrProvinceName = England
    organizationName = TempLab
    commonName = test.templab.lan
    [ req_ext ]
    subjectAltName = @alt_names
    [ alt_names ]
    DNS.1 = test.templab.lan
    IP.1 = 172.16.21.20

  • @charles.oliveira
    @charles.oliveira 2 years ago +10

    How come you don't have thousands subscribers and views??? This video is BY FAR the best I've found out regarding OpenSSL for PKI. Thank you sir for your video!

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 2 years ago +1

      I've no idea what does and doesn't get view counts up these days, but at the end of the day, as long as someone finds a video useful, that's enough for me
      Anyway, thanks for the feedback, it's really appreciated. And glad to hear you found the video helpful

    • @DVMovies1999
      @DVMovies1999 2 years ago +2

      @@TechTutorialsDavidMcKone Can’t agree more with Charles! I’ve got some knowledge about certificates but not with setting up my own PKI. Always got some error and didn’t find out why. This video really helped with making the whole process much more clear. Thank you so much for your time and knowledge David 🙂

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 2 years ago +2

      That's really good to know so thanks for the feedback

  • @bambam0099
    @bambam0099 1 year ago +5

    One thing I have always hated when attending training courses is how the instructors have you enter commands but never explain why. Your comments are priceless and greatly appreciated. Not only are you easy to follow but more importantly, it's easy to understand why. Thank you for putting in the time for making the videos!

  • @HusseinHussein0x7
    @HusseinHussein0x7 5 months ago +1

    I already have servers with IIS and a paid SSL certificate. Does implementing OpenSSL affect the certificate on those servers?

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 5 months ago

      As far as I'm aware a web server can only use one certificate for a website
      But a web server can host multiple websites, each with their own certificate

  • @Aaron-n2x2v
    @Aaron-n2x2v 10 months ago +1

    Hi David, I've set up a root CA and set up Apache with the server certificates; however, I'm using an IP address and my browser isn't trusting the connection despite installing the rootca.crt into the web browser's certificate store. My question is: do I need to set up a DNS server before setting this up?

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 10 months ago

      You can have a certificate based on an IP address
      But usually you tie it to the fully qualified domain name and add the IP address as a subject alternate name to allow you to use both
      And although a DNS server helps, you can also just edit the hosts file on a computer and use that to resolve the FQDN

  • @КонстантинПучков-г8и
    @КонстантинПучков-г8и 7 months ago +1

    Good afternoon! Great, everything worked! Thank you very much!

  • @DrLevi1000
    @DrLevi1000 2 years ago +2

    Hi David,
    Also from me a big thank you for the excellent video about certificates. It helped me a lot understanding the whole process of certificate handling. I guess this detailed 1h40min+ video took you easily one day :)
    Thanks and enjoy your coffee :)
    Mark

  • @digitalpunkdaft
    @digitalpunkdaft 1 year ago +2

    David, I struggled for over 3-4 months to create my own CA server, thank you for sharing this knowledge and for explaining everything so well. I really appreciate your work and knowledge, greetings from Mexico

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 1 year ago +1

      OpenSSL can be confusing to use as a CA but it's very useful for internal use
      So glad to hear the video was helpful

  • @itssoaztek4592
    @itssoaztek4592 2 years ago +2

    Thank you for your effort to provide a great resource on openssl !! It helped me immensely to make my private network more secure.

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 2 years ago

      Thanks for the feedback, always appreciated
      And good to hear you found the video helpful

  • @jonathanrider4417
    @jonathanrider4417 1 year ago +2

    Thank you for this David! This subject is not generally covered very well in my opinion (novice) - your explanations, while somewhat lengthy, are very illuminating to me. Certificates have been a big mystery to me and all of this is very helpful. I hope to be signing some certificates soon thanks to you!

  • @1908gonzo
    @1908gonzo 1 year ago +1

    Excellent job on this video. So very helpful. The SSL world can get really complicated with self-signed CA and server keys and certificates. You've helped make it so much more clear.

  • @marinatyres7630
    @marinatyres7630 2 years ago +1

    Very informative video. I have an OpenSSL query, if you can help. In the 'ecstresstest' I want to know the key value of 'kP256DefaultResult' if I set NUM_REPEATS equal to 100 only. Can you tell me how to find that?

  • @sidneyking11
    @sidneyking11 2 years ago +1

    @Tech Tutorial, I am thinking about setting up a RootCA Ubuntu server. My Chrome browser has issues connecting to my internet webserver or other admin pages on the inside of my network. Certificates are still difficult to get the browser to behave right with if it gets a self-signed certificate. At least the Safari browser would give the error but does give an option to access the website. I have not had a chance to view your video completely; does it cost to get a legit certificate or make my server a RootCA? I would like to make everything on my network require https. Not being an experienced Linux person, sometimes it's difficult to follow all the steps.
    Thank you

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 2 years ago

      Part of the problem with using a public certificate authority is that you need to own a domain and they need to check a server is legitimate so they would want access to a public facing server
      I have worked with companies that had public servers who purchased wildcard certificates to then use internally on any internal device
      As I don't have a public server and due to the costs, I opted for an internal root CA

  • @flymoracer
    @flymoracer 1 year ago +1

    Really interesting post, thanks. It's true that revocation, at least for internet browsers, is currently broken, but there are very valid use cases where it can still be useful. For the purposes of a private home lab CA this solution is perfect. Nice and simple, assuming a basic level of understanding of how certificates and CAs work, and doesn't require a private CA infrastructure, which would be overkill in this situation. In a business setting though I'd really consider the security implications as this approach does ignore some of the widely accepted good practice. Also, beyond a really small implementation I'd suggest that it's too labour intensive and prone to errors. If you're issuing certificates for any public facing servers then there are great solutions from the likes of Let's Encrypt, but that's a different use case. Great video.

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 1 year ago +1

      Thanks for the feedback, really appreciated
      The problem with certificate revocation is it's no longer supported by the likes of Google Chrome, or at least not when it involves a private CA as they've adopted a different strategy
      For public use, there's certainly no gain in using something like this, especially when the whole process can now be automated
      So this is more for internal use as unless you have public facing servers, the validation still requires giving away private information which has never been a good idea

  • @hugocalhau6937
    @hugocalhau6937 3 months ago +1

    Very nice video

  • @krishnaspicy
    @krishnaspicy 2 years ago +1

    Great Video! I have implemented Internal certificate Authority in our environment. It is working well. Good explanation. Once again, thank you.

  • @pama1
    @pama1 2 years ago +1

    Content is awesome, will be trying this in my lab later this week. One improvement would be to use bigger font or zoom into the work area to read more easily.

  • @bcthales8673
    @bcthales8673 2 years ago +1

    You missed a big part in configuration: CRLs or OCSP setup. Otherwise good.

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 2 years ago

      Thanks for the feedback, it's really appreciated
      It's a while since I made this video but I think I tried to explain that I deliberately ignored those options
      The reason why is they'd fallen out of favour with web browser manufacturers
      Google for instance seemed to have switched over to some other mechanism where they provide the web browser with revoked certificate information rather than the web browser checking with the revocation server and that won't work for a private CA
      I noticed a setting in Firefox for OCSP mind, but with less than 4% of the market share it didn't seem worthwhile even using that

  • @He-Is-One-and-Only
    @He-Is-One-and-Only 7 months ago +1

    Thank you, and I am sorry, it's not even 17 minutes in and I am in a deep sleep 😴😴😴 Could have just made the video 30 minutes max. There's too much talking, a lot of beating around the bush using vector graphics. Sorry bro, I don't like it tbh

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 7 months ago

      I appreciate the feedback
      This was one of my earlier videos when the channel was just getting started
      Since then I've been taking on advice from folks like yourself to get better
      But again, thanks for taking the time to leave a comment

  • @alphenit
    @alphenit 1 year ago +1

    Thanks for this great tutorial @Tech Tutorials - David McKone!
    Was wondering: if somehow you had problems with your CA server VM (for example, upgrading Linux doesn't go well) and you decide you want a new server VM, do you just install a new VM and copy over everything in /home/caadmin to the new server and all is well, or is it more complicated than that?

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 1 year ago +1

      Because it's a VM you can take a snapshot before doing any upgrades and roll it back if things go bad
      But if for some reason you wanted a different computer, then you can just copy the contents across

    • @alphenit
      @alphenit 1 year ago

      @@TechTutorialsDavidMcKone For sure. I installed it on a minimal Ubuntu machine but have been looking at NixOS also so might need to migrate at some point :)
      Another question: do you always need to create a csr/device.conf if you need to create a new cert for a new device? Or is uploading the CSR from the target device enough?
      Guess I don't understand that bit well enough. When you create a CSR for VMware vCenter, for example, you have to fill out all the fields anyway, so I don't grasp what extra the conf file brings you?

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 1 year ago

      @@alphenit Web browsers like Google Chrome need a Subject Alternate Name in the certificate
      Even though that will probably be in the CSR, OpenSSL ignores it
      So you need an extra file for OpenSSL to read the SAN details from to get a signed certificate which includes the SAN
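Worked example of the point made in this reply and of the two config files in the pinned comment above. This is an added example, not code from the video or the pinned comment: it builds a cut-down root-ca.conf and testserver-csr.conf inline (same shape as the pinned ones, with a throw-away directory instead of /home/caadmin), signs the CSR once without and once with the extension file, and checks which certificate kept the SAN.

```shell
set -eu
WORK=$(mktemp -d) && cd "$WORK"          # throw-away CA directory, constructed for this example
mkdir -p newcerts private && touch index && echo 1000 > serial
cat > root-ca.conf <<'EOF'               # cut-down version of the pinned root-ca.conf
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index
serial = $dir/serial
certificate = $dir/root-ca.crt
private_key = $dir/private/root-ca.key
default_md = sha256
default_days = 365
unique_subject = no
policy = policy_strict
[ policy_strict ]
commonName = supplied
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = TempLab Test Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
cat > testserver-csr.conf <<'EOF'        # same shape as the pinned csr/testserver-csr.conf
[ req ]
distinguished_name = dn
req_extensions = req_ext
prompt = no
[ dn ]
CN = test.templab.lan
[ req_ext ]
subjectAltName = DNS:test.templab.lan, IP:172.16.21.20
EOF
openssl req -x509 -new -config root-ca.conf -extensions v3_ca -newkey rsa:2048 -nodes -keyout private/root-ca.key -out root-ca.crt 2>/dev/null
openssl req -new -config testserver-csr.conf -newkey rsa:2048 -nodes -keyout test.key -out test.csr 2>/dev/null
# 1) sign the CSR as-is: openssl ca silently drops the SAN the CSR asked for
openssl ca -batch -config root-ca.conf -in test.csr -out no-san.crt 2>/dev/null
# 2) sign again, telling openssl ca to read [ req_ext ] from the CSR's conf file
openssl ca -batch -config root-ca.conf -extfile testserver-csr.conf -extensions req_ext -in test.csr -out with-san.crt 2>/dev/null
# returns 0 only when the certificate carries the expected DNS SAN
has_san() { openssl x509 -in "$1" -noout -text | grep -q 'DNS:test.templab.lan'; }
has_san with-san.crt && ! has_san no-san.crt && echo "SAN kept only when -extfile is used"
```

The other way to keep the SAN is `copy_extensions = copy` under [ CA_default ], which makes `openssl ca` honour every extension the CSR requests; that is convenient, but it means a CSR can also ask for extensions such as basicConstraints CA:TRUE, so the signer should inspect the CSR first.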

    • @alphenit
      @alphenit 1 year ago

      @@TechTutorialsDavidMcKone ah I see now, thank you, subscribed!

  • @sidneyking11
    @sidneyking11 2 years ago +1

    In your video at 50:00 you reference a root-ca.conf file. Where to locate this file? I do not see it in my ca folder. thank you

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 2 years ago

      It's the base config file for the Root CA server and you have to create this
      Check my pinned comment for this as the description wouldn't accept it

    • @nonkelsue
      @nonkelsue 1 year ago

      @@TechTutorialsDavidMcKone Where can this 'pinned comment' be found? I must be overlooking it...

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 1 year ago +1

      @@nonkelsue Not sure if I forgot to pin it but it is now, so it's at the top of the comments

    • @nonkelsue
      @nonkelsue 1 year ago

      @@TechTutorialsDavidMcKone Thanks David! Appreciated!

  • @soniablanche5672
    @soniablanche5672 1 year ago +1

    On Windows, Chromium-based browsers (Chrome, Brave, Edge, etc.) will recognize CAs that are in the Trusted Root CA store; for Firefox you will have to set security.enterprise_roots.enabled to true for Firefox to recognize CAs in the Trusted Root CA store

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 1 year ago

      Thanks for the feedback, really appreciated
      Which version of Windows are you using?
      I double checked on a computer running Windows 10 Pro 21H2 and I just imported the certificate for Firefox as a trusted root CA
      Hit Ctrl-F5 and it now accepts the certificate
      I checked the settings and security.enterprise_roots.enabled was set to true
      The setting is also locked

    • @soniablanche5672
      @soniablanche5672 1 year ago

      @@TechTutorialsDavidMcKone I'm also on Windows 10