software:openssl:internalca:lan
| software:openssl:internalca:lan [2025/10/25 03:08] – removed - external edit (Unknown date) 127.0.0.1 | software:openssl:internalca:lan [2025/10/25 03:25] (current) – ↷ Links adapted because of a move operation rodolico | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== LAN SSL Certificates ====== | ||
| + | |||
| + | <WRAP center round important 60%> | ||
| + | The procedures described here are generally used for local networks. In only limited cases would this be useful for any public service. For example, you would not use this to secure your public web/ | ||
| + | </ | ||
| + | |||
| + | |||
| + | Most SSL Certificates are used on public facing devices and are provided by large organizations which specialize in this. For example, this web site uses an SSL certificate provided by [[https:// | ||
| + | |||
| + | In many cases it is useful to have SSL certificates in your Local Area Network (LAN), and these can not readily be provided by the public SSL organizations. They are designed for situations where you can prove ownership of a publicly visible service, like a web site or mail server. | ||
| + | |||
| + | There are a few companies which provide a service for internal networks, but the cost generally exceeds what most businesses are willing to spend, and as an alternative, | ||
| + | |||
| + | We will use openssl to generate the CA's and Server Certificates. The following articles walk you through doing this. Since, at [[https:// | ||
| + | <code bash>svn co http:// | ||
| + | |||
| + | **Note**: openssl has a built in command, ca, which was written as a sample minimal CA application. I chose not to use that since our needs (a dozen services, at most) and due to the warnings at the bottom of the man page (man 1 openssl-ca). | ||
| + | |||
| + | I have attempted to create a system which uses the recommended steps for such a small setup as of Fall 2025. You may find other articles saying to do things a different way. For example, an RSA private key can be created with any of these commands: | ||
| + | * openssl genrsa | ||
| + | * openssl req (with the -newkey parameter) | ||
| + | * openssl genpkey | ||
| + | I chose to go with //openssl genpkey// as that is the recommended way as of this date. But, be aware, there are multiple ways to achieve the result using openssl. | ||
| + | |||
| + | ===== Basic Procedure ===== | ||
| + | |||
| + | The steps to implementing a private, LAN based set of certificates is fairly straight forward. | ||
| + | |||
| + | - Install OpenSSL on a computer | ||
| + | - Almost all Unix systems (Linux, BSD, MacOS) have it pre-installed | ||
| + | - Windows systems, I'm not sure about since it is a cracker paradise. I'll try to put whatever I can find in [[software: | ||
| + | - [[software: | ||
| + | - [[software: | ||
| + | - [[software: | ||
| + | - For each service you need secure | ||
| + | - [[software: | ||
| + | - Copy the site certificate files to the servers containing the service | ||
| + | |||
| + | At this point, you should be able to access all services using SSL (https, smtps, ftps, imaps). | ||
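
Review bot: The checkout command on the `<code bash>` line (`svn co http://`) fetches the scripts that will generate the CA and server private keys over plain HTTP, so the code can be altered in transit before it is run. Point it at an https:// URL if the repository offers one, or publish a checksum or signed release that readers can verify after checkout. Separately, in the **Note** paragraph, "since our needs (a dozen services, at most) and due to the warnings" is missing its verb. Something like "since our needs are small (a dozen services, at most) and because of the warnings" would read cleanly. In Basic Procedure, "The steps ... is fairly straight forward" should be "are fairly straightforward".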
