Create and deploy internally trusted SSL certificate for local networks
purpose
Create trusted SSL sites on the local network. For example: https://clusterman.cifarelli.loc/
implementation
Create a local CA
Generate the CA key. The -des3 option encrypts it with a password, which will be required for every certificate signing. Keep the password and the key file in a safe location: they are needed to issue every later certificate.
openssl genrsa -des3 -out cifarelliCA.key 4096
Generate a CA certificate for deployment on clients
openssl req -x509 -new -nodes -key cifarelliCA.key -sha256 -days 3650 -out cifarelliCA.crt
issue server certificate
This is the original procedure; see the new version below, which adds the subjectAltName that browsers now require.
Generate the key:
openssl genrsa -out clusterman.key 2048
Generate the certificate signing request:
openssl req -new -key clusterman.key -out clusterman.csr
Sign the certificate with the CA key and certificate:
openssl x509 -req -in clusterman.csr -CA cifarelliCA.crt -CAkey cifarelliCA.key -CAcreateserial -out clusterman.crt -days 3650 -sha256
deploy CA certificate to clients
This can be done via GPO.
Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies, right-click Trusted Root Certification Authorities and select Import
issue certificate for Windows IIS server
IIS only imports a .pfx file that bundles the server key, the server certificate and the CA certificate. To generate it:
openssl pkcs12 -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -export -out cifarelli.loc.pfx -inkey cifa.key -in cifa.crt -certfile cifarelliCA.crt
The -certpbe, -keypbe and -nomac options force the legacy SHA1/3DES encoding so that older Windows systems can import the file; leave them out when that compatibility is not needed.
issue server certificate NEW VERSION
Certificates issued as above are no longer accepted by browsers. Recent versions require the host names to be listed in the certificate's **subjectAltName** extension: the CN alone is ignored.
Set up a configuration file, saved as req.conf (the name used by the script below):
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
C = IT
ST = Lombardy
L = Pavia
O = CIFARELLI Spa
OU = IT labs
CN = cifarelli.loc

[v3_req]
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
subjectAltName = @alt_names

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.cifarelli.loc
Note that the wildcard *.cifarelli.loc does not cover the bare name cifarelli.loc; if that name is also served, add it as a separate DNS.2 entry.
Here are the next steps collected in a bash script *genera.sh*:
#!/bin/bash
# Usage: ./genera.sh certificatename  (expects ./req.conf, ./cifarelliCA.crt and ./cifarelliCA.key)
set -euo pipefail
if [ $# -ne 1 ]; then
    echo "usage: $0 certificatename" >&2
    exit 1
fi
name="$1"
# Create private key
openssl genrsa -out "${name}.key" 2048
# Create CSR (subject and SAN are taken from req.conf)
openssl req -new -key "${name}.key" -out "${name}.csr" -config ./req.conf
# Sign and release final certificate with the v3_req extensions (SAN included)
openssl x509 -req -in "${name}.csr" -CA ./cifarelliCA.crt -CAkey ./cifarelliCA.key -CAcreateserial -extfile ./req.conf -extensions v3_req -out "${name}.crt" -days 3650 -sha256
By running the following command:
./genera.sh certificatename
you will get certificatename.key, certificatename.csr and certificatename.crt; the CA password set with -des3 is requested at the signing step.
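Why the new procedure is needed, as an added example in Go (editor's code, not part of this page or its scripts): it builds the same CA and both kinds of server certificate with the standard library's crypto/x509 instead of openssl, then runs the check a client with the deployed CA performs, so the CN-only certificate fails and the subjectAltName one passes. The organization and host names are the page's; the function names Issue and VerifyFor are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue makes a 2048-bit RSA key and a certificate for cn valid 3650 days, as on
// the page. parent == nil gives the self-signed CA; otherwise the CA signs a server
// certificate and dnsNames fills subjectAltName (nil: the CN-only old procedure).
func Issue(cn string, dnsNames []string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{Organization: []string{"CIFARELLI Spa"}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(3650 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // serverAuth in v3_req
		DNSNames:     dnsNames,                                        // alt_names section
	}
	if parent == nil { // self-signed root, like "openssl req -x509 -new"
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyFor is the client side once the CA is deployed: build the chain to that CA
// only and match host against subjectAltName, as browsers now do (the CN is ignored).
func VerifyFor(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

For a certificate produced by genera.sh, openssl verify -CAfile cifarelliCA.crt -verify_hostname clusterman.cifarelli.loc certificatename.crt performs the equivalent check, and openssl x509 -in certificatename.crt -noout -ext subjectAltName shows the names that were actually included.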
