Home Network Cert Authority
The Home Lab post includes some web pages running on my home network at https://apollo.lan/, using the https protocol like websites on the internet.
The s in https stands for “secure”: the web server is serving pages over Transport Layer Security (TLS), using the website’s TLS certificate. Your computer reads this certificate from the website during the initial connection (the TLS handshake).
The certificate then serves two purposes,
letting your computer and the server agree on encryption keys, so the contents sent by the host server cannot be read or altered on the way to you
proving the contents came from the host server you asked for, because only the holder of the certificate’s private key can complete the handshake
A web browser’s address bar will display a lock icon when a website is secured by TLS.
A “Certificate is valid” or “Certificate details” button will show you the domain it secures and when it expires.
“Issued by” is the issuing certificate authority.
Domain Integrity
The domain of a website is its name in the address bar, like “john-todd.com” or “apollo.lan”. Domain integrity means that no computer on the internet (or on a home/office network) can present a valid TLS certificate for that domain, and so serve content as that domain, unless whoever runs it really controls the domain.
The way this works is,
TLS certificates are stacked (chained) one after another in a certificate file. The web browser confirms that each certificate in the chain was signed by the private key belonging to the next one (its issuer), all the way up to a root certificate.
TLS certificates are issued by certificate authorities, organizations whose job is to verify that whoever asks for a certificate really controls the domain before issuing it.
The certificate chain will include the certificate for the website domain, any intermediate certificates, and the certificate from the cert authority.
Computers ship with a folder full of cert authority certificates, called a trust cert store, and only trust certificate chains that end at (are rooted in) a certificate from the trust cert store.
You probably already realize I may own “john-todd.com”, but there’s no way I own “apollo.lan”. So how do you get a certificate for a domain you don’t own? Become the certificate authority yourself:
Generate an RSA private key that the cert authority will use to sign certificates. The -des3 option encrypts the key file with a passphrase (Triple DES); -aes256 does the same with a current cipher and is the better choice on recent OpenSSL releases.
openssl genrsa -des3 -out myCA.key 2048
Use the CA private key to generate a self-signed X.509 certificate, valid for 1825 days (five years), that will become our root certificate, then copy it under the name the cert authority will be known by
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
cp myCA.pem ToddReadyMixCA.pem
Generate a private key for an apollo.lan TLS certificate
openssl genrsa -out apollo.lan.key 2048
Generate a certificate signing request for apollo.lan, from its private key
openssl req -new -key apollo.lan.key -out apollo.lan.csr
Use the CA private key and the apollo.lan certificate signing request to issue a TLS certificate. Because it is signed with the CA key, it can only have come from our cert authority, and it can only be used with the private key that generated the signing request. The apollo.lan.ext file (not reproduced in this post) holds the X.509 extensions for the certificate; it must set subjectAltName to DNS:apollo.lan, because browsers match the host name against that extension rather than the Common Name.
openssl x509 -req -in apollo.lan.csr -CA ToddReadyMixCA.pem -CAkey myCA.key -CAcreateserial -out apollo.lan.crt -days 365 -sha256 -extfile apollo.lan.ext
Chain the apollo.lan TLS certificate (first) with the cert authority root certificate (after it) in one certificate file
cat apollo.lan.crt ToddReadyMixCA.pem >apollo.lan.fullchain.crt
Set up your own Certificate Authority
This deliciousbrains.com example had every step I needed: https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
Trusting your Cert Authority
After setting up a cert authority and issuing some certificates, you need to add your root certificate to your computer’s trust certificate store. Copy the root certificate file to your computer, then run the import command for its platform.
On macOS, add it to the System keychain as a trusted root:
$ sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" ToddReadyMixCA.pem
On Debian or Ubuntu, place it in /usr/local/share/ca-certificates/ with a .crt extension (the file stays PEM-encoded, only the name changes) and run update-ca-certificates, which only picks up .crt files:
$ cd /usr/local/share/ca-certificates/
$ sudo mv ToddReadyMixCA.pem ToddReadyMixCA.crt
$ sudo update-ca-certificates -v
Updating certificates in /etc/ssl/certs...
Doing .
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
link ToddReadyMixCA.pem -> 7f8aa668.0
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
The root certificate imported successfully after the filename change.
At this point you can issue certificates yourself for any domain at all. They are only trusted on computers whose trust cert store you have added the root to, but you own those computers, so that is exactly the set you control. The flip side is that anyone who gets hold of myCA.key can issue certificates those same computers will trust, for any domain, so keep the CA key passphrase-protected and off the machines that serve the sites.
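The issuance steps above and the trust-store import in this section as one script. This is an added example, not the post’s own code nor the deliciousbrains tutorial’s: it assumes openssl 1.1.1 or newer on PATH, reuses the ToddReadyMixCA and apollo.lan names from the post, invents the contents of apollo.lan.ext (the post does not show that file), and writes everything under a scratch directory you pass in. Instead of touching the real trust store it builds a throwaway directory containing the same subject-hash symlink that update-ca-certificates created above, and checks that the leaf certificate verifies only once the root is trusted.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: the CA steps as one
# non-interactive script, the checks to run before trusting the result, and a
# throwaway directory standing in for the system trust store.
# Assumptions: openssl 1.1.1+ on PATH; ToddReadyMixCA and apollo.lan are the
# names from the post; the contents of apollo.lan.ext below are my own choice;
# the first argument is any scratch directory.
set -eu

# Steps from the post. $1 = work directory, $2 = host name.
build_ca_and_leaf() {
  local dir="$1" host="${2:-apollo.lan}"
  mkdir -p "$dir"
  # CA private key. The post encrypts it (-des3); it is left unencrypted here
  # so the script runs without a passphrase prompt, so guard the file.
  openssl genrsa -out "$dir/myCA.key" 2048 2>/dev/null
  # Self-signed root, valid five years. The stock openssl.cnf (1.1.1) and the
  # 3.x defaults both mark it basicConstraints CA:TRUE; root_is_ca checks that.
  openssl req -x509 -new -key "$dir/myCA.key" -sha256 -days 1825 \
    -subj "/CN=ToddReadyMixCA" -out "$dir/ToddReadyMixCA.pem"
  # Leaf key and certificate signing request for the host.
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$host.key" -subj "/CN=$host" -out "$dir/$host.csr"
  # The extension file the post's signing command names (apollo.lan.ext).
  # subjectAltName is what browsers match the host name against; without it
  # the certificate is rejected even though the CN is right.
  cat >"$dir/$host.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
  # Sign the CSR with the CA key, then chain leaf first and root second.
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ToddReadyMixCA.pem" \
    -CAkey "$dir/myCA.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
  cat "$dir/$host.crt" "$dir/ToddReadyMixCA.pem" >"$dir/$host.fullchain.crt"
}

# Checks; each returns 0 when the property holds.
root_is_ca() {
  openssl x509 -in "$1/ToddReadyMixCA.pem" -noout -ext basicConstraints | grep -q 'CA:TRUE'
}
leaf_has_san() {
  openssl x509 -in "$1/$2.crt" -noout -ext subjectAltName | grep -q "DNS:$2"
}
# The leaf verifies when our root is the trusted CA (system store excluded)...
leaf_verifies_with_root() {
  openssl verify -no-CApath -CAfile "$1/ToddReadyMixCA.pem" "$1/$2.crt" >/dev/null 2>&1
}
# ...and fails when nothing is trusted, the state of a machine that has not
# imported the root yet.
leaf_verifies_with_no_roots() {
  openssl verify -no-CAfile -no-CApath "$1/$2.crt" >/dev/null 2>&1
}

# What update-ca-certificates does in miniature: put the root in a store
# directory and add the subject-hash symlink (the "7f8aa668.0"-style name in
# the post's output) that OpenSSL's -CApath lookup needs to find it.
install_root_into_store() {
  local dir="$1" store="$2" subj_hash
  mkdir -p "$store"
  cp "$dir/ToddReadyMixCA.pem" "$store/ToddReadyMixCA.pem"
  subj_hash="$(openssl x509 -noout -hash -in "$dir/ToddReadyMixCA.pem")"
  ln -sf ToddReadyMixCA.pem "$store/$subj_hash.0"
}
leaf_verifies_via_store() {
  openssl verify -no-CAfile -CApath "$2" "$1/$3.crt" >/dev/null 2>&1
}

# Usage: bash homeca.sh /tmp/homeca
if [ "$#" -gt 0 ]; then
  build_ca_and_leaf "$1" apollo.lan
  root_is_ca "$1" && leaf_has_san "$1" apollo.lan && leaf_verifies_with_root "$1" apollo.lan
  install_root_into_store "$1" "$1/store" && leaf_verifies_via_store "$1" "$1/store" apollo.lan
  echo "apollo.lan certificate verifies against ToddReadyMixCA, directly and via the store"
fi
```

The negative check is the one worth keeping around: a leaf that verifies with -CAfile but not with an empty store is exactly what a phone or laptop sees before the root is imported, and it is the quickest way to tell a trust-store problem from a bad certificate.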
Windows computers, iPhones, Android phones, and other computers of all kinds will have their own procedures to import new certificates into their trust cert stores.
The example at https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/#becoming-certificate-authority also includes the commands to add root certificates to them.