Internal network with TLS / HTTPS connections - Self-signed certificates (CA)

Installing the trusted self-signed certificate on different operating systems

-----------------------------------------------------------------

Mac OS X: sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/new-root-certificate.crt
Remove:   sudo security delete-certificate -c "<name of existing certificate>"   (the certificate's Common Name)

Windows (run as Administrator; add -user to install for the current user only): certutil -addstore -f "ROOT" new-root-certificate.crt
Remove:   certutil -delstore "ROOT" <serial-number-hex or Common Name>

Linux (Ubuntu, Debian):
Copy your CA (PEM format; the file name must end in .crt or update-ca-certificates ignores it): sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
Update the CA store: sudo update-ca-certificates
Remove:   delete /usr/local/share/ca-certificates/foo.crt, then rebuild the store from scratch: sudo update-ca-certificates --fresh
Note: this store is used by OpenSSL/GnuTLS-based tools (curl, wget, apt, Python); Firefox and Chromium keep their own NSS databases and need the certificate imported separately.

Linux (CentOS 6):
Install the ca-certificates package: yum install ca-certificates
Enable the dynamic CA configuration feature: update-ca-trust force-enable
Add it as a new file to /etc/pki/ca-trust/source/anchors/: cp foo.crt /etc/pki/ca-trust/source/anchors/
Update the CA store: update-ca-trust extract
Remove:   delete the file from /etc/pki/ca-trust/source/anchors/ and run update-ca-trust extract again
(CentOS/RHEL 7 and later use the shared store by default: only the copy into the anchors directory and update-ca-trust are needed.)
Linux (CentOS 5)
Append your trusted certificate to the file /etc/pki/tls/certs/ca-bundle.crt (keep a copy of foo.crt so it can be re-appended if a package update replaces the bundle):
cat foo.crt >>/etc/pki/tls/certs/ca-bundle.crt

SUSE
Copy your CA to the directory /etc/pki/trust/anchors/: sudo cp foo.crt /etc/pki/trust/anchors/foo.crt
Update the CA store: sudo update-ca-certificates
Remove:   delete /etc/pki/trust/anchors/foo.crt and run sudo update-ca-certificates again

====================================================================

Create a self-signed certificate for a specific host in your network (e.g. an internal website/webserver)

----------------------------------------------------------------------------------------------------------

vi /root/SelfSigned_request.cnf
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = NL
ST = NB
L = <City>
O = Unix4Life
OU = Admins
CN = <YOUR IP ADDRESS OF THE WEBSERVER TO CONNECT !!!>
[v3_req]
# RSA key: digitalSignature for (EC)DHE cipher suites, keyEncipherment for RSA key exchange.
# keyAgreement is meant for DH/ECDH keys and is wrong for an RSA certificate.
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# Modern browsers (Chrome since version 58) match the subjectAltName only and ignore the CN,
# so every name and address you will type in the address bar must be listed below.
subjectAltName = @alt_names
[alt_names]
DNS.1 = unix4life
IP.1 = <AGAIN THE SAME IP ADDRESS>

Generate the key and the certificate (valid for 10 years). -nodes writes the private key unencrypted, so keep /etc/ssl/private/ss-unix4life.key readable by root only; the .crt is public and is the only file that goes to the clients.
2048-bit variant (faster handshakes, still adequate):
###openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -sha256 -keyout /etc/ssl/private/ss-unix4life.key -out /etc/ssl/certs/ss-unix4life.crt -config /root/SelfSigned_request.cnf
4096-bit variant used here:
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -sha256 -keyout /etc/ssl/private/ss-unix4life.key -out /etc/ssl/certs/ss-unix4life.crt -config /root/SelfSigned_request.cnf
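The generation step above and the client-side trust-store installation at the top of this page can both be checked before the .crt is handed to anyone. The script below is an added example and not part of the original page: it writes a parameterised copy of the request config, generates key and certificate, prints the SHA-256 fingerprint to compare on the client side, checks which names match the subjectAltName the way a browser does, and runs the chain validation an OpenSSL-based client performs against a PEM bundle. Assumptions: OpenSSL 1.1 or newer on PATH, IPv4 addresses only, a 2048-bit key for speed (use rsa:4096 as on the page if you prefer), and the file names ss.key/ss.crt and the locality "Example City" are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): build the self-signed server
# certificate from a parameterised copy of SelfSigned_request.cnf and check it
# the way clients will. Assumes OpenSSL 1.1+ on PATH and IPv4 addresses;
# file names (ss.key/ss.crt), the locality and the 2048-bit key are placeholders.
set -u

# make_selfsigned_cert OUTDIR IP DNSNAME [DAYS]
# Writes OUTDIR/ss.key (mode 0600, unencrypted like the page's -nodes) and
# OUTDIR/ss.crt. CN is the IP address as on the page; the SAN carries both names.
make_selfsigned_cert() {
    outdir=$1; ip=$2; dnsname=$3; days=${4:-3650}
    mkdir -p "$outdir"
    cnf=$outdir/SelfSigned_request.cnf
    cat >"$cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = NL
ST = NB
L = Example City
O = Unix4Life
OU = Admins
CN = $ip
[v3_req]
# RSA key: digitalSignature for (EC)DHE suites, keyEncipherment for RSA key exchange
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $dnsname
IP.1 = $ip
EOF
    # umask 077 so the unencrypted key is never world-readable, not even briefly
    (umask 077 && openssl req -x509 -nodes -days "$days" -newkey rsa:2048 -sha256 \
        -keyout "$outdir/ss.key" -out "$outdir/ss.crt" -config "$cnf" >/dev/null) || return 1
    chmod 644 "$outdir/ss.crt"   # the certificate is public; the key stays 0600
}

# cert_fingerprint CERT: SHA-256 fingerprint to read out to whoever installs the
# certificate on a client; they compare it with what certutil/security/the browser
# shows before trusting it, so a file swapped on the way is noticed.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# cert_matches CERT NAME: does NAME (DNS name or IPv4 address) match the SAN?
# This is the check a browser makes; the CN on its own is not consulted.
cert_matches() {
    cert=$1; name=$2
    case $name in
        *[!0-9.]*) openssl x509 -noout -in "$cert" -checkhost "$name" ;;
        *)         openssl x509 -noout -in "$cert" -checkip "$name" ;;
    esac | grep -q 'does match'
}

# verify_with_store STORE CERT NAME: the validation an OpenSSL-based client
# (curl, wget, ...) performs once the certificate sits in its trust store.
# STORE is a PEM bundle (Debian: /etc/ssl/certs/ca-certificates.crt after
# update-ca-certificates). -partial_chain: the trust anchor is the server
# certificate itself rather than a CA that issued it.
verify_with_store() {
    store=$1; cert=$2; name=$3
    case $name in
        *[!0-9.]*) flag=-verify_hostname ;;
        *)         flag=-verify_ip ;;
    esac
    openssl verify -partial_chain -CAfile "$store" "$flag" "$name" "$cert" 2>&1 | grep -q ': OK$'
}

# Walk-through when run as: sh selfsigned-check.sh demo
if [ "${1:-}" = demo ]; then
    dir=$(mktemp -d)
    make_selfsigned_cert "$dir" 192.168.178.2 unix4life || exit 1
    echo "SHA-256 fingerprint: $(cert_fingerprint "$dir/ss.crt")"
    for n in unix4life 192.168.178.2 www.example.com; do
        if cert_matches "$dir/ss.crt" "$n"; then echo "$n: matches SAN"; else echo "$n: no SAN match"; fi
    done
    verify_with_store "$dir/ss.crt" "$dir/ss.crt" unix4life && echo "chain OK with ss.crt as the only trust anchor"
    ls -l "$dir"
fi
```

After installing the .crt on a Debian/Ubuntu client, run verify_with_store with /etc/ssl/certs/ca-certificates.crt as the store and the name you will use in the address bar; a name that is not in the SAN fails the check even though the certificate is trusted, which is why both DNS.1 and IP.1 are listed in the config.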


Add the next Apache site config to your current configuration (mod_ssl and mod_headers must be enabled; "Protocols h2" additionally needs mod_http2, Apache 2.4.17 or newer and a threaded MPM such as event, not prefork):

vi /etc/apache2/sites-available/internal-external-ssl.conf (add with a ServerName 192.168.178.2)
<VirtualHost *:443>
        ServerName <AGAIN THE IP ADDRESS>
        ServerAdmin webmaster@localhost
        DocumentRoot /usr/local/nagios/share
        ErrorLog ${APACHE_LOG_DIR}/error2.log
        #CustomLog ${APACHE_LOG_DIR}/access2.log combined
        SSLEngine on
        SSLCertificateFile      /etc/ssl/certs/ss-unix4life.crt
        SSLCertificateKeyFile   /etc/ssl/private/ss-unix4life.key
        Protocols h2 http/1.1
        # HSTS for 2 years. Browsers only record it once the certificate validates
        # (i.e. after the .crt is installed on the client) and never for a host
        # addressed by IP, so it only takes effect for the DNS name from the SAN.
        Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

optional:
a2dissite 000-default-le-ssl.conf   => disable the old config
a2ensite internal-external-ssl.conf  => enable the new config

Trust the certificate on the server itself as well, so local tools (curl, wget, Nagios checks) validate it:
cp -p /etc/ssl/certs/ss-unix4life.crt /usr/local/share/ca-certificates/ss-unix4life.crt
update-ca-certificates

systemctl stop apache2
systemctl start apache2

cp -p /etc/ssl/certs/ss-unix4life.crt /tmp/
Upload ss-unix4life.crt (the certificate only, never the .key file) to each client device/PC and install it with the commands at the top of this page; compare the certificate's fingerprint on the client with the one on the server before trusting it.
