This guide provides step-by-step instructions for generating and applying self-signed certificates for internal services using a local Certificate Authority (CA). Follow these steps to securely manage certificates for your homelab services.
All files related to the local CA are organized into the following directories:
/etc/local-ca/san-configs//etc/local-ca/private//etc/local-ca/csr//etc/local-ca/certs//etc/local-ca/ca/Keeping this structure ensures consistency and easy management.
Navigate to the configuration directory:
cd /etc/local-ca/san-configs/
Create a configuration file for the service (replace <SERVICE_NAME> with the service name, e.g., vaultwarden):
sudo nano /etc/local-ca/san-configs/<SERVICE_NAME>.cnf
Add the following configuration, replacing placeholders with appropriate values:
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[dn]
C = US
ST = NV
L = Las Vegas
O = KeepItTechie
OU = IT Department
CN = <SERVICE_NAME>.lan
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = <SERVICE_NAME>.lan
DNS.2 = www.<SERVICE_NAME>.lan
Save and exit the file:
Press CTRL+O, Enter, and CTRL+X.
Generate a private key and CSR using the configuration file:
openssl req -new \
-newkey rsa:2048 -nodes \
-keyout /etc/local-ca/private/<SERVICE_NAME>.lan.key \
-out /etc/local-ca/csr/<SERVICE_NAME>.lan.csr \
-config /etc/local-ca/san-configs/<SERVICE_NAME>.cnf
Files created:
/etc/local-ca/private/<SERVICE_NAME>.lan.key/etc/local-ca/csr/<SERVICE_NAME>.lan.csrUse the CA to sign the CSR and create the certificate:
openssl x509 -req \
-in /etc/local-ca/csr/<SERVICE_NAME>.lan.csr \
-CA /etc/local-ca/ca/ca.crt \
-CAkey /etc/local-ca/private/lan.key.pem \
-CAcreateserial \
-out /etc/local-ca/certs/<SERVICE_NAME>.lan.crt \
-days 365 -sha256 \
-extfile /etc/local-ca/san-configs/<SERVICE_NAME>.cnf \
-extensions req_ext
Files created:
/etc/local-ca/certs/<SERVICE_NAME>.lan.crtEdit the NGINX configuration file for the service:
sudo nano /etc/nginx/sites-available/<SERVICE_NAME>.conf
Update the ssl_certificate and ssl_certificate_key paths:
ssl_certificate /etc/local-ca/certs/<SERVICE_NAME>.lan.crt;
ssl_certificate_key /etc/local-ca/private/<SERVICE_NAME>.lan.key;
Save and exit.
Test the NGINX configuration:
sudo nginx -t
Reload NGINX to apply the changes:
sudo systemctl reload nginx
Test the service using curl:
curl -v https://<SERVICE_NAME>.lan --cacert /etc/local-ca/ca/ca.crt
Check certificate details:
openssl x509 -in /etc/local-ca/certs/<SERVICE_NAME>.lan.crt -text -noout
Verify that:
CN = <SERVICE_NAME>.lan.Ensure the CA certificate (/etc/local-ca/ca/ca.crt) is trusted on all client devices:
Linux:
sudo cp /etc/local-ca/ca/ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
macOS:
Windows:
certmgr.msc./etc/local-ca/private/<SERVICE_NAME>.lan.key/etc/local-ca/csr/<SERVICE_NAME>.lan.csr/etc/local-ca/certs/<SERVICE_NAME>.lan.crt/etc/local-ca/san-configs/<SERVICE_NAME>.cnfBy following these steps, you can generate and manage self-signed certificates for internal services, ensuring secure connections within your environment. Make sure the CA certificate is trusted on all devices to avoid connection warnings.