Homelab

914 readers

2 users here now

Rules

Be Civil.
Post about your homelab, discussion of your homelab, questions you may have, or general discussion about transition your skill from the homelab to the workplace.
No memes or potato images.
We love detailed homelab builds, especially network diagrams!
Report any posts that you feel should be brought to our attention.
Please no shitposting or blogspam.
No Referral Linking.
Keep piracy discussion off of this community

founded 2 years ago

MODERATORS

communick@selfhosted.forum

rglullis@communick.news

Finally using SSL certs on my local services, no more HTTPS warnings. Someone appreciate because my GF could care less (alien.top)

submitted 2 years ago by -my_reddit_username-@alien.top to c/homelab@selfhosted.forum

47 comments fedilink hide all child comments

I love my homelab, and the more I tune things the more satisfaction I have. I tolerated the "Your connection is not private" for my self-signed SSL certs on my services for way too long.

I just setup NGINX Proxy Manager as a LXC on my Proxmox Server and pointed a subdomain I own to the server. Now I have custom domains for each service along with valid SSL Certificates. It's all local without exposing anything to the outside world. It's very satisfying. I tried explaining what I was doing to my GF but she could care less ¯\_(ツ)_/¯

Followed this video from Wolfgang's Channel YouTube (great channel btw), the first minute does a better job explaining the setup. I always thought I would have to setup a local CA which is more work than I was interested in, but this approach was much simpler (and free!).

you are viewing a single comment's thread
view the rest of the comments

[–] hadrabap@alien.top 0 points 2 years ago (4 children)

No, it is not so difficult. But you need a bit of planning.

First of all, you need a way to distribute your ROOT certificate to your clients. That's more a question of automation.

Second, you need to prepare the topology with certain rules. Things like dedicated certificates for people (identity), services (server certificates for dedicated subdomains), machine clients (for mTLS and zero-trust), infrastructure stuff like BMC/IPMI, UPS, routers...

Basically, the rules are:

Self signed ROOT certificate
Intermediate CA (signing certificate)
(Optional) signing certificate

In case of multiple (dedicated) certificates, you want to make the split at the intermediate/signing level. The chain will help you enforce the rules.

You should decide which algorithm to use (RSA vs. ECC).

Finally, you need a piece of software that will create and sign the certificates for you. This software must authenticate you and check your request if it comforms to the rules above.

I'm using multiple instances of step-ca. Most of the famous certificate management solutions (the service side asking your authority for a certificate, including rekeying/renewal) support it. Which is good. Standard protocols are always better than in-house ~solutions~ workarounds.

To start building your CA:

Learn about PKI (good start is RFC-5280
Learn OpenSSL, how to deal with openssl.conf, sections, ASN.1
If you need additional information on the certificate, register for your own Private Enterprise Number. Do not abuse existing attributes!
Prepare HTTP (plain HTTP, no TLS) server to serve your intermediate/signing certificates (for AIA protocol) and CRL (for validation)
Put your intermediate/signing key/certificate to step-ca as a ROOT and you're good to go.

You can also incorporate HSM if you have one. Just configure its pkcs11 module in the OpenSSL and in the step-ca.

As it is quite a complex topic, feel free to drop additional questions. 👍

[–] Simon-RedditAccount@alien.top 1 points 2 years ago

Finally! A ~~worth opponent~~ fellow who also cares about having proper OIDs and AIA :)

[–] steezy280@alien.top 0 points 2 years ago (1 children)

Thank you, I’m actually currently building my CA. Planning for an offline root. Question, what free or not enterprise prices software options are there? I have entrust at work, looking for something I can use at home.

[–] EODdoUbleU@alien.top 0 points 2 years ago (2 children)

For my Root I use OpenSSL with the pkcs11 module to keep the keys on a Yubikey, then I use Step CA as an intermediate/issuing.

[–] Simon-RedditAccount@alien.top 1 points 2 years ago

Planning to use Yubikey for one of my subCAs. Do you know a good writeup on OpenSSL+Yubikeys?

Also, which Yubikey slot do you use for storing the cert/pkey?

[–] hadrabap@alien.top 0 points 2 years ago (1 children)

Ha! You run the same stack as I do. 🙂

[–] Simon-RedditAccount@alien.top 1 points 2 years ago

I asked EODdoUbleU on the parent comment here, but could you please reply to that question as well?

[–] EODdoUbleU@alien.top 0 points 2 years ago (1 children)

Prepare HTTP (plain HTTP, no TLS) server to serve your intermediate/signing certificates (for AIA protocol) and CRL (for validation)

Or create a repository on Github, point ca.yourdomain.com to Github Pages and publish there. Doing this solves the PKI chicken-and-egg problem for a homelab and doesn't tie up any resources to serve them.

[–] hadrabap@alien.top 1 points 2 years ago

HTTP! Not HTTPS! No chicken and egg problem here.

[–] LogosLine@alien.top 0 points 2 years ago (1 children)

"not so difficult"

Well thanks, I feel like a complete moron, because that's a level of complexity way beyond what I could do/manage.

[–] lestrenched@alien.top 1 points 2 years ago

It's a bunch of terms I don't know about, but I don't think it's very hard after you learn a bit more and understand the reasoning behind the steps.

I'd personally not want to host a personal CA without HA though, so I suppose I'm sticking with EFF for this one