Hello friends,

Just about every guide that comes up on my Google search for “How to create certificate authority with OpenSSL” seems to be out-of-date. Particularly, they all guide me towards creating a certificate that gets rejected by the browser due to the “Common Name” field deprecation, and the requirement of “Subject Alternative Name” field.

Does someone know a tool that creates a Certificate Authority and signs certificates with that CA? A tool that follows modern standards, gets accepted by browsers and other common web tools. Preferably something based on OpenSSL.

If you know a guide that does this using OpenSSL, even better! But I have low hopes for this after going through dozens of guides all having the same issue I mentioned above.

Replies to Some Questions you Might Ask Me

Why not just correct those two fields you mention?

I want to make sure I am doing this right. I don’t want to keep running into errors in the future. For example, I actually did try that, and npm CLI rejected my certs without a good explanation (through browser accepts it).

Why not Let’s Encrypt?

This is for private services that are only accessible on a private network or VPN

If this is for LAN and VPN only services, why do you need TLS?

TLS still has benefits. Any device on the same network could still compromise the security of the communication without TLS. Examples: random webcam or accessory at your house, a Meta Quest VR headset, or even a compromised smartphone or computer.

Use small step CA (or other ACME tools)

I am not sure I want the added complexity of this. I only have 2 services requiring TLS now, and I don’t believe I will need to scale that much. I will have setup a way to consume the ACME server. I am happier with just a tool that spits out the certificates and I manage them that way, instead of a whole service for managing certs.

If I am over estimating the difficulty for this, please correct me.

  • AbidanYre@lemmy.world
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    1
    ·
    edit-2
    9 months ago

    This is for private services that are only accessible on a private network or VPN

    Even in that case, LE may still be easier than adding a new CA to every device that needs to talk to your services.

    At least, it was for me running vault warden.

    • matcha_addict@lemy.lolOP
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      9 months ago

      Would that even work? Pointing my domain to a 192 IP address? I don’t see how that would work.

      • Victoria@lemmy.blahaj.zone
        link
        fedilink
        English
        arrow-up
        7
        ·
        9 months ago

        You can use a DNS challenge to show you are in control of the domain without having anything exposed to the net. Essentially LE gives you a special value you have to add as a TXT DNS entry. LE will check if this record exists for your domain, and gives you a certificate, no public IP involved. This even allows you to create wildcard certificates.

        • PlexSheep@feddit.de
          link
          fedilink
          English
          arrow-up
          2
          ·
          9 months ago

          Yeah, but you’d need to own a public domain and use it for your LAN, no? Or would it be possible to get a letsencrypt certificate for example.local?

          • tburkhol@lemmy.world
            link
            fedilink
            English
            arrow-up
            6
            ·
            9 months ago

            I recently moved my internal network to a public domain. [random letters].top was $1.60 at porkbun, and now I can do DNSSEC and letsencrypt. I added a pre-hook to LE’s renew that briefly opens the firewall for their challenges, but now I’m going to have to look at the DNS challenge.

            Almost everything I do references just hostname, with dns-search supplied by dhcp, so there was surprisingly little configuration to change when I switched domains.

            • lemmyvore@feddit.nl
              link
              fedilink
              English
              arrow-up
              1
              ·
              9 months ago

              In order to automate the DNS challenge the LE bot needs the DNS server to have an API and needs an API access token. See if your DNS service is among the ones supported.

            • TCB13@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              9 months ago

              How are you dealing with mDNS and your custom domain? Isn’t it causing… issues and mismatches?

              • tburkhol@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                ·
                9 months ago

                Haven’t noticed any issues, but I’m not intentionally using mDNS. dhcpd tells all the clients where the nameserver is and issues ddns updates to bind, so I haven’t needed any of the zero-config stuff. I did disable avahi on a linux server, but that was more because it was too chatty than caused any actual problems. I wouldn’t think there would be any more issues between mDNS and a fake domain than between mDNS and a real, big-boy domain on the same network.

                • TCB13@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  9 months ago

                  “Big boy domains” on a network aren’t very easy to deal with. For instance sometimes you’ve devices in your network running DNS queries for your devices and they end up leaking to the outside because well… they’re FQDN… I also have experience mDNS issues due to some reason it seems to slow down a lot once you’re not using .local as your domain as well.

        • matcha_addict@lemy.lolOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 months ago

          Would this work offline? Say a device only has access to LAN; no outside access. Can it still verify correctly?

          • lemmyvore@feddit.nl
            link
            fedilink
            English
            arrow-up
            3
            ·
            9 months ago

            The verification part is done by the LE server with your DNS server so that’s not a problem. But you need to connect to the internet to launch the renewal process and to get the new certificates.

      • ryper@lemmy.ca
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        Like the other commenter said, you can use Let’s Encrypt without needing to expose anything on your network to the internet. I set it up on my network a couple of weeks ago using this guide; I couldn’t get caddy to work with duckdns but it worked with Cloudflare without any trouble.

          • ryper@lemmy.ca
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            9 months ago

            The article sounds like you could have the A records on a local DNS service like Unbound or Pi-hole instead of public DNS. I guess maybe they just need to be defined somewhere that they’ll resolve for your Caddy instance.