OpenSSL

• https://net-security.fr/security/openssl-formats-cheat-sheet/
• https://connect.ed-diamond.com/Linux-Pratique/lp-123/les-certificats-de-l-emission-a-la-revocation
• Gestion pratique des certificats avec OpenSSL

sudo apt install libnss3-tools
 
sudo cp homelab.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
sudo chmod a+r /usr/local/share/ca-certificates/

Pour que le certificat soit aussi reconnu dans Firefox et Thunderbird, il faut exécuter le script suivant (source) :

sudo apt install libnss3-tools  # pour certutil
 
readonly certificateFile="/usr/local/share/ca-certificates/homelab.crt"
readonly certificateName="Homelab"
 
find ~/.mozilla* ~/.thunderbird -name "cert9.db" | while read -r certDB
do
  certDir=$(dirname "${certDB}");
  echo "install '${certificateName}' in ${certDir}"
  certutil -A -n "${certificateName}" -t "TCu,Cuw,Tuw" -i ${certificateFile} -d ${certDir}
done

• Obtenir un certificat auto-signé à partir de sa propre autorité de certification

openssl genrsa -out server.key 1024

CSR: Certificate Signing Request

openssl req -new -key server.key -out server.csr

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# ou
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes # génère un .pem

Source

openssl x509 -req -in myserver.csr -out myserver.crt -CA superfish.pem -CAkey superfish.key -CAcreateserial -CAserial mysuperfish.srl

sudo openssl s_server -accept 443 -cert server.pem

• -WWW sert les fichiers présents dans le dossier courant
• -key <private key>: permet de spécifier la clé privée
• -cert <certificate.crt>: permet de spécifier le certificat du serveur

openssl s_client -connect 192.168.12.1:443

Permet d'obtenir le certificat du serveur (entre les balises CERTIFICATE) et d'interagir ensuite avec le serveur (appuyer deux fois sur ENTREE !)

Source

openssl x509 -noout -dates -in cert.pem

• Openssl : Création d'une Autorité de Certification interne et de Certificats Clients
• PKI in Homelabs - How Do You Manage Internal Certificates?
• https://www.certwarden.com/, https://smallstep.com/docs/step-ca/getting-started/
• mkcert
• Create Your Own Certificate Authority (CA) for Homelab Environment

• Building Your Own PKI with Step-CA – From Root CA to Proxmox Integration with ACME
• Build a Tiny Certificate Authority For Your Homelab
• Setup an internal homelab PKI and get valid HTTPS certificates using step
• https://smallstep.com/docs/step-ca/certificate-authority-server-production/#running-step-ca-as-a-daemon

sudo curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg -o /etc/apt/trusted.gpg.d/smallstep.asc && \
    echo 'deb [signed-by=/etc/apt/trusted.gpg.d/smallstep.asc] https://packages.smallstep.com/stable/debian debs main' \
    | sudo tee /etc/apt/sources.list.d/smallstep.list
sudo apt update
sudo apt install step-ca step-cli
 
step ca init
 
sudo step-ca $(step path)/config/ca.json
 
step ca provisioner add acme --type ACME --x509-default-dur=$((30*24))h
 
sudo useradd --user-group --system --home /etc/step-ca --shell /bin/false step
sudo setcap CAP_NET_BIND_SERVICE=+eip $(which step-ca)
sudo mv $(step path) /etc/step-ca
# put password in /etc/step-ca/password.txt
sudo chmod 400 /etc/step-ca/password.txt
# edit and adapt paths in /etc/step-ca/config/defaults.json
# edit and adapt paths in /etc/step-ca/config/ca.json
sudo chown -R step:step /etc/step-ca
# create the service in /etc/systemd/system/step-ca.service
sudo systemctl daemon-reload
sudo systemctl status step-ca
sudo systemctl enable --now step-ca
sudo journalctl --follow --unit=step-ca