Wow, it's been a long time since I've seen an enjoyable, deep and detailed PKI video presented by somebody who really knows what he is talking about and makes himself crystal clear by explaining all the ifs and whys!
48:30 If you are working with a Debian system, you need to do the following to make this work: as "root" copy your "ca.crt" into the directory "/usr/local/share/ca-certificates/":
cp ~/ca/root-ca/certs/ca.crt /usr/local/share/ca-certificates/
Next you need to update the ca-certificates:
dpkg-reconfigure ca-certificates
You can choose either "yes" or "ask" and after the script finishes you see:
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Adding debian:ca.crt
done.
done.
This is an outstanding video. For anyone viewing in 2022, note that browsers now require the subjectAltName extra, so cert signing requests formed without this will not be accepted. This shows as the somewhat unhelpful error "NET::ERR_CERT_COMMON_NAME_INVALID".
It has generated the CSR in sub-root, but whenever I run the command to sign the CSR file, I receive the following error: "wrong number of fields on line 1 (looking for field 6, got 1, '' left)". Maybe a syntax error or what?
One detail that's missing that I can't seem to make work: subject alternative names. I can get SANs for the server on the CSR, but after the Sub-CA signs it, they're gone. What am I missing in sub-ca.conf? I'd like to specify multiple FQDNs and IP addresses as SANs. This is great. Thank you.
Well, I watched about half of the video and I was so lost that I just stopped... :-) It was not you, it was me. I have no idea what I would use this for, so I did not see the point of finishing... What I did watch was very well done. I am sure that someone needing this information will be happy as a lark! Lol. Thank you for the video! LLAP
This is how you set things up securely for your local/remote self-hosted web server. OpenSSL can also be used to encrypt files; that's worth learning for anyone, check out the 'enc' function : ) Likely this will lead you to gpg and its encryption function + key management. Or maybe it's just me that gets sucked down these various Linux terminal rabbit holes lol. Education is never wasted.
@DDBAA24 Well, I don't use servers or web servers, so yep, it's not for me. I don't have a use for SSH other than updating my other computers in a terminal on my local 4-computer setup... :-) It wasn't my intention to say that "education is wasted"; it is not! I just don't have a use case for this. Like I said, I'm sure some will find it useful... :-) LLAP
Hi there, quick question: why did you switch to the root user? Can't this tutorial be done as an unprivileged user? If yes, then why not show the viewers how to do it as non-root? It's also good practice.
Some great little nuggets in this tutorial. I feel like I'm learning a lot more than some of the other courses I've looked at. Still overwhelmed by it. We'll get there
I mostly use OpenSSL to merge end-user certs + intermediate certs + key files to create a PFX for IIS server upload, but this was interesting content as well.
Thank you for this excellent explanation on building CA/Inter/Server certs with OpenSSL. Can you provide an update that includes the use of Subject Alternative Names?
Very good tutorial apart from two things: a) Use of CN for the server hostname was deprecated literally 20 years before this tutorial was created, and Firefox and Chrome stopped allowing it mere months after the tutorial appeared. b) The author should warn people that "openssl ca" is not a command you want to use in a production environment because it's quite buggy and it's very easy to corrupt your index database or similar. OpenSSL's own documentation admits as much.
Just had a class where we discussed PKI. Everyone (classmates and prof.) kept saying how complicated and expensive they were to implement. I knew OpenSSL existed and was wondering why a company wouldn't just do it in-house; doesn't seem that complicated (or expensive) to me... If you want a certificate for public SSL connection, sure, pay for one from one of the big vendors. Also, can you just create different CAs for user permission levels? For instance, an intermediate CA to certify database admin keys, and another CA for database users.
If I'm being honest, I'm probably not going to understand it properly until I actually use it in my live env, and my env is just a simple server I want to make on my Raspberry Pi 4. But I know how important security is and will learn it. Thank you for this guide!
Thank you very much for such a great video. The comments too are very helpful. I have one query on this: with the server all set up with a private key and certificate, how does the server send the public key to the clients, and how does that show up in the communication?
Dear Andrew, you are not using alt_names and you're using one domain name as a Common Name. What if I want to use hostname, localhost, IP address ... in addition to the domain name?
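The SAN question, the request for a SAN update and the alt_names question above all run into the same cause, so here is one added example (not the video's or its author's code): a throwaway sub-CA in a temporary directory whose sub-ca.conf includes copy_extensions = copy, signing a CSR that asks for two DNS names and an IP address, then reading the SANs back from the issued certificate. All paths and names are constructed; it needs openssl on the PATH.

```shell
# Added example (not the video's code): throwaway sub-CA in a temp dir whose
# "openssl ca" keeps the SANs requested in a server CSR. All names are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/newcerts"; touch "$WORK/index.txt"; echo 1000 > "$WORK/serial"
# Server request config: the SAN list lives under req_extensions / alt_names.
cat > "$WORK/server.conf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = www.example.test
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.example.test
DNS.2 = example.test
IP.1 = 192.0.2.10
EOF
# Sub-CA config. copy_extensions is the line people miss: without it "openssl ca"
# silently drops every extension in the CSR, so the signed cert has no SANs.
cat > "$WORK/sub-ca.conf" <<EOF
[ ca ]
default_ca = sub_ca
[ sub_ca ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
private_key = \$dir/sub-ca.key
certificate = \$dir/sub-ca.crt
default_md = sha256
default_days = 365
policy = loose
copy_extensions = copy
[ loose ]
commonName = supplied
EOF
# Self-signed stand-in for the sub-CA (a real one is issued by the root CA).
openssl req -batch -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Example Sub CA" \
  -keyout "$WORK/sub-ca.key" -out "$WORK/sub-ca.crt" 2>/dev/null
openssl req -batch -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/server.conf" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl ca -batch -config "$WORK/sub-ca.conf" -in "$WORK/server.csr" \
  -out "$WORK/server.crt" >/dev/null 2>&1
# Browsers check the issued certificate, not the CSR, so read the SANs back from it.
issued_sans() { openssl x509 -in "$WORK/server.crt" -noout -text |
  grep -A1 'Subject Alternative Name' | tail -n 1; }
issued_sans
```

Remove copy_extensions from the sub-CA section and run it again: the CSR still carries the SANs, but the issued certificate no longer does, which is exactly the symptom described above.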
Just taking notes here: how can I create the intermediate CA when I have the RootCA on a different machine? The command given in this video wouldn't work. @32:30 Is it as simple as entering that command on the rootca machine, then moving the sub-ca.csr and sub-ca.crt to the subca machine?
The intermediate CA sends a request to the CA. In the same way, the server sends a signing request to the intermediate CA. The files are transferred to and from the signing authorities.
@theurbanpenguin What I'm saying is that he is locally referencing directories on the same machine in that command. But in a real situation we would have the rootCA on a different machine, thus making that command not work.
Thank you for this. I'm a junior sysadmin and the company I work for recently created a new CA to sign certs for a large number of iOS devices. I didn't undertake the work, but was curious as to how they implemented it. This video has given me much greater insight into how they achieved the task. What's also interesting is the different certificate requirements iOS has between iOS 12/13 and now 14.