Hello,
I'd really like to use my ClearOS Home server as my master CA for all of my network services and servers. I have 15+ servers and many services that are hosted on these external servers and NOT ClearOS (LDAP, MySQL, Mail, Web, DNS, etc...). I use ClearOS only as a network Gateway, Router, Firewall, and VPN. What I would like to know is how can I go about setting up my external services and servers to use SSL certificates that are signed by my ClearOS server? (ex. Most of my servers use Webmin/Cloudmin and have self-signed SSL certs to access the web admin page; I would like to make certificates that I can sign with my ClearOS server so when I install the ClearOS CA cert in my browser it won't show the warning and a need to create an exception.) I'd also like to create SSL certificates for my LDAP and MySQL servers that I hope to have signed by the ClearOS CA so all of the servers/services will verify SSL with the ClearOS server. I've tried many things and can't seem to figure this problem out. All I can figure out how to do is to supply the ClearOS server with its own (paid) signed SSL cert, which is not something I need. Can you please help me figure out how to do this for my servers/services? Thank you very much for your time and help. I appreciate it very much.
Responses (5)
Accepted Answer
Yes, you have the ClearOS CA cert. This shows how to create server certs, using a private CA cert for signing. That is the 'key' part. I have plenty of examples of self-signing certs at:
http://www.htt-consult.com/Centos7-mailserver.html
I need to add running a private CA like the OP is asking.
Accepted Answer
postfix.org has an example of creating your own CA cert and then signing your own server certs with it. See:
http://www.postfix.org/TLS_README.html
section:
Private Certification Authority
I need to work some on developing this.
Probably later next week.
Accepted Answer
You can use openssl from the command line to create new certificates. By default they should use the ClearOS CA. I remember coming across a program on the CentOS site which gave a text-mode GUI to do this, presumably as a front end to openssl, and I used this for a while. Unfortunately I can't remember what it was. If I can find it, I'll post back.
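The two answers above (the Postfix "Private Certification Authority" pointer and the openssl command-line suggestion) describe the same workflow: the external server makes a key and a CSR, the CA signs the CSR, and the client verifies the result against the CA certificate. The script below is an added example and is not code from the thread or from ClearOS. Because the ClearOS CA key and certificate are not available here, it generates a throwaway CA into a temp directory as a stand-in; on a real installation you would skip that step and point CA_CRT/CA_KEY (names assumed) at the existing ClearOS CA files. The hostname used is constructed.

```shell
#!/bin/sh
# Added example: issue a server certificate from a private CA with plain openssl,
# then check it the way a browser or LDAP/MySQL client would.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_CRT="$WORK/ca.crt"   # assumed path; on ClearOS use the existing CA cert
CA_KEY="$WORK/ca.key"   # assumed path; on ClearOS use the existing CA key

# Step 0 (stand-in only): create a private CA. Not needed when a CA already
# exists, as it does on ClearOS; included so the example runs offline.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$CA_KEY" -out "$CA_CRT" \
    -subj "/CN=Home Lab Private CA" >/dev/null 2>&1
}

# Step 1: on the external server, generate a private key and a CSR.
# The key stays on that server; only the CSR is sent to the CA.
make_csr() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" \
    -subj "/CN=$host" >/dev/null 2>&1
}

# Step 2: on the CA, sign the CSR as a leaf server certificate.
# CA:FALSE stops the issued cert from signing further certs, serverAuth limits
# it to server use, and the SAN is what modern browsers actually match on.
sign_server_cert() {
  host="$1"
  cat > "$WORK/$host.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
  openssl x509 -req -sha256 -days 825 -in "$WORK/$host.csr" \
    -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" >/dev/null 2>&1
}

# Step 3: verify like a client: chain to the CA, SAN matches the hostname,
# and the cert's public key matches the server's private key (a mixed-up CSR
# would otherwise only show up as a TLS handshake failure later).
verify_server_cert() {
  host="$1"
  openssl verify -CAfile "$CA_CRT" "$WORK/$host.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/$host.crt" -noout -text \
    | grep -q "DNS:$host" || return 1
  k1=$(openssl pkey -in "$WORK/$host.key" -pubout 2>/dev/null | openssl sha256)
  k2=$(openssl x509 -in "$WORK/$host.crt" -pubkey -noout | openssl sha256)
  [ "$k1" = "$k2" ]
}

# Whole flow for one host; returns non-zero if any step or check fails.
issue_and_check() {
  host="$1"
  make_demo_ca
  make_csr "$host"
  sign_server_cert "$host"
  verify_server_cert "$host"
}
```

The issued pair ($host.key and $host.crt) is what goes into Webmin, slapd or MySQL, and ca.crt is the single file to import into browsers and into each client's trust store; the per-service configuration keys for that are not covered here.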
Accepted Answer
Make sure you have adequate random entropy to strongly create all those certs. Consider installing haveged. In fact install it on all your servers, as randomness is needed for every TLS setup and message.
I really don't think the cert management interface is rich enough. I don't expect to dig into this for a couple weeks so could be wrong on my assessment.
[edit]
Flash of inspiration. I used genkey. The guide indicates you need to install the "crypto-utils" package to get the genkey command.
[/edit]