[{"data":1,"prerenderedAt":669},["ShallowReactive",2],{"Categories":3,"NavIndexCategoriesCountFooter":203,"content-\u002F2019\u002F09\u002F18\u002Finternal-certificate-authority-with-openssl-and-caman\u002F":204},[4,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,68,70,71,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202],{"category":5},"System Administration",{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":27},"Software Development",{"category":5},{"category":5},{"category":5},{"category":5},{"category":27},{"category":27},{"category":5},{"category":5},{"category":5},{"category":27},{"category":5},{"category":5},{"category":5},{"category":27},{"category":27},{"category":27},{"category":27},{"category":5},{"category":5},{"category":5},{"category":27},{"category":27},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":27},{"category":5},{"category":5},{"category":27},{"category":27},{"category":27},{"category":27},{"category":5},{"category":27},{"category":27},{"category":67},"Drones & RC",{"category":69},"DIY Projects",{"category":67},{"category":72},"Photography",{"category":69},{"category":69},{"category":69},{"category":67},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":67},{"category":69},{"category":69},{"category":67},{"category":67},{"category":72},{"category":72},{"category":72},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":5},{"category":5},{"category":72},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":5},{"category":67},{"category":67},{"category":72},{"category":72},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":72},{"category":67},{"category":138},"3D Printing - Laser Cutting - CNC",{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":5},{"category":138},{"category":27},{"category":27},{"category":138},{"category":138},{"category":72},{"category":158},"Photography,3D Printing - Laser Cutting - CNC",{"category":27},{"category":27},{"category":69},{"category":27},{"category":27},{"category":27},{"category":27},{"category":5},{"category":67},{"category":5},{"category":5},{"category":27},{"category":27},{"category":27},{"category":27},{"category":27},{"category":69},{"category":27},{"category":27},{"category":27},{"category":27},{"category":181},"Home Assistant",{"category":181},{"category":72},{"category":27},{"category":27},{"category":72},{"category":138},{"category":5},{"category":72},{"category":72},{"category":138},{"category":27},{"category":181},{"category":181},{"category":72},{"category":72},{"category":72},{"category":72},{"category":72},{"category":72},{"category":72},{"category":72},191,{"id":205,"title":206,"body":207,"category":655,"date":656,"description":657,"embedImage":655,"extension":658,"image":655,"intro":659,"meta":660,"navigation":289,"path":661,"seo":662,"series":655,"sitemap":663,"stem":664,"tags":665,"__hash__":668},"content\u002F2019\u002F09\u002F18\u002Finternal-certificate-authority-with-openssl-and-caman.md","Internal certificate authority with openssl and caman",{"type":208,"value":209,"toc":653},"minimark",[210,225,228,231,240,248,251,636,639,649],[211,212,213,214,224],"p",{},"It seems a little odd to be looking at running an internal certificate authority (CA) in these days where free certificates are easily available from ",[215,216,223],"a",{"href":217,"rel":218,"target":222},"https:\u002F\u002Fletsencrypt.org\u002F",[219,220,221],"nofollow","noopener","noreferer","_blank","LetsEncrypt",". However, I have a fully working LetsEncrypt setup using the http callback verification method that I don't really want to fiddle with, so for some small internal machines (pi's etc) I wanted to look again at being my own CA.",[211,226,227],{},"Last time I looked at this (11 years ago) I used openssl's CA.sh\u002FCA.pl scripts. Basically these manipulate the openssl configuration files so that the standard openssl commands create what you need.",[211,229,230],{},"You can do this by hand too - and just run openssl commands. But - I wanted something that added a little more control.",[211,232,233,234,239],{},"One script that does this for you is ",[215,235,238],{"href":236,"rel":237,"target":222},"https:\u002F\u002Fgithub.com\u002Fradiac\u002Fcaman",[219,220,221],"caman"," - which seems to have a fairly simple interface.",[211,241,242,243,247],{},"The readme is pretty self-explanatory. Simply clone the repository and use it. I decided on one change. The script uses two directories - ca and store. These are in the .gitignore file (with a pair of files in ca excluded). I decided to remove the gitignore settings - and keep the generated files in the repo - but - to keep them secure with ",[215,244,246],{"href":245},"\u002F2019\u002F02\u002F23\u002Fusing-git-crypt\u002F","git-crypt",". I also decided that as this was just for me and for a few machines that the extra complexity of an intermediate was not necessary - if I have to re-create the CA then there are perhaps 10 machines it needs installing on.",[211,249,250],{},"Apart from that - the readme's instructions worked fine - the script I more or less ended up with looks like this (so far I have added three hosts):",[252,253,258],"pre",{"className":254,"code":255,"language":256,"meta":257,"style":257},"language-shell shiki shiki-themes github-dark","git clone -o upstream git@github.com:radiac\u002Fcaman.git\n\ncd caman\n\ngit remote add origin \u003Clocation>\n\nrm .gitignore\n\ntouch .gitattributes\n\n\u002F\u002F Add .gitattributes for git-crypt here - setting ca\u002F** and store\u002F** to be encrypted\n\ncp ca\u002Fcaconfig.cnf.default ca\u002Fcaconfig.cnf && vi ca\u002Fcaconfig.cnf\n\u002F\u002F Change the CA settings as described in the readme\n\ncp ca\u002Fhost.cnf.default ca\u002Fhost.cnf && vi ca\u002Fhost.cnf\n\u002F\u002F Change the per host settings as described in the readme\n\n.\u002Fcaman init\n\nfor HOST in host1 host2 host3; do\n  .\u002Fcaman new $HOST.home.chrissearle.org\n  .\u002Fcaman sign $HOST.home.chrissearle.org\ndone\n\ngit add .\n\ngit ci -m \"Done :)\"\n","shell","",[259,260,261,284,291,300,305,333,338,347,352,361,366,416,421,442,473,478,496,523,528,537,542,569,584,596,602,607,617,622],"code",{"__ignoreMap":257},[262,263,266,270,274,278,281],"span",{"class":264,"line":265},"line",1,[262,267,269],{"class":268},"svObZ","git",[262,271,273],{"class":272},"sU2Wk"," clone",[262,275,277],{"class":276},"sDLfK"," -o",[262,279,280],{"class":272}," upstream",[262,282,283],{"class":272}," git@github.com:radiac\u002Fcaman.git\n",[262,285,287],{"class":264,"line":286},2,[262,288,290],{"emptyLinePlaceholder":289},true,"\n",[262,292,294,297],{"class":264,"line":293},3,[262,295,296],{"class":276},"cd",[262,298,299],{"class":272}," caman\n",[262,301,303],{"class":264,"line":302},4,[262,304,290],{"emptyLinePlaceholder":289},[262,306,308,310,313,316,319,323,326,330],{"class":264,"line":307},5,[262,309,269],{"class":268},[262,311,312],{"class":272}," remote",[262,314,315],{"class":272}," add",[262,317,318],{"class":272}," origin",[262,320,322],{"class":321},"snl16"," \u003C",[262,324,325],{"class":272},"locatio",[262,327,329],{"class":328},"s95oV","n",[262,331,332],{"class":321},">\n",[262,334,336],{"class":264,"line":335},6,[262,337,290],{"emptyLinePlaceholder":289},[262,339,341,344],{"class":264,"line":340},7,[262,342,343],{"class":268},"rm",[262,345,346],{"class":272}," .gitignore\n",[262,348,350],{"class":264,"line":349},8,[262,351,290],{"emptyLinePlaceholder":289},[262,353,355,358],{"class":264,"line":354},9,[262,356,357],{"class":268},"touch",[262,359,360],{"class":272}," .gitattributes\n",[262,362,364],{"class":264,"line":363},10,[262,365,290],{"emptyLinePlaceholder":289},[262,367,369,372,375,378,381,384,387,390,393,396,399,402,405,407,410,413],{"class":264,"line":368},11,[262,370,371],{"class":268},"\u002F\u002F",[262,373,374],{"class":272}," Add",[262,376,377],{"class":272}," .gitattributes",[262,379,380],{"class":272}," for",[262,382,383],{"class":272}," git-crypt",[262,385,386],{"class":272}," here",[262,388,389],{"class":272}," -",[262,391,392],{"class":272}," setting",[262,394,395],{"class":272}," ca\u002F",[262,397,398],{"class":276},"**",[262,400,401],{"class":272}," and",[262,403,404],{"class":272}," store\u002F",[262,406,398],{"class":276},[262,408,409],{"class":272}," to",[262,411,412],{"class":272}," be",[262,414,415],{"class":272}," encrypted\n",[262,417,419],{"class":264,"line":418},12,[262,420,290],{"emptyLinePlaceholder":289},[262,422,424,427,430,433,436,439],{"class":264,"line":423},13,[262,425,426],{"class":268},"cp",[262,428,429],{"class":272}," ca\u002Fcaconfig.cnf.default",[262,431,432],{"class":272}," ca\u002Fcaconfig.cnf",[262,434,435],{"class":328}," && ",[262,437,438],{"class":268},"vi",[262,440,441],{"class":272}," ca\u002Fcaconfig.cnf\n",[262,443,445,447,450,453,456,459,462,465,468,470],{"class":264,"line":444},14,[262,446,371],{"class":268},[262,448,449],{"class":272}," Change",[262,451,452],{"class":272}," the",[262,454,455],{"class":272}," CA",[262,457,458],{"class":272}," settings",[262,460,461],{"class":272}," as",[262,463,464],{"class":272}," described",[262,466,467],{"class":272}," in",[262,469,452],{"class":272},[262,471,472],{"class":272}," readme\n",[262,474,476],{"class":264,"line":475},15,[262,477,290],{"emptyLinePlaceholder":289},[262,479,481,483,486,489,491,493],{"class":264,"line":480},16,[262,482,426],{"class":268},[262,484,485],{"class":272}," ca\u002Fhost.cnf.default",[262,487,488],{"class":272}," ca\u002Fhost.cnf",[262,490,435],{"class":328},[262,492,438],{"class":268},[262,494,495],{"class":272}," ca\u002Fhost.cnf\n",[262,497,499,501,503,505,508,511,513,515,517,519,521],{"class":264,"line":498},17,[262,500,371],{"class":268},[262,502,449],{"class":272},[262,504,452],{"class":272},[262,506,507],{"class":272}," per",[262,509,510],{"class":272}," host",[262,512,458],{"class":272},[262,514,461],{"class":272},[262,516,464],{"class":272},[262,518,467],{"class":272},[262,520,452],{"class":272},[262,522,472],{"class":272},[262,524,526],{"class":264,"line":525},18,[262,527,290],{"emptyLinePlaceholder":289},[262,529,531,534],{"class":264,"line":530},19,[262,532,533],{"class":268},".\u002Fcaman",[262,535,536],{"class":272}," init\n",[262,538,540],{"class":264,"line":539},20,[262,541,290],{"emptyLinePlaceholder":289},[262,543,545,548,551,554,557,560,563,566],{"class":264,"line":544},21,[262,546,547],{"class":321},"for",[262,549,550],{"class":328}," HOST ",[262,552,553],{"class":321},"in",[262,555,556],{"class":272}," host1",[262,558,559],{"class":272}," host2",[262,561,562],{"class":272}," host3",[262,564,565],{"class":328},"; ",[262,567,568],{"class":321},"do\n",[262,570,572,575,578,581],{"class":264,"line":571},22,[262,573,574],{"class":268},"  .\u002Fcaman",[262,576,577],{"class":272}," new",[262,579,580],{"class":328}," $HOST",[262,582,583],{"class":272},".home.chrissearle.org\n",[262,585,587,589,592,594],{"class":264,"line":586},23,[262,588,574],{"class":268},[262,590,591],{"class":272}," sign",[262,593,580],{"class":328},[262,595,583],{"class":272},[262,597,599],{"class":264,"line":598},24,[262,600,601],{"class":321},"done\n",[262,603,605],{"class":264,"line":604},25,[262,606,290],{"emptyLinePlaceholder":289},[262,608,610,612,614],{"class":264,"line":609},26,[262,611,269],{"class":268},[262,613,315],{"class":272},[262,615,616],{"class":272}," .\n",[262,618,620],{"class":264,"line":619},27,[262,621,290],{"emptyLinePlaceholder":289},[262,623,625,627,630,633],{"class":264,"line":624},28,[262,626,269],{"class":268},[262,628,629],{"class":272}," ci",[262,631,632],{"class":276}," -m",[262,634,635],{"class":272}," \"Done :)\"\n",[211,637,638],{},"The final steps here:",[640,641,642,646],"ul",{},[643,644,645],"li",{},"Install the host certificates on the machines they are for",[643,647,648],{},"Install the ca (ca\u002Fca.crt.pem) on each client that needs it",[650,651,652],"style",{},"html pre.shiki code .svObZ, html code.shiki .svObZ{--shiki-default:#B392F0}html pre.shiki code .sU2Wk, html code.shiki .sU2Wk{--shiki-default:#9ECBFF}html pre.shiki code .sDLfK, html code.shiki .sDLfK{--shiki-default:#79B8FF}html pre.shiki code .snl16, html code.shiki .snl16{--shiki-default:#F97583}html pre.shiki code .s95oV, html code.shiki .s95oV{--shiki-default:#E1E4E8}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":257,"searchDepth":286,"depth":286,"links":654},[],null,"2019-09-18 09:40 +0200","It seems a little odd to be looking at running an internal certificate authority (CA) in these days where free certificates are easily available from LetsEncrypt. However, I have a fully working LetsEncrypt setup using the http callback verification method that I don't really want to fiddle with, so for some small internal machines (pi's etc) I wanted to look again at being my own CA.","md","Running a local\u002Finternal certificate authority - even though it is 2019",{},"\u002F2019\u002F09\u002F18\u002Finternal-certificate-authority-with-openssl-and-caman",{"title":206,"description":657},{"loc":661},"2019\u002F09\u002F18\u002Finternal-certificate-authority-with-openssl-and-caman",[666,667],"openssl","ssl","WpJLc6ErCpMpWRLme-P2llVkQ5H18mCF02n1WAtiICc",1775293008872]