How to create a valid self signed SSL Certificate?
- Added on 29. 04. 2024
- In this video, I will explain how to generate valid self-signed SSL certificates for your internal network. We will use an open-source tool, OpenSSL, to create an SSL cert for my Proxmox Server that is valid for my internal domain and my private IP address. #OpenSSL #TLS #HomeLab
My GitHub Cheat-Sheets: github.com/christianlempa/che...
Teleport-*: goteleport.com/thedigitallife
Timestamps:
00:00 - Introduction
00:51 - Some TLS basics
04:33 - What are valid SSL Certificates?
07:45 - Why use Self Signed Certificates
11:53 - Advertisement-*
12:27 - Generate a Private CA
16:31 - Generate and Sign an SSL Cert
21:11 - Upload a Full chain Cert
22:22 - Import Private CA in Windows
________________
All links with "*" are affiliate links.
Thank you very much. This was extremely useful. You took a very confusing and convoluted process and made it as easy to understand as possible. I was able to setup certs on several home servers that I've been trying to figure out for years. I really appreciate your time making this video. Very helpful.
Glad it was useful! Thank you ;)
Hi Christian, I have been watching your videos for ages and with your help I have grown my little raspberry pi "home lab" out into 3 separate servers running more services than I have any business or need to run. I enjoyed this video and it was very informative. Thank you for all the help and wish me luck setting up my own CA.
Hands down, absolutely outstanding work. Thank you so much for this video. I absolutely loved it. You earned a sub!
I've been trying this for weeks, and you managed to make me understand and actually learn something about certificates. Indeed, you are an excellent teacher! Thanks a lot
You really know your stuff. So much information in 25 minutes!
Might be the most important video I've watched in 5 years, wow. Thanks SO much for this, very well done!
Glad you enjoyed it!
This was exactly what I needed to understand the cert-creation process. Thank you, and I have now subscribed to your channel :D
Thanks! Glad it was helpful 😉
Thanks a million! I was following some other documented tutorials and none of them seem to explain what is important and what is not. I didn't have a DNS name so I had to rely on IP addresses. After spending 2 days of trying to setup SSL certificates, I finally found and followed your video and it just worked straight away!
Thank you! Glad that it helped ;)
I subscribed last week, mostly because I'm into Docker and you seem to cover it a lot. You've already proven to be quite useful with this tutorial, which I ran into completely by coincidence. Just wanted to say I really appreciate you, thanks!
Thanks man! :)
Thank you so much. I had been annoyed by this for a long time. I appreciated very much your way of explaining things with just the level of details needed (at least in my case). I could follow the steps one after the other and it worked fine. I wrote down the process to repeat this in the future. Thank you so much again, from France.
Thank you! I'm glad you enjoy the content :)
Thanks so much for this video. It really helped me a lot. For a long time I was having problems with other tutorials trying to configure this, and with your video I managed to get everything working really fast. Thanks again!
Just started to dip my toes into self signing so this is wonderful timing that you made a fresh video about it.
🤗
Thank you! Glad it's helpful 😀
Nice overview about CAs and how Windows trusts certificates from websites. And a well detailed explanation about the steps to generate a valid certificate. It really comes in handy to me right now, because I was dealing with some troubles to generate a certificate to a local system in my job. Thank you very much! Keep it up! 👏👏👏
Thank you! Glad it helped :)
After a very long time struggling with it I finally got it working thanks to you! Thank you!
Thanks for doing this. I watched it several times (and reviewed your very helpful 'Cheat-sheets' on git). I understand the process for setting up internal CA (with respective keys), as well as the signing request process. BUT, I'm still not sure how to go about creating certificates that have *wild-cards* for an IP range so that I can use more broadly in my home lab environment. I'll keep plugging away with some other how-to tutorials, and eventually I'll have the 'Eureka' moment and it'll all make sense. Nonetheless, your tutorial was very good and much appreciated. Cheers.
Thank you for your time and knowledge, an invaluable help, especially because you turned something complex into a simple one, thank you, it has helped me a lot
Thanks!
Great video! You've corrected the topic in great detail. This will be my reference video on this topic. Keep producing video on these interesting topics. You've got a new subscriber
Excellent will use it today ! Thanks for documenting all process !
Thanks Bro. This explanation gave me the needed steps to finally learn the SSL certificate concept and creation. All of my internally hosted consoles are now secure. It was even possible for me to adjust my certificate chain for a Cisco WLC which I wanted to start using. Without your instructions, I couldn't have made this jump. Thank you very much!
Thanks for making this video, great explanation of how it all works, reassuring to see all the reading of separate info I've been doing was in a simple video.
Thank you so much! ::)
love the videos pal - literally just finished watching several of your nginx proxy manager videos!
Thank you so much :)
Very good explanations. The part I was looking for was how to import the ca certificate into the client devices.
best explanation ever, thank you so much. for the first time, i actually understand ssl certs
Thank you, just a note: the file extfile.cnf has to be encoded in UTF-8. You can convert it via Visual Studio Code, otherwise an error will show up:
"x509: Error on line 1 of config file "extfile.cnf" 8C520000:error:07000065:configuration file routines:def_load_bio:missing equal sign:crypto\conf\conf_def.c:513:HERE--> ■sline 1"
THANKS! You can also use Notepad++ at the "Encoding" tab and save.
But a PowerShell script would be the simplest I think :/
Hello Matifuska, I am running into the same issue. Can you explain to me how I encode it into UTF-8? I used the Terminal of VS Code, but how do I convert it into UTF-8?
Okay I found it, it is on the bottom right of the window. In my case it was in UTF-16 LE, the change to UTF-8 solved it. Thank you very much!
Thank you. I was tearing my hair out looking for that error in a search engine but it didn't help at all. Also, I did all this on Windows and it gave this error, but I tried again in Debian/Linux and it worked out okay.
It is absolutely nuts how many subs you have now. Congrats man! I have been studying to get some certs lately so I'll see how it goes!
Thank you so much :D I still know when we're following each other since the very beginning of this channel ;)
hey Christian!
You just got a new subscriber man!
Explained it beautifully!
Welcome aboard! :D
Very great video! This was exactly what I've been looking for days and days. Very helpful. Thx! Keep it up
Thanks, will do!
Thank you so much, very informative and has finally enabled me to get rid of the annoying warning message when logging into my nas. Great job!
Awesome! Thanks
Very helpful, helped fill in some knowledge gaps in private CAs.
Thx! Glad it was helpful ;)
Thanks bro
Thank you, this is just what I was looking for! Very helpful, great video!
You're welcome 😀
This was exactly what I was looking for.
Helped a Ton!
Thanks
Thanks! Glad that it helped you :)
thank you so much! finally found a working solution at first attempt
I had so many issues before trying to get SSL working on my VMware ESXI Server. Now I just used all the steps in this video and replaced the .csr file with the "Generate FQDN signing request" text (copied and put in a text file) that you can generate in ESXI. It instantly worked.
Before this Video I "broke" my server so I couldn't access it from the webinterface anymore (had to plug in Monitor & Keyboard to find out that the SSL Certificate was invalid so the webserver didn't start).
Thanks for making it this easy to follow👍
Thanks, glad it was helpful 😀
Your video came just in time to save my day.
Didn't know I could be a CA as well as create an SSL certificate.
Amazing
Thanks! Glad you liked it :)
That's exactly what I did when I decided to move all my home network to SSL a couple of weeks ago, glad to see we are on the same wave :)
Oh cool, that's funny :D
Really great, it's been a while since I was looking for this. I've implemented the same concept in pfSense and made a web server to distribute the CA certificate to other devices
Thanks :)
Hi Christian, thank you for that video, it is exactly what I was looking for, followed your steps and it works perfectly. You got one more subscriber.
Thank you so much :)
Thank you so much. You just earned a subscriber here. Great content.
Always great content!
Re-watch it?? Not only, study it!!
Absolutely interesting and useful.
Thank you and keep on with this excellent content
Thanks for the kind words
Great video Christian! Thank you very much for sharing it with us!💖👍😎JP
Thanks a ton! I have fond memories of adding SSL certificates to web 1.0 programs lol like deadAIM n such. Been really wanting to know more about its potential applications nowadays. Appreciate the info. ~
Thanks for the great explanation!
Finally a video that explains this process thoroughly, thank you
I automatically press like when I see your videos. Awesome guy!!!!🙂🙂🙂🙂
You have touched on a lot of topics in an excellent narrative and really detailed. I really thank you for this. But there is something I want to ask. Does everyone in the "standard user" class who connects to our web page have to add to the trusted certificates you made in the last step here? That is, after we prepare the certificate, can it securely exit to the internet?
Another issue is that we want to sign our software that we prepare in our company with code signing. Can rootCA be used for this? Can we sign our software using the certificate created with this method?
Thank you very much.
Loved the video! And yes, please do a deep dive video as well 😇
Thanks! :) Great idea, I like to do more videos about network protocols and security
Thx for the fullchain tip. I had read about it in the Proxmox docs, but just the standalone cert worked for me :)
Np bro! ;)
Thanks for the helpful video as always! 👍👍
You're welcome :)
Thank you for demystifying the concept! It helped a lot!
Excellent presentation and content! Bravo and thank you!!
Thanks!
Excellent video. Very informative. Good job.
Thanks for this video, your documentation is amazing, it makes it very easy to follow your instructions and I now understand what's happening...
Thanks 🙏
You are awesome man! Very clean explanation
Glad it helped!
This excellent and great video … yes! finally what I needed 👍🏼
You're welcome!
Your video is fantastic!! Compliment
Wow ... amazing !!! ... your step by step is exactly what I need ... and it's working A1 ... thanks for your generosity :)
Thank you so much 🙏🙏
I was searching to really solve this trusting issue puzzle for years by relying on Windows CA role and has been impossible. Endless gratitude to you !!!
thx ;)
Thank you for splitting the video into segments, I already knew the basics and could just skip ahead to relevant parts.
You're welcome :)
Thanks for your helpful videos!
You're welcome! :)
I love you man, you saved me days
Thank you, very helpful for me
Excellent and detailed guide to resolve an issue as complicated as SSL.
What would be different in the certificates if TLS 1.3 is used?
Thank you VERY much for making this video
You’re welcome ☺️
Thank you very much you SIR!!! You are my go-to YouTube channel for my IT career!
Quick question: what terminal software did you use in this video? The UI looks so clean. Thank you
Windows PowerShell
Christian, Great job here. Thanks so much. One question:
For the SAN name, I'd like to be able to enter a node's hostname, FQDN and IP, which I would consider to be a common use-case for those not wanting to use wildcards. I've played around with the contents of the extfile.cnf to no avail. Any pointers?
It works! Thanks! 😄
thanks for the video. I didn't understand the last part, is the command executed on the machine from where I open the page or on the server?
Thank You so much!
Thank you very much. You helped me a lot.
You're welcome :)
Awesome work.
Thank you! Cheers!
This is really helpful. Thank you.
you're welcome :)
thank you so much bro I was going around in circles until I got to this video
Glad it was useful! :D
In addition to this, if you are running Linux a self signed cert also helps you with signing your bootloader and enable secure boot properly ;) ..fun video always enjoy your passion with them!
thanks mate ;)
Thank you very much! You saved my day!
You’re welcome ☺️
Subscribed. I'm trying to keep my subscriptions list tidy, so take it as a massive compliment!
Thank you 😊
very useful video, thank you very much
Thank you very much! I tried to do this and failed a couple of weeks ago. Gonna give it another try.
You're welcome! Hope it will work now :)
Thanks for taking the time to put together this video tutorial. I understand how to follow through the steps as you're doing them, but unfortunately I don't understand WHY I'm doing it at each step and what each step is doing for me, because there were too many words being spoken and it was confusing. One of the things I was not initially clear on, but now understand why is that I needed to add a linux distro in my lab environment to run openSSL. That's one more thing for me to have to manage! Also, where does it put the files it made? I can't find them. Forgive my rookie questions, first time I'm ever doing this. Very new to linux and to openSSL. Total NOOB here with certificates.
Thank you for the video, it's awesome! May I ask you how did you set a custom color for the command parameters on the terminal?
To be clear, in the initial command: "openssl" had one color, "generate" another, "-aes256 -out" were slightly obscured and so on...
Maybe that's because I'm using PowerShell, that uses different colors for arguments, commands, etc.
@christianlempa I thought you used the zsh-syntax-highlighting plugin.
Hi Christian, finally an understandable and working guide on how to create and use certificates for your own homelab. Very good, thank you! I would also like to mention here once again that, in addition to your video content, I particularly appreciate the quality of your videos (sound, picture, editing, volume, colors, tuning, presentation, display, mood, etc.). In my view, you are setting a standard that hardly anyone currently comes close to. Keep it up. Oops, now I instinctively wrote in German after all 🙂
Thank you very much! I'm glad you like the videos so much, since you are one of my long-time viewers :D
@christianlempa What ad blocker are you using? The new/blank web page shows 228,000 ads blocked and bandwidth saved. Thanks! And thanks for this video!!
Very good video. For my local environment I use certbot with the Cloudflare API to authorize the certificate creation locally without any ports open and then either pass everything through a local proxy or by installing the certbot client and setting up the subdomain for the service if it's an important one like freeipa/teleport/other important service that I don't want to use a local proxy.
Thank you! :)
wow great, as I work for a small enterprise, I was looking something similar to it.
Awesome video, are you using your private CA with Teleport? Does Teleport use it to sign the certificates it generates?
Thanks for the video, it solved our problem
You're welcome! Glad it helped you ;)
this is by far the best video on this topic, thank you. I just have one question, I don't have a physical server I'm just testing in a VirtualBox and I was wondering if u could suggest to me any good VMs that I can install on VirtualBox and also install the certificates, that would really help me out
Thanks a lot. What type of terminal are you using?
Come in handy! Thank you!
Thanks!
video was so good i had to smash like & subscribe
Thanks 😊
Thanks, good introduction video!
For a more in-depth understanding and for best practices regarding certificates I highly recommend reading the book "TLS Mastery" by Michael W Lucas. Small and handy book with around 200 pages.
Thanks! I might have a look at that, great suggestions :)
Very clear explanation video! I have subscribed. I just can't find the install guide for MacBook in the cheatsheet.
Thanks! Welcome to the club :D
Excellent!
Thx :)
Finally the answer to the most headache of running a home lab!
Thank you :)
thanks a lot for the amazing video
You're welcome :)
Excellent video very educational and definitely most needed at my homelab.
Nevertheless, how do I use the new self-signed cert in other web apps that don't have a web GUI to register certs like: Portainer, PiHole, Rancher, Kasm, SonarQube, Jellyfin, Guacamole, Semaphore, Cockpit, etc (a follow up video will be great)
Many thanks in advance!!!!
Thank you so much! :) Usually, these apps have sections in their UI, or configuration file that allows you to put the "private key" and the "fullchain" cert somewhere (Portainer f.e. has it in the Settings Menu) . I'm using it in Traefik, Sophos XG, Proxmox, Portainer, etc.
@christianlempa I am using Sophos XG and I need guidance in setting up certificates
Great video this. Thank you
Thanks! You're welcome :)
Great content!
Thx
Ok but this is freaky. I was looking for a decent tutorial the whole of today and knew you mentioned it before but couldn't find it lol. At least I know where to look now
Haha nice :D
Thank you for this explanation , if you have documentation about steps it will be helpful to put this here
You're welcome :)
well done ... please bring more stuff on this...
thanks! I will ;)
this channel is gold
Thanks :D