Automate Local TLS Certificates With Step-CA
- added 12. 06. 2024
- As useful as OpenSSL has been for letting me manage TLS certificates for internal IT devices, after a while this becomes time-consuming and tedious.
For one thing, there are a few steps to go through to create a certificate, and just before a certificate expires you have to go through more steps to revoke it and then create a new one.
Now, while Let's Encrypt lets you automate certificate provisioning, you'd need a public domain name and you'd have to be willing to leak details about your internal devices to the public Internet. In other words, it's a bad idea.
So wouldn't it be good if you could have the security benefit of OpenSSL and the automation benefit of Let's Encrypt?
Well, you can, with an open source certificate authority called step-ca.
Not only can you install it on an internal computer, it also supports ACME provisioning.
And in this video we'll go over how to install and configure step-ca, as well as demonstrate how to configure Proxmox VE to use it.
=============================
SUPPORT THE CHANNEL
Donate through Paypal:
paypal.me/DavidMcKone
Donate through Buy Me A Coffee:
buymeacoffee.com/dmckone
Become a monthly contributor on Patreon:
/ dmckone
Become a monthly contributor on CZcams:
/ techtutorialsdavidmckone
==============================
=============================
MY RECORDING HARDWARE:
Blue Yeti USB Microphone
amzn.to/3IfL3qm
Blue Radius III Custom Shockmount for Yeti and Yeti Pro USB Microphones
amzn.to/3G3f89P
RØDE PSA1 Professional Studio Arm
amzn.to/3Z3lPBF
Aokeo Professional Microphone Pop Filter
amzn.to/3VuZl9H
Sony Alpha ZV-E10L Mirrorless Camera
amzn.to/3ITHCoU
Elgato Cam Link 4K Capture Card
amzn.to/43CzQaT
Neewer NP-FW50 Dummy Battery Charger Kit
amzn.to/3qp9Q4s
Elgato Key Light Air - Professional 1400 lumens Desk Light
amzn.to/3G81OB9
Neewer 2 Packs Tabletop LED Video Light Kit
amzn.to/3CcuN5O
Elgato Green Screen
amzn.to/3CoJBOL
=============================
==============================
MEDIA LINKS:
Website - www.techtutorials.tv/
Twitter - / dsmckone1
==============================
For more technical information, including commands used, check out our blog post
www.techtutorials.tv/sections...
Useful links:
smallstep.com/docs/step-ca/
smallstep.com/docs/step-cli/
hub.docker.com/r/smallstep/st...
smallstep.com/blog/private-ac...
www.cyberciti.biz/faq/linux-p...
Chapters
00:00 Intro
01:05 Assumptions
01:21 Initial Setup
08:52 Password File
11:34 Bootstrapping and Testing
14:37 ACME Server Provisioner
16:23 Proxmox VE ACME Client Configuration
26:25 Compose Service Account
35:32 Summary
ssl certificate,tls certificate,certificate authority,ca server,certificate authority server,how to create certificate server,proxmox web certificate,step-ca,automate tls certificate,automate web certificate,automate certificate provisioning,automated certificate provisioning - Science & Technology
I'm amazed, your content is great, good explanations and a great purpose
Thanks for the feedback
The videos I'm doing tend to cover what I'm doing myself to improve IT
I learned a lot from your previous videos about creating and using one's own private ca based on openSSL. Very recently I decided to change to step-ca as soon as I can allocate the time to make the change. Imagine how lucky I feel to see you now also have a brand new tutorial on step-ca!!
Step-ca has been on my radar for a while and I eventually got round to it
So it was good to be able to finally put it to use
For more usability for users that watch youtube videos on their smartphones, could you please consider 3 things: enlarge the terminal, press enter 2 or 3 times in order not to start at the top, and after you paste text press arrow right in order to demarcate the text so it is better readable? That would be fantastic 🙂
Good suggestions
I did enlarge the font some time back based on comments, and my video editor seems to blur things when I get it to zoom but I'll revisit that option as well
In the meantime, there is a blog which has all the commands in it
www.techtutorials.tv/sections/it-security/automated-tls-certificates-step-ca/
Just need to figure out how to get markup language to give me a copy button
Thank you for your instructional videos. I find them to be very useful, and I appreciate that you don't gloss over the details and more often than not provide additional insight. For this implementation when using ACME, how do you include the IP address in the SAN when PVE generates the CSR, in addition to the FQDN, so connecting via IP provides a secure connection? With your recent Ansible videos, it would be interesting to see how much of this process could be automated for existing hosts and new hosts as they are provisioned.
I haven't tested this with a SAN or IP addressing, but according to the documentation, step-ca supports this
smallstep.com/docs/step-cli/reference/ca/token/
For PVE for instance, you can include multiple entries in the domain field
You just have to separate them with a semi-colon e.g.
prox1.servers.com;192.168.12.12
Ansible's very flexible as you can just execute commands if there isn't a module to support this
So for PVE you have the pve config command available
pve.proxmox.com/pve-docs/pvenode.1.html
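The reply above describes the Proxmox VE domain field as a semicolon-separated list that can mix an FQDN with an IP address. The script below is an added example, not code from the video, the blog post, step-ca or Proxmox: it parses such a field into the identifier list an ACME client would put in its newOrder request, mapping hostnames to "dns" identifiers and addresses to "ip" identifiers (RFC 8738), and rejects entries that could never become a SAN (wildcards, malformed hostnames, an empty field) so a typo fails early instead of yielding a certificate that silently lacks the name you wanted. The field syntax, the hostname rules and the function names are assumptions made for this example; whether the CA actually issues an IP SAN still depends on the ACME provisioner, which the reply says step-ca supports per its documentation.

```python
"""Turn a Proxmox-style 'name;ip;...' ACME domain field into ACME identifiers.

Added example; not part of the video, step-ca or Proxmox VE. Assumes the
field syntax given in the reply above: entries separated by ';'.
"""
import ipaddress
import re

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen,
# at most 63 characters (RFC 1123 hostname rule; assumed strict enough here).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_domain_field(field: str) -> list[tuple[str, str]]:
    """Return [(type, value), ...] with type 'dns' or 'ip', in field order.

    Entries are trimmed, lower-cased (hostnames) or canonicalised (addresses),
    duplicates are dropped, and anything that cannot be an ACME identifier
    raises ValueError.
    """
    identifiers: list[tuple[str, str]] = []
    seen: set[tuple[str, str]] = set()

    for raw in field.split(";"):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing ';' or a doubled separator

        # An IP literal becomes an "ip" identifier (RFC 8738); ip_address()
        # raises ValueError for anything that is not an IPv4/IPv6 literal.
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            addr = None

        if addr is not None:
            ident = ("ip", addr.compressed)  # canonical form, e.g. fd00::1
        else:
            name = entry.rstrip(".").lower()  # drop a trailing root dot
            if "*" in name:
                raise ValueError(f"wildcard not allowed in this field: {entry!r}")
            labels = name.split(".")
            if len(name) > 253 or not all(_LABEL.match(lbl) for lbl in labels):
                raise ValueError(f"not a valid hostname: {entry!r}")
            ident = ("dns", name)

        if ident not in seen:
            seen.add(ident)
            identifiers.append(ident)

    if not identifiers:
        raise ValueError("domain field contains no identifiers")
    return identifiers


def acme_identifiers(field: str) -> list[dict[str, str]]:
    """Shape the parsed entries like the 'identifiers' array of an ACME newOrder."""
    return [{"type": t, "value": v} for t, v in parse_domain_field(field)]


if __name__ == "__main__":
    # Constructed sample matching the field shown in the reply above.
    for ident in acme_identifiers("prox1.servers.com;192.168.12.12"):
        print(ident)
```

Running it on the sample field prints one "dns" entry for prox1.servers.com and one "ip" entry for 192.168.12.12; after the CA issues, the same list is what you would compare against the certificate's SAN extension to confirm both names really made it in.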
Very interesting! Thanks for this video.
Yes, it's very useful
You can run it as a normal application, but I'm liking the container option
Retail switches for instance that don't support SSH will still need manual work
But I noticed Certbot supports a lot of systems so that could be used to automate other devices
+1
Nice coverage but too much of a hassle for using CLI
Docker has a desktop option
www.docker.com/products/docker-desktop/
And so does Podman
podman-desktop.io/
Portainer is an interesting alternative mind
www.portainer.io/
But for now at least it's only supporting Docker
The bootstrapping stuff I was doing was more for basic testing and updating the certificate store. It's not necessary for web browsers
Not much CLI work to do for Proxmox VE, but hopefully they'll add that into the GUI at some point