Use own SSL cert

Hi, this was my solution to setting a valid SSL (self-signed in my case, but should be the same for any other cert).  Hopefully this helps out anyone looking for assistance. 

I've set myself as the CA and am using a wildcard for all my internal web services. None of these are available outside of my private network, so not on the internet. 

  1. First, I connected to the flash drive \\hostname\flash
  2. I then drilled into the following sub-folders - config\ssl\certs
  3. I created a backup of my host's PEM file "vidplayer_unraid_bundle.pem"
  4. I cleared the data from the host's PEM file "vidplayer_unraid_bundle.pem" and inserted my own data as follows
    • Pasted the contents of the Server.CRT file - the one that will show the host information
    • Pasted the contents of the CA.CRT file
    • Pasted the contents of the Server.Key file
  5. Save and restart for the new cert to take effect.

Make sure Unraid has the local TLD set to your domain name (menu option "Settings > Manage Access"). Mine is set to "acsname.com".

I like this site for decoding and reviewing the CSR/PEM data - https://report-uri.com/home/pem_decoder

Below are the commands I use to create the CA and Server SSL data. Credit goes to Oren Oichman (https://two-oes.medium.com/working-with-openssl-and-dns-alternative-names-367f06a23841) for his tutorial. Once the "*_answer.txt" files are created, I would recommend reviewing and updating as required. 

### Run under Linux
### https://two-oes.medium.com/working-with-openssl-and-dns-alternative-names-367f06a23841

export DOMAIN="acsname.com"
export SHORT_NAME="wildcard"
export rsabits=2048

# This defines how long the cert is valid for. This can be redefined, but I personally keep it at 365 days.
# Since this requires renewing, and not regenerating, this script is only useful for the initial generation, or re-creating the
# entire thing, if you feel like it.
export certValidityDays=3650


## for the server
cat > ${SHORT_NAME}_answer.txt << EOF
[req]
default_bits = ${rsabits}
prompt = no
default_md = sha256
x509_extensions = req_ext
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=CA
ST=Ontario
L=Kanata
O=Joe Avelar
OU=Server
# placeholder: the address in the original post was obfuscated by the forum software
emailAddress = admin@${DOMAIN}
CN = ${SHORT_NAME}.${DOMAIN}

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
# wildcard covering every host under the domain (the posted value "*.${SHORT_NAME}" would match nothing)
DNS.1 = *.${DOMAIN}
#DNS.2 = ${SHORT_NAME}.${DOMAIN}
#DNS.3 = ???
EOF


## For the Root CA. 
cat > csr_ca.txt << EOF
[req]
default_bits = ${rsabits}
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = usr_cert

[ dn ]
C=CA
ST=Ontario
L=Kanata
O=Joe Avelar
OU=Root
# placeholder: the address in the original post was obfuscated by the forum software
emailAddress = admin@${DOMAIN}
CN = Joe Avelar

[ usr_cert ]
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF



#CA certificate and Key
#Generate the Key:

openssl genrsa -out ca.key ${rsabits}

# Generate the CA
openssl req -new -x509 -key ca.key -days ${certValidityDays} -out ca.crt -config csr_ca.txt 


#Generate Server Key
#Same as we did for the CA, we generate an RSA key of ${rsabits} bits.
openssl genrsa -out ${SHORT_NAME}.key ${rsabits}


#Generate Server CSR
#Now we generate the certificate request using the server key and the answer file we created at the beginning of this tutorial.
openssl req -new -key ${SHORT_NAME}.key -out ${SHORT_NAME}.csr -config ${SHORT_NAME}_answer.txt

#It is a very good practice at this point to test the CSR for DNS alternative names:
openssl req -in ${SHORT_NAME}.csr -noout -text | grep DNS


#Sign the Certificate Signing Request (CSR) for the server:
#Now comes the tricky part: we need to tell the CA to use the "alt_names" we set up in the answer file, and which section to look at for the values, so we add 2 more arguments for this purpose.

# use new CA
openssl x509 -req -in ${SHORT_NAME}.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out ${SHORT_NAME}.crt -days ${certValidityDays} -extensions 'req_ext' -extfile ${SHORT_NAME}_answer.txt

# use the existing CA
# openssl x509 -req -in ${SHORT_NAME}.csr -CA CA/ca.crt -CAkey CA/ca.key -CAcreateserial -out ${SHORT_NAME}.crt -days ${certValidityDays} -extensions 'req_ext' -extfile ${SHORT_NAME}_answer.txt

#Certificate bundle
#In some cases it is good practice to join the certificate and the CA into a single file (not all servers have a CA configuration option).

mv ${SHORT_NAME}.crt ${SHORT_NAME}-certonly.crt
cat ${SHORT_NAME}-certonly.crt ca.crt > ${SHORT_NAME}.crt

## This is for Pi-Hole
cat ${SHORT_NAME}.key ${SHORT_NAME}-certonly.crt | tee combined.pem


cat ${SHORT_NAME}.crt > ${SHORT_NAME}.pem
cat ${SHORT_NAME}.key > ${SHORT_NAME}_key.pem


Edited by Joe Avelar
Fixed a typo for 3rd point on item 4.
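As an added example (this is not the post's own script, nor anything from the linked tutorial), the shell below builds a throwaway CA and wildcard server certificate with the same OpenSSL config layout as the post, assembles the three-part PEM bundle in the order the post pastes it (server cert, then CA cert, then server key), and then runs the checks worth doing before the file is copied onto the flash drive: block count and order, key/cert match, chain to the CA, hostname coverage by the SAN wildcard, and expiry. The domain example.test, the host nas.example.test, the function names and all file names are constructed for this demo; the only requirement is an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not the script from the post: build a throwaway CA plus a
# wildcard server certificate, assemble the three-part PEM bundle the post
# describes (server cert, then CA cert, then server key), and run the checks
# worth doing before the bundle goes onto the flash drive. The domain
# example.test and all file names are constructed for this demo.
set -u

# make_test_pki DIR DOMAIN: write ca.key, ca.crt, server.key, server.crt into DIR.
make_test_pki() {
  dir=$1; domain=$2
  mkdir -p "$dir"
  cat > "$dir/server.cnf" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = wildcard.$domain
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.$domain
DNS.2 = $domain
EOF
  cat > "$dir/ca.cnf" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = Demo Root CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null &&
  openssl req -new -x509 -key "$dir/ca.key" -days 3650 -out "$dir/ca.crt" \
    -config "$dir/ca.cnf" &&
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -config "$dir/server.cnf" &&
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -extensions req_ext -extfile "$dir/server.cnf" \
    -out "$dir/server.crt" 2>/dev/null
}

# bundle_for_unraid DIR OUT: concatenate in the order the post pastes them.
bundle_for_unraid() {
  cat "$1/server.crt" "$1/ca.crt" "$1/server.key" > "$2"
}

# check_bundle FILE HOST: return 0 only if FILE holds server cert + CA cert + key
# in that order, the key matches the cert, the cert chains to the CA, covers HOST
# and is not expired. Each failure is reported on stderr.
check_bundle() {
  bundle=$1; host=$2; rc=0
  tmp=$(mktemp -d)
  # split the bundle back into PEM blocks: cert1 (expected server), cert2 (expected CA), key
  awk -v d="$tmp" '
    /^-----BEGIN CERTIFICATE-----/   { n++; out = d "/cert" n ".pem" }
    /^-----BEGIN .*PRIVATE KEY-----/ { out = d "/key.pem" }
    out != ""                        { print > out }
    /^-----END /                     { out = "" }
  ' "$bundle"
  if [ "$(grep -c 'BEGIN CERTIFICATE' "$bundle")" -ne 2 ] || [ ! -s "$tmp/key.pem" ]; then
    echo "bundle must contain exactly two certificates and one private key" >&2; rc=1
  fi
  if ! openssl verify -CAfile "$tmp/cert2.pem" "$tmp/cert1.pem" >/dev/null 2>&1; then
    echo "first certificate does not chain to the second: wrong order or wrong CA" >&2; rc=1
  fi
  openssl x509 -in "$tmp/cert1.pem" -noout -pubkey > "$tmp/cert.pub" 2>/dev/null
  openssl pkey -in "$tmp/key.pem" -pubout > "$tmp/key.pub" 2>/dev/null
  if ! cmp -s "$tmp/cert.pub" "$tmp/key.pub"; then
    echo "private key does not belong to the first certificate" >&2; rc=1
  fi
  if ! openssl x509 -in "$tmp/cert1.pem" -noout -checkhost "$host" 2>/dev/null | grep -q 'does match'; then
    echo "certificate does not cover $host (check the SAN wildcard)" >&2; rc=1
  fi
  if ! openssl x509 -in "$tmp/cert1.pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo "certificate is expired" >&2; rc=1
  fi
  rm -rf "$tmp"
  return $rc
}

# Full round trip when run directly:  sh check_bundle.sh demo
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_test_pki "$work" example.test
  bundle_for_unraid "$work" "$work/bundle.pem"
  check_bundle "$work/bundle.pem" nas.example.test && echo "bundle OK: $work/bundle.pem"
fi
```

To check a bundle you assembled by hand, call `check_bundle /path/to/vidplayer_unraid_bundle.pem nas.acsname.com` with your own host name; the chain check is what catches the CA and server certificates pasted in the wrong order, and the hostname check is what catches a SAN entry such as `*.wildcard` that does not actually cover the domain.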