HTTPS Certificates (off Topic)

3 thoughts on - HTTPS Certificates (off Topic)

You create a self-signed certificate.

The first time a browser connects, it will give the user a warning. You can suppress that warning when connecting with scripts – either by globally accepting any self-signed certificate or by setting up your own CA that the script tools are scripted to trust.

I believe self-signed work with either IP or with a hostname on your local network.

use most the PKI/SSL tool on the box to generate a certificate signing request (CSR), copy this small test file any way you want (copy/paste from a terminal session? put on a USB stick?) and send it to a certificate authority, they generate a signed certificate, you bring the resulting CRT back and import it back into the server’s key store.

if this is https just for private use, you could run your own private root CA, sign your own certificates, it would simply be necessary to import your CA’s public key into any browser that you want to trust the signed private keys.

To add small details to John’s explanations:

1. To have valid CA signed Certificate you do have to provide FQDN (Fully Qualified Domain Name), which should be on real network. In your case, when you have server behind NAT router with port forwarding it should be public address of your router. (most CA authorities will also verify if you are the owner of said domain) As it will be that address that client from real network will see as your server address.

2. If you only will be accessing server from private IP address space, then your server doesn’t have real FQDN, the best then would be to either run your own CA as John said, or make self-signed cert, and tell all clients to trust that.

3. if it bot:h access from public and private IP space, then in addition to doing 1, you will need to make sure on private IP space the IP of your server is also resolved as having public FQDN (otherwise clients will complain that presented certificate doesn’t belong to that server).

I hope, this helps.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

Alice Wonder says:

September 28, 2016 at 10:40 pm

You create a self-signed certificate.

The first time a browser connects, it will give the user a warning. You can suppress that warning when connecting with scripts – either by globally accepting any self-signed certificate or by setting up your own CA that the script tools are scripted to trust.

I believe self-signed work with either IP or with a hostname on your local network.
John R says:

September 28, 2016 at 10:41 pm

use most the PKI/SSL tool on the box to generate a certificate signing request (CSR), copy this small test file any way you want (copy/paste from a terminal session? put on a USB stick?) and send it to a certificate authority, they generate a signed certificate, you bring the resulting CRT back and import it back into the server’s key store.

if this is https just for private use, you could run your own private root CA, sign your own certificates, it would simply be necessary to import your CA’s public key into any browser that you want to trust the signed private keys.
Valeri Galtsev says:

September 29, 2016 at 10:41 am

To add small details to John’s explanations:

1. To have valid CA signed Certificate you do have to provide FQDN (Fully Qualified Domain Name), which should be on real network. In your case, when you have server behind NAT router with port forwarding it should be public address of your router. (most CA authorities will also verify if you are the owner of said domain) As it will be that address that client from real network will see as your server address.

2. If you only will be accessing server from private IP address space, then your server doesn’t have real FQDN, the best then would be to either run your own CA as John said, or make self-signed cert, and tell all clients to trust that.

3. if it bot:h access from public and private IP space, then in addition to doing 1, you will need to make sure on private IP space the IP of your server is also resolved as having public FQDN (otherwise clients will complain that presented certificate doesn’t belong to that server).

I hope, this helps.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

HTTPS Certificates (off Topic)

3 thoughts on - HTTPS Certificates (off Topic)

Recommended

Recent Posts

Recent Comments

Archives

Categories

Meta