SSL Certificates

Managing SSL Certificates

This guide will walk you through the process of creating a custom Certificate Authority (CA) and using it to sign certificates for your internal services. This is useful for securing communication between services in your homelab.

1. Creating a Certificate Authority (CA)

  1. Log in to your Domain Controller's shell.

  2. Generate the CA key:

     openssl genrsa -out /root/certs/domain-ca.key 4096

  3. Generate the CA certificate:

     openssl req -new -x509 -days 3650 -key /root/certs/domain-ca.key -out /root/certs/domain-ca.crt -subj "/O=Your Homelab/OU=CA/CN=Your Homelab CA" -set_serial 1000

2. Creating a Certificate for your Domain Controller

  1. Create a Subject Alternative Name (SAN) configuration file:
    • Create a file named /root/certs/dc1_san.cnf with the following content. Replace the DNS and IP values with your domain controller's information.

     [ req ]
     default_bits       = 4096
     prompt             = no
     default_md         = sha256
     distinguished_name = dn
     req_extensions     = req_ext

     [ dn ]
     O  = Your Homelab
     OU = AD
     CN = dc1.yourdomain.com

     [ req_ext ]
     subjectAltName = DNS:dc1.yourdomain.com,IP:10.10.10.1

  2. Generate the key and Certificate Signing Request (CSR):

     openssl genrsa -out /root/certs/dc1.yourdomain.com.key 4096
     openssl req -new -key /root/certs/dc1.yourdomain.com.key -out /root/certs/dc1.yourdomain.com.csr -config /root/certs/dc1_san.cnf

  3. Sign the certificate with your CA:

     openssl x509 -req -days 3650 -in /root/certs/dc1.yourdomain.com.csr \
       -CA /root/certs/domain-ca.crt -CAkey /root/certs/domain-ca.key -CAcreateserial \
       -out /root/certs/dc1.yourdomain.com.crt -sha256 \
       -extfile /root/certs/dc1_san.cnf -extensions req_ext

3. Configuring Samba to Use the New Certificate

  1. Copy the certificate, key and CA certificate to the Samba TLS directory:

     cp /root/certs/dc1.yourdomain.com.crt /var/lib/samba/private/tls/myCert.pem
     cp /root/certs/dc1.yourdomain.com.key /var/lib/samba/private/tls/myKey.pem
     cp /root/certs/domain-ca.crt /var/lib/samba/private/tls/ca.crt

  2. Edit the Samba configuration file (/etc/samba/smb.conf):
    • Add the following lines to the [global] section to enable TLS and point to your certificates (paths are relative to Samba's private directory):

     [global]
         ...
         tls enabled  = yes
         tls keyfile  = tls/myKey.pem
         tls certfile = tls/myCert.pem
         tls cafile   = tls/ca.crt
         ...

  3. Restart the Samba service:

     systemctl restart samba-ad-dc

Create a certificate for a service

To create a certificate for a service, follow the same process as before. Instead of copying the generated certificate into Samba's tls directory, place the certificate and key where the service expects them and update the paths in that service's configuration files.
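The CA creation, the SAN-based signing steps of sections 1 and 2, and the per-service reuse described above, as one added shell example (not code from the guide) with a verification step the guide omits. Assumed names: CERT_DIR, KEY_BITS, make_ca, issue_service_cert and verify_service_cert; the CA extensions in make_ca are an addition so the CA certificate does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example, not code from the guide: the CA and service-certificate steps
# above as shell functions, plus a verification step the guide omits.
# Assumed names: CERT_DIR, KEY_BITS, make_ca, issue_service_cert, verify_service_cert.
set -eu
CERT_DIR="${CERT_DIR:-/root/certs}"   # same directory the guide uses
KEY_BITS="${KEY_BITS:-4096}"

# make_ca: CA key + self-signed CA cert. Unlike the guide, the CA extensions
# are spelled out (CA:TRUE, keyCertSign) so the result does not depend on the
# system openssl.cnf; this is an addition, not the guide's command.
make_ca() {
  mkdir -p "$CERT_DIR"
  printf '%s\n' '[ req ]' 'prompt = no' 'default_md = sha256' \
    'distinguished_name = dn' 'x509_extensions = v3_ca' '[ dn ]' \
    'O = Your Homelab' 'OU = CA' 'CN = Your Homelab CA' '[ v3_ca ]' \
    'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier = hash' > "$CERT_DIR/ca.cnf"
  openssl genrsa -out "$CERT_DIR/domain-ca.key" "$KEY_BITS" 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$CERT_DIR/domain-ca.key" \
    -out "$CERT_DIR/domain-ca.crt" -config "$CERT_DIR/ca.cnf" -set_serial 1000
}

# issue_service_cert <fqdn> <ip>: SAN config, key, CSR, then CA signature,
# the same sequence as section 2 of the guide, for any host name.
issue_service_cert() {
  fqdn="$1"; ip="$2"; cnf="$CERT_DIR/${fqdn}_san.cnf"
  printf '%s\n' '[ req ]' "default_bits = $KEY_BITS" 'prompt = no' \
    'default_md = sha256' 'distinguished_name = dn' 'req_extensions = req_ext' \
    '[ dn ]' 'O = Your Homelab' 'OU = AD' "CN = $fqdn" \
    '[ req_ext ]' "subjectAltName = DNS:$fqdn,IP:$ip" > "$cnf"
  openssl genrsa -out "$CERT_DIR/$fqdn.key" "$KEY_BITS" 2>/dev/null
  openssl req -new -key "$CERT_DIR/$fqdn.key" -out "$CERT_DIR/$fqdn.csr" -config "$cnf"
  openssl x509 -req -days 3650 -in "$CERT_DIR/$fqdn.csr" \
    -CA "$CERT_DIR/domain-ca.crt" -CAkey "$CERT_DIR/domain-ca.key" -CAcreateserial \
    -out "$CERT_DIR/$fqdn.crt" -sha256 -extfile "$cnf" -extensions req_ext 2>/dev/null
}

# verify_service_cert <fqdn>: the check to run before copying anything into
# Samba: the cert chains to the CA and carries the expected DNS SAN.
verify_service_cert() {
  openssl verify -CAfile "$CERT_DIR/domain-ca.crt" "$CERT_DIR/$1.crt" >/dev/null &&
    openssl x509 -in "$CERT_DIR/$1.crt" -noout -text | grep -q "DNS:$1"
}
# Usage: make_ca && issue_service_cert dc1.yourdomain.com 10.10.10.1 \
#        && verify_service_cert dc1.yourdomain.com
```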

[!IMPORTANT] Certificates issued by your own CA are not automatically accepted by other services, because the CA is not in their trust store. There are several ways to fix this; the most common is to add the CA certificate (or the trusted chain) to the host's certificate store. To do so, copy the PEM-encoded CA certificate to /usr/local/share/ca-certificates with a .crt extension (update-ca-certificates only picks up files named *.crt) and run the update-ca-certificates command.

Next Steps

Now that you have a CA and have secured your domain controller, you can proceed to set up Authelia.