Homelab Certificate Authority Guide | Get Rid of TLS Warnings
- Published: 14 Jul 2024
- Create a homelab CA using Vault and configure your servers to trust it.
► Patreon: / thsudo
► Buy Me a Coffee: www.buymeacoffee.com/TheSudo
► $7 PDF Guide: / shop
💻 The bash command to restore the line breaks in a CSR, certificate, or private key that has been flattened onto a single line (for example by the clipboard). The header match accepts any PEM label, so CERTIFICATE REQUEST and PRIVATE KEY headers stay intact, and each run of spaces in the body becomes a newline (GNU sed):
sed -E 's/(-+(BEGIN|END) [A-Z ]+-+) *| +/\1\n/g' intermediate_csr.pem
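As an added example (not the video's own command), here is a Python version of the same repair that handles any PEM label, several blocks in one paste (a whole chain), and refuses input whose base64 no longer decodes. The sample CSR body is constructed and is not a real request.

```python
import base64
import re

# One PEM block: any label (CERTIFICATE, CERTIFICATE REQUEST, RSA PRIVATE KEY, ...)
# with whatever ended up between the BEGIN and END lines after a copy-paste.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END ([A-Z ]+)-----", re.DOTALL)


def unflatten_pem(text: str) -> str:
    """Rebuild 64-column PEM blocks from text whose line breaks became spaces.

    Every PEM block in `text` (so a whole chain works) is re-emitted with its
    base64 body wrapped at 64 columns. Raises ValueError if the BEGIN/END labels
    disagree or the body is not valid base64, i.e. the paste lost characters.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        begin_label, body, end_label = match.groups()
        if begin_label != end_label:
            raise ValueError(f"label mismatch: BEGIN {begin_label} / END {end_label}")
        b64 = re.sub(r"\s+", "", body)            # drop every stray space/newline
        base64.b64decode(b64, validate=True)      # fail loudly on a corrupted paste
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("\n".join([f"-----BEGIN {begin_label}-----", *lines,
                                 f"-----END {end_label}-----"]))
    if not blocks:
        raise ValueError("no PEM block found in input")
    return "\n".join(blocks) + "\n"


# Constructed sample (not a real CSR): fake DER bytes, base64-encoded and then
# flattened onto one line with spaces, the way the clipboard did in the video.
SAMPLE_DER = b"constructed sample, not a real certificate request " * 3
_b64 = base64.b64encode(SAMPLE_DER).decode()
FLATTENED_CSR = ("-----BEGIN CERTIFICATE REQUEST----- "
                 + " ".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
                 + " -----END CERTIFICATE REQUEST-----")

if __name__ == "__main__":
    print(unflatten_pem(FLATTENED_CSR))
```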
▬▬▬▬▬▬ R E F E R E N C E S AND LINKS 🔗▬▬▬▬▬▬
► Vault Docs: developer.hashicorp.com/vault...
▬▬▬▬▬▬ What you’ll learn in 50 Minutes ✅ ▬▬▬▬▬▬
► How to install, start, and initialize Vault
► How to create a root and intermediate CA
► How to issue certificates for applications in your lab
► How to configure various operating systems to trust your certificates
► How to configure TLS for Heimdall
▬▬▬▬▬▬ T I M E S T A M P S ⏰ ▬▬▬▬▬▬
00:00 - Intro
01:28 - Is this Video For You?
02:24 - Install Vault
05:08 - Configure and Start Vault
07:20 - Initialize and Unseal Vault
10:20 - Logging into Vault
11:15 - Creating the Root CA
15:24 - Creating the Intermediate CA
18:30 - Clipboard Copy API Error Fix
20:45 - Continuing the Intermediate CA
24:20 - Create A Role to Issue Certificates
30:48 - Issue a Certificate for an Application
36:48 - Configure an Application With the Cert and Key
40:42 - Install the CA certificate on Ubuntu/Debian
45:36 - Install the CA certificate on RHEL/Fedora/CentOS
48:35 - Install the CA certificate on Windows
/ is a FORWARD slash. The backslash is used for CP/M/DOS/Windows. Internet services that originated on Unix or similar systems use forward slashes, or just "the slash".
I have a feeling I mixed up my slashes in this video, didn’t I?
Awesome video, thanks!! One thing you missed, though, is that you should not add the intermediate cert as trusted. You should always advise your webserver to send the whole chain. If that's done right, the browser or any other client will be able to validate the whole chain only with the RootCA
The clipboard API is disabled by the browser due to the page not being served over HTTPS.
Why use a VM and not a CT? That would save you a lot of resources.
Why not use hostnames rather than IPs? These should be bound if your local DNS is working correctly; something like vault.local should work.
Any good cert parser will fully ignore the formatting; enters, spaces etc. get ignored. No need to format it with sed.
Cool video. A little bit messy
Very messy and overcomplicated
After all the steps are done, can you go back and generate a cert for Vault? I have vault running in a docker on Unraid
You certainly can, as long as there's no cyclical dependency in which Vault requires the cert to operate but you can't get the cert because Vault won't operate. This isn't an issue to my knowledge.
Nice shirt
🥳
What game is that in the background?
Shadow of Mordor?
Final Fantasy 16
I think you have such subscribers but you are not getting any views