Some of you might have a Lab-In-A-Box environment and/or want to use the local Windows server for certificate maintenance, like I do. Nearly all of my certs are issued by the Windows domain CA, even though I have a registration authority (RA) on my PAN firewall; I only use that for local services like GP and others.
I want to use a trusted certificate with the nginx web server on the MineMeld box (and with Rome [8.0] I do), but I also want additional DNS names and an IP address in the certificate as subject alternative names (SANs), for convenience and to fulfil some dependencies of Rome. Think about CNAMEs and the DNS "domain search" list: don't you want to browse to "https://minemeld" instead of "https://minemeld.servers.yourdomain.local" and still get a valid connection with a valid certificate? Keep in mind that once a certificate carries a SAN extension, browsers match the host name against the SAN list only and ignore the CN, so every name you will ever type, including the one in the CN, has to be in the SAN list.
I usually answer certificate requests via the web GUI on my AD server (https://my-server.mydomain.local/certsrv). Setting up the CA server itself is a completely different beast and is not covered here!
Your Windows CA server (2012 in my case) has to accept alternative names that are supplied as request attributes. Prepare your Windows certificate authority to support certificates with alternative names:
On your Windows domain and certificate server, log in as an administrator of the CA, open a cmd window and paste the following:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
Restart your certificate authority: in Services, restart "Active Directory Certificate Services".
A word of caution: with this flag set, anyone who can submit a request to this CA can attach arbitrary SANs to it, including names (and user principal names) they do not own. On an enterprise CA whose templates are also used for client authentication this is a well-known privilege-escalation path (Microsoft's own documentation of the flag notes the risk, and it is the "ESC6" condition in the SpecterOps AD CS research). That is acceptable in a lab, but on a production CA prefer putting the SANs into the CSR itself with a template that takes the subject from the request, and clear the flag again afterwards.
Now you have to create a private key and a certificate signing request (CSR) on your MineMeld box, sign the request in your Windows CA (via the web GUI), copy the signed certificate back to the MineMeld box, create the .pem file there and finally copy the .cer and .pem files to the right location. I will go through it step by step (transferring files to and from your MineMeld server is up to you; I recommend 'scp' or tools like PuTTY, SecureCRT or others).
Create a Certificate Signing Request:
Become root on your MineMeld server after logging in as ubuntu:
$ su -
or
$ sudo bash
Create a private key:
# openssl genrsa -aes256 -out minemeld.key 2048
- Enter your passphrase
Note that -aes256 encrypts the key file with this passphrase. That is fine for the copy you keep, but nginx cannot start unattended with an encrypted key, which is why a passphrase-free copy is written as minemeld.pem further below.
Create a CSR (certificate signing request), of course replacing the values with your own:
# openssl req -new -key minemeld.key -sha256 -subj '/C=DE/ST=NRW/L=Duesseldorf/O=Klauzi Private/OU=Admin Team/CN=minemeld.servers.klauzi.local/emailAddress=admin@klauzi.local' -out minemeld.csr
- Enter your pass phrase for the private key (minemeld.key)
# cat minemeld.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
You will have to copy the whole output of the "cat" command, including the BEGIN and END lines, and paste it into the Windows certificate signing request dialog.
Sign your CSR:
Open your CA web GUI: https://your-ad-server/certsrv, click on "Request a certificate", then on "advanced certificate request".
Paste your output from above into the edit box "Saved Request", choose "Web Server" as the certificate template and fill in "Attributes". The string in the "Attributes" edit window has to look like this: san:parameter=value&parameter=value&parameter=value
For our example (the CN from the CSR is listed again as a dns entry, because a browser only looks at the SAN list once one is present; the dns=192.168.5.20 entry is redundant for standards-compliant clients, which match an IP against the ipaddress entry, and can be dropped):
san:ipaddress=192.168.5.20&dns=192.168.5.20&dns=minemeld.servers.klauzi.local&dns=minemeld.klauzi.local&dns=minemeld
Submit, then choose "(x) Base 64 encoded" on the next screen before "Download certificate". Save it as minemeld.cer.
Install your certificate on your MineMeld box:
Copy the file "minemeld.cer" to your ubuntu account on the MineMeld box via "scp" (or another tool):
$ scp minemeld.cer ubuntu@<ip.add.re.ss>:
On your MineMeld box you should now have three minemeld.* files:
- minemeld.key (the encrypted private key)
- minemeld.csr (the request, no longer needed once the certificate is issued)
- minemeld.cer (the certificate signed by your CA)
The next steps are creating the .pem file, copying the files to the nginx config directory and restarting the server. On the MineMeld box nginx expects the certificate as /etc/nginx/minemeld.cer and the private key as /etc/nginx/minemeld.pem (that is why both are backed up below), so the .pem file is simply your private key with the passphrase removed, because nginx has to read it unattended at boot:
Create the .pem file:
# openssl rsa -in minemeld.key -out minemeld.pem
- Enter your pass phrase
minemeld.pem now holds the unencrypted private key; keep it readable by root only (mode 0600).
Back up the files shipped with MineMeld:
# cp /etc/nginx/minemeld.cer /etc/nginx/minemeld.cer.orig
# cp /etc/nginx/minemeld.pem /etc/nginx/minemeld.pem.orig
Copy the new files to "/etc/nginx/":
# cp minemeld.pem minemeld.cer /etc/nginx/
Restart the nginx server:
# /etc/init.d/nginx restart
If nginx does not come back, the usual causes are a certificate that does not belong to the key or a key file that still carries a passphrase; /var/log/nginx/error.log will say which.
That should do it!
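As an added example (not code from the original post or from MineMeld), the following script does the Linux side of the procedure above with the SANs placed inside the CSR, and adds the checks worth running on the signed minemeld.cer before anything is copied to /etc/nginx: the certificate must belong to the key, every requested name must be present in its SAN list (matched entry by entry, so "minemeld" is not satisfied by "minemeld.klauzi.local"), and it must chain to the CA. Because the Windows CA is not reachable offline, a throwaway local CA signs the request in its place, once copying the request's extensions and once dropping them, which is the failure these checks are meant to catch. The names, IP and subject are the post's lab values; the assumption is that your real template takes the subject from the request and therefore copies the CSR's SAN extension, so neither the certsrv Attributes box nor EDITF_ATTRIBUTESUBJECTALTNAME2 is needed (verify this against your own CA).

```shell
#!/bin/sh
# Added example, not code from the original post or from MineMeld: it builds the
# key and a CSR that carries the SANs itself, and runs the checks worth doing on
# the signed minemeld.cer before anything is copied to /etc/nginx. Host names,
# IP and subject are the post's lab values (assumed); WORK is a scratch directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CN="minemeld.servers.klauzi.local"
# The CN appears again as a dNSName: once a SAN exists, clients ignore the CN.
SANS="DNS:${CN},DNS:minemeld.klauzi.local,DNS:minemeld,IP:192.168.5.20"

# 1. Private key and CSR. The SAN extension rides inside the CSR, so a template
#    that takes the subject from the request can copy it. The key is not
#    encrypted (no -aes256) because nginx has to read it unattended at boot;
#    file permissions protect it instead.
make_csr() {
  cat > "$WORK/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[dn]
C  = DE
ST = NRW
L  = Duesseldorf
O  = Klauzi Private
CN = ${CN}
[v3_req]
subjectAltName = ${SANS}
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl genrsa -out "$WORK/minemeld.key" 2048 2>/dev/null
  chmod 600 "$WORK/minemeld.key"
  openssl req -new -sha256 -key "$WORK/minemeld.key" \
    -config "$WORK/csr.cnf" -out "$WORK/minemeld.csr"
}

# SAN entries of a CSR (kind=req) or a certificate (kind=x509), one per line,
# in openssl's own notation: "DNS:minemeld", "IP Address:192.168.5.20".
san_list() {
  openssl "$2" -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 \
    | tr ',' '\n' | sed 's/^ *//'
}

# 2. Checks on the returned certificate: it must belong to our private key and
#    carry every requested name. Each entry is matched as a whole line, so
#    "DNS:minemeld" is not satisfied by "DNS:minemeld.klauzi.local".
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl rsa -in "$2" -pubout 2>/dev/null)" ]
}

cert_has_sans() {
  for name in $(printf '%s' "$SANS" | tr ',' ' '); do
    case "$name" in IP:*) name="IP Address:${name#IP:}" ;; esac
    san_list "$1" x509 | grep -qxF "$name" || return 1
  done
}

# Everything to confirm before copying the files to /etc/nginx; $1 is the CA
# certificate to chain against (your Windows CA's certificate in real life).
ready_for_nginx() {
  cert_matches_key "$WORK/minemeld.cer" "$WORK/minemeld.key" \
    && cert_has_sans "$WORK/minemeld.cer" \
    && openssl verify -CAfile "$1" "$WORK/minemeld.cer" >/dev/null 2>&1
}

# 3. Stand-in for the Windows CA so this runs offline: a throwaway local CA.
#    copy_sans=yes imitates a template that copies the request's extensions,
#    copy_sans=no a CA that silently drops them (the failure the checks catch).
sign_with_test_ca() {
  copy_sans="$1"
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 1 \
    -config "$WORK/csr.cnf" -extensions v3_ca -subj '/CN=Test CA' \
    -keyout "$WORK/ca.key" -out "$WORK/ca.cer" 2>/dev/null
  set -- -req -in "$WORK/minemeld.csr" -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -out "$WORK/minemeld.cer"
  if [ "$copy_sans" = yes ]; then
    set -- "$@" -extfile "$WORK/csr.cnf" -extensions v3_req
  fi
  openssl x509 "$@" 2>/dev/null
}

# Offline walk-through: request, sign with the test CA, check.
make_csr
echo "CSR asks for:"; san_list "$WORK/minemeld.csr" req
sign_with_test_ca yes
ready_for_nginx "$WORK/ca.cer" && echo "OK: minemeld.cer matches the key and all SANs are present"
```

Against the real CA you only use the first and second parts: run make_csr, submit $WORK/minemeld.csr through certsrv as described above, drop the Base64 minemeld.cer into $WORK and call ready_for_nginx with your CA's certificate instead of the test CA. If cert_has_sans fails, the CA did not copy the request's extensions and the Attributes box route from the post is the fallback.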