Create a Self-Signed SSL Certificate on Windows

You can create a self-signed certificate using PowerShell.

  1. Open PowerShell as Administrator.
  2. Run these commands to create a new self-signed certificate, then export the certificate and a password-protected .pfx file that holds the private key:
```powershell
# Define file paths
$certPath = "C:\Users\<YourUser>\bolt-certs"
New-Item -ItemType Directory -Path $certPath -Force

# Create self-signed cert
$cert = New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My"

# Export certificate (public part). Export-Certificate writes DER, not PEM,
# so the file is named .cer; the PEM files are produced from the PFX in the next step.
Export-Certificate -Cert $cert -FilePath "$certPath\cert.cer"

# Export certificate and private key as a password-protected PFX
$pfxPath = "$certPath\cert.pfx"
$password = ConvertTo-SecureString -String "YourStrongPassword" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password
```
  3. Convert the .pfx file to .key and .pem files (Docker usually wants .key and .crt or .pem separately).
    You can do this using OpenSSL (if you have it installed, e.g., via Git Bash or WSL):
```bash
# Navigate to cert folder (adjust path)
cd /c/Users/<YourUser>/bolt-certs

# Extract key (-nodes writes key.pem unencrypted, so restrict access to the file)
openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes -password pass:YourStrongPassword

# Extract cert
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem -password pass:YourStrongPassword
```

SSL for the home lab

https://myhomelab.gr/linux/2019/12/13/local-ca-setup.html

My domain: daisy-street.fr

Pihole

Pihole DNS configuration: 192.168.1.50

Point the servers at the Pihole DNS/DHCP

```bash
nano /etc/netplan/00-installer-config.yaml
nano /etc/resolv.conf
nano /etc/hostname
```

Install Traefik

docker-compose.yml

Generate the Traefik password

```bash
sudo apt install apache2-utils
echo $(htpasswd -nb <USER> <PASSWORD>) | sed -e s/\\$/\\$\\$/g
```

docker-compose.yml (excerpt):

```yaml
    volumes:
      - /SystemSvg/VM_109/traefik/data/traefik.yml:/traefik.yml:ro
      - /SystemSvg/VM_109/traefik/data/acme.json:/acme.json
      - /SystemSvg/VM_109/traefik/data/config.yml:/config.yml:ro
    labels:
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.local.daisy-street.fr`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=<USER>:<HASHED-PASSWORD>"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.local.daisy-street.fr`)"
```

Configure SSL

```bash
# Root CA private key, encrypted with a passphrase (-des3)
openssl genrsa -des3 -out root.key 2048
```

```console
david@legion2:/SystemSvg/clersa$ openssl req -x509 -new -nodes -key root.key -sha256 -days 7200 -out root.pem
Enter pass phrase for root.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Hauts-de-Seine
Locality Name (eg, city) []:Antony
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Homelab
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:DaisyStreet HomeLab Authority
Email Address []:
david@legion2:/SystemSvg/clersa$
```

```bash
# Private key for the wildcard certificate
openssl genrsa -out wildcard.homelab.home.key 2048
# Request configuration, including the subjectAltName
nano opensslsan.cnf
```

```ini
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = FR
ST = Hauts-de-Seine
L = Antony
O = Wildcard Homelab Inc
OU = IT
CN = *.homelab.home
[v3_req]
# digitalSignature added: ECDHE key exchange and TLS 1.3 sign the handshake with the certificate key
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.homelab.home
```
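```bash
# Create the CSR from the wildcard key and the SAN configuration
openssl req -new -out wildcard.homelab.home.csr \
  -key wildcard.homelab.home.key \
  -config opensslsan.cnf

# Sign the CSR with the root CA. -extensions/-extfile re-apply v3_req,
# because openssl x509 -req does not copy extensions from the CSR.
openssl x509 -req -in wildcard.homelab.home.csr \
  -CA root.pem \
  -CAkey root.key \
  -CAcreateserial \
  -out wildcard.homelab.home.crt \
  -days 7200 \
  -sha256 \
  -extensions v3_req \
  -extfile opensslsan.cnf
```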
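
The signing command above passes `-extensions v3_req -extfile opensslsan.cnf` because `openssl x509 -req` does not carry over the extensions requested in the CSR. The script below is an added example, not part of the original notes: it builds a throwaway CA and wildcard certificate in a temp dir (demo subject, file names and function names are constructed) and runs three pre-deployment checks: chain to the CA, key/certificate match, and SAN presence.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes. Subjects, file names and
# function names are constructed; everything is created in a temp dir.
set -eu

make_demo_pki() (   # $1 = working directory; subshell so cwd is not changed
  cd "$1"
  cat > san.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = *.homelab.home
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.homelab.home
EOF
  openssl genrsa -out root.key 2048 2>/dev/null
  openssl req -x509 -new -key root.key -sha256 -days 30 -config san.cnf \
    -extensions v3_ca -subj "/CN=Demo HomeLab Authority" -out root.pem
  openssl genrsa -out leaf.key 2048 2>/dev/null
  openssl req -new -key leaf.key -config san.cnf -reqexts v3_req -out leaf.csr
  sign() { openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key \
             -CAcreateserial -days 30 -sha256 "$@" 2>/dev/null; }
  sign -extensions v3_req -extfile san.cnf -out leaf.crt  # as on the page
  sign -out nosan.crt   # no -extfile: the SAN requested in the CSR is dropped
)

# Does the certificate chain to the CA and allow TLS server use?
chain_ok() { openssl verify -CAfile "$1" -purpose sslserver "$2" 2>/dev/null | grep -q ': OK$'; }
# Do the certificate and the private key hold the same public key?
key_matches() { [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]; }
# Is the name present as a dNSName SAN?
has_san() { openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"; }

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
make_demo_pki "$work"
for crt in leaf.crt nosan.crt; do
  chain_ok "$work/root.pem" "$work/$crt" && echo "$crt: chains to root"
  key_matches "$work/$crt" "$work/leaf.key" && echo "$crt: key matches"
  has_san "$work/$crt" '*.homelab.home' && echo "$crt: SAN present" || echo "$crt: SAN MISSING"
done
```

To run the same checks on the real files, call the three functions with `root.pem`, `wildcard.homelab.home.crt` and `wildcard.homelab.home.key`.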