Certificate server PKI

Create a new Alpine LXC container with the following specs:

  • 32 MB memory
  • 2 GB disk
  • 32 MB swap
  • 1 core cpu
  • network

Install packages

To run easyrsa, we need some extra packages and settings:

  • openssl
  • edit /etc/ssh/sshd_config and permit logins

Be sure root has a complex password.

How it works is described in the EasyRsa manual.

Download EasyRsa to the /opt directory.
Untar the archive there and rename the directory to easyrsa.
Now change into the easyrsa directory and run the following commands to initiate your CA:

```
./easyrsa init-pki
./easyrsa build-ca
```

This creates a new ca.crt in the following location: /opt/easyrsa/pki/ca.crt
Add the certificate to the trust store on hosts that must verify the certificates.

create csr

On the host you want to create a certificate for:

To create a certificate request, create a directory to hold the CSR and key, then generate them:

```
mkdir cert
cd cert
openssl req -new -newkey rsa:2048 -nodes -keyout <fqdn>.key -out <fqdn>.csr
```

Copy the generated CSR to your cert server into the /opt directory. Easyrsa doesn't support adding a SubjectAlternativeName from the CSR; this extension is not
loaded by default.
It can be added while signing the request instead.
See below.

import the request in easyrsa

Before signing the CSR, we must import the request into our tooling:

```
./easyrsa import-req <path to copied csr> <your_local_shortname>
```

When the import is successful, you can sign the request to make a valid certificate.

## Sign the request

Signing a request with easyrsa is done with the command below.
The subject-alt-names are added here; the last argument is the short name you gave at import.

```
./easyrsa --subject-alt-name='DNS:<fqdn>,DNS:<alias>' \
  sign-req server <your_local_shortname>
```

Install the certificate as your application requires.
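The whole flow above (CSR on the host, signing with the SAN added at signing time, and the check a host with ca.crt in its trust store performs) as an added example done with plain openssl, so it runs without easyrsa and shows what to verify on the result. This is not code from the page or from the EasyRSA project; the scratch directory, the lab CA subject and the hostnames are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original page): CSR -> sign with SAN -> verify,
# done with plain openssl to show what easyrsa does and what to check afterwards.
# Paths, the lab CA subject and the hostnames below are constructed for the example.
set -eu

# Scratch directory standing in for /opt/easyrsa/pki on the cert server.
WORK="${WORK:-$(mktemp -d)}"

# Throwaway CA, the equivalent of "./easyrsa init-pki && ./easyrsa build-ca".
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Lab CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Key and CSR as generated on the target host ($1 = fqdn). The CSR carries
# only a CN; the SAN is added at signing time, as the page describes.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Sign the CSR with a server profile plus the given SAN list
# ($1 = fqdn, $2 = "DNS:name1,DNS:name2"), the equivalent of
# "./easyrsa --subject-alt-name=... sign-req server <name>".
sign_with_san() {
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' "$2" \
    > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# What a host with ca.crt in its trust store checks: does the leaf chain to the CA?
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Does the issued certificate carry the expected DNS SAN ($1 = fqdn, $2 = dns name)?
# The SAN line of the text dump is split on commas and matched as a whole item.
cert_has_san() {
  openssl x509 -in "$WORK/$1.crt" -noout -text 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qx "DNS:$2"
}

# Walk through the procedure with a constructed hostname.
make_ca
make_csr web.example.internal
sign_with_san web.example.internal "DNS:web.example.internal,DNS:web"
if verify_chain web.example.internal; then echo "certificate chains to the lab CA"; fi
if cert_has_san web.example.internal web; then echo "SAN DNS:web is present"; fi
if ! cert_has_san web.example.internal mail.example.internal; then echo "no SAN for mail"; fi
```

Run it on any box with openssl; the two checks at the end are the ones worth repeating on a real certificate before installing it, since a certificate that chains correctly but lacks the name the client connects to will still be rejected by modern TLS clients, which match the hostname against the SAN rather than the CN.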