1. Information

2. Root CA Certificate

2.1. Create

  • Make sure to use openssl version 3.0 or later.

  • Linux: Run sudo apt-get install openssl to get the openssl command.

  • Windows: Install Git for Windows to get the openssl.exe command and add C:\Program Files\Git\usr\bin to the Path system environment variable.

  • Type openssl version to check the openssl version.

  • Contents of the SMRU-Root-CA.cnf file.

    [ ca ]
    default_ca              = ca_default
    
    [ ca_default ]
    
    [ req ]
    distinguished_name      = req_distinguished_name
    req_extensions          = v3_req
    x509_extensions         = usr_cert
    prompt                  = no
    
    [ req_distinguished_name ]
    countryName             = TH
    stateOrProvinceName     = Tak
    localityName            = Mae Ramat
    organizationName        = SMRU/TBHF
    organizationalUnitName  = IT Department
    # Use "_" at the start of the common name to make it show up first.
    commonName              = _SMRU Root CA
    emailAddress            = smru-it@shoklo-unit.com
    
    [ usr_cert ]
    subjectKeyIdentifier    = hash
    authorityKeyIdentifier  = keyid:always
    basicConstraints        = critical,CA:TRUE

  • Enter the following commands at a Command Line or a Command Prompt.

    # Generate RSA private key.
    openssl genrsa -aes256 -out SMRU-Root-CA.key 4096
            # Enter the certificate level 1 password and press Enter.
            # Enter the certificate level 1 password and press Enter.
    
    # Generate a public CA certificate.
    openssl req -config SMRU-Root-CA.cnf -days 36524 -new -sha256 -x509 -key SMRU-Root-CA.key -out SMRU-Root-CA.pem
            # Enter the certificate level 1 password and press Enter.
    
    # Optional: View contents.
    openssl x509 -noout -text -in SMRU-Root-CA.pem

  • Store the SMRU-Root-CA.key file in KeePass Password manager.

  • Store the SMRU-Root-CA.pem file in KeePass Password manager.

  • Move the SMRU-Root-CA.key file to the T:\IT\Helpdesk\X509 Certificates folder.

  • Move the SMRU-Root-CA.pem file to the T:\IT\Helpdesk\X509 Certificates folder.

  • Make sure all .key and .pem files on the computer are deleted.
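Added example (not part of this runbook): the checks worth running on a freshly created root CA before its .key and .pem files are archived and deleted. It assumes openssl 1.1.1 or later and mktemp on PATH; the CA it builds is constructed for the example (2048-bit unencrypted key, CN "_Example Root CA") so that it runs offline. For the runbook's AES-256 key, add -passin pass:... to the openssl pkey call or let openssl prompt.

```shell
#!/bin/sh
# Added example, not the runbook's own code. Assumes openssl >= 1.1.1 and mktemp.
# The root CA below is constructed for the example (2048-bit unencrypted key);
# the runbook's real files are SMRU-Root-CA.key / SMRU-Root-CA.pem.
set -eu

# Build a throwaway root CA the same way the runbook does (config file + req -x509).
make_example_root() {                 # prints the directory holding root.key / root.pem
    d=$(mktemp -d)
    cat > "$d/root.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no

[ dn ]
countryName      = TH
organizationName = Example Org
commonName       = _Example Root CA

[ ca_ext ]
subjectKeyIdentifier = hash
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
EOF
    openssl genrsa -out "$d/root.key" 2048 >/dev/null 2>&1
    openssl req -config "$d/root.cnf" -new -x509 -sha256 -days 30 \
        -key "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
    echo "$d"
}

# 1. The private key must belong to the certificate: compare the public keys.
key_matches_cert() {                  # $1 = key file, $2 = certificate file
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 2. Without basicConstraints CA:TRUE nothing this certificate signs will validate.
is_ca_cert() {                        # $1 = certificate file
    openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'
}

# 3. A root must verify against itself: self-signed, signature intact.
is_self_signed() {                    # $1 = certificate file
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint to record with the KeePass entry and compare after deployment.
fingerprint() {                       # $1 = certificate file
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Runs all checks; prints OK, or FAIL naming the first check that did not pass.
check_root_ca() {                     # $1 = key file, $2 = certificate file
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; return 1; }
    is_ca_cert "$2"            || { echo "FAIL: basicConstraints CA:TRUE missing"; return 1; }
    is_self_signed "$2"        || { echo "FAIL: certificate does not verify against itself"; return 1; }
    echo OK
}

d=$(make_example_root)
check_root_ca "$d/root.key" "$d/root.pem"
fingerprint "$d/root.pem"
# A key that belongs to some other certificate must be rejected by the same check.
openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
check_root_ca "$d/other.key" "$d/root.pem" || true
rm -rf "$d"
```

Run it as a script, or source it and call check_root_ca SMRU-Root-CA.key SMRU-Root-CA.pem on the real files; the fingerprint is what to compare against certmgr.msc or openssl storeutl output after the root has been deployed.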

2.2. Deploy

2.2.1. Linux

  • Log in as smru on the tbhf-ops-mrm server.

  • Enter the following commands at a Command Line.

    sudo cp -a "/media/Teams/IT/Helpdesk/X509 Certificates/All/SMRU-Root-CA.pem" /usr/local/share/ca-certificates/SMRU-Root-CA.crt
    # Make sure to remove any previous certificates.
    sudo update-ca-certificates
    # Example output:
    2024-05-28 08:03:25 smru@tbhf-ops-mrm ~$ sudo update-ca-certificates
    Updating certificates in /etc/ssl/certs...
    rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
    15 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d...
    Processing triggers for ca-certificates-java (20230710~deb12u1) ...
    Adding debian:SMRU-Root-CA.pem
    Replacing debian:smru-sfw-hph_CA.pem
    Replacing debian:smru-sfw-mkt_CA.pem
    Replacing debian:smru-sfw-mku_CA.pem
    Replacing debian:smru-sfw-msl_CA.pem
    Replacing debian:smru-sfw-mst_CA.pem
    Replacing debian:smru-sfw-skk_CA.pem
    Replacing debian:smru-sfw-wpa_CA.pem
    Replacing debian:smru-sfw-hph_CA.pem
    Replacing debian:smru-sfw-mkt_CA.pem
    Replacing debian:smru-sfw-mku_CA.pem
    Replacing debian:smru-sfw-msl_CA.pem
    Replacing debian:smru-sfw-mst_CA.pem
    Replacing debian:smru-sfw-skk_CA.pem
    Replacing debian:smru-sfw-wpa_CA.pem
    done.
    done.
    # List installed certificates for openssl 1.1.0 and lower.
    openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt | openssl pkcs7 -print_certs -text -noout | grep Subject:
    
    # List installed certificates for openssl 1.1.1 and higher.
    openssl storeutl -noout -text -certs /etc/ssl/certs/ca-certificates.crt | grep Subject:

2.2.2. Windows

  • Enter the following commands at a Command Prompt with Administrative privileges.

    certutil.exe -addstore root "T:\IT\Helpdesk\X509 Certificates\SMRU-Root-CA.pem"

  • Add Friendly name.

    • Type certmgr.msc in a Command Prompt with Administrative privileges.

    • Select Certificates - Current User > Trusted Root Certification Authorities > Certificates.

    • Right-click the _SMRU Root CA certificate and select Properties.

    • Type the friendly name in the Friendly name field.

    • Click Apply.

    • Click OK.

3. Intermediate CA Certificate

4. Certificate Revocation Lists

4.1. Create

  • Add the crlDistributionPoints extension to the [ server_cert ] section of intermediate/openssl.cnf so that issued certificates point clients at the CRL.

    [ server_cert ]
    # ... snipped ...
    crlDistributionPoints = URI:http://example.com/intermediate.crl.pem

  • Enter the following commands at a Command Line or a Command Prompt.

    openssl ca -config intermediate/openssl.cnf -gencrl -out intermediate/crl/intermediate.crl.pem
    openssl ca -config intermediate/openssl.cnf -gencrl -out smru-crl.pem
    
    # Optional: View contents.
    openssl crl -in intermediate/crl/intermediate.crl.pem -noout -text
    
    # Revoke a Certificate.
    openssl ca -revoke newcerts/username.pem
    openssl ca -gencrl -out smru-crl.pem
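Added example (not part of this runbook): the openssl ca bookkeeping that -revoke and -gencrl above depend on (index.txt, serial, crlnumber and a filled-in [ ca_default ] section, which SMRU-Root-CA.cnf leaves empty), run end to end: issue two certificates, revoke one, regenerate the CRL, and show that openssl verify -crl_check rejects the revoked one and still accepts the other. It assumes openssl 1.1.1 or later and mktemp. The CA directory, the 2048-bit unencrypted keys and the names web-a / web-b are constructed for the example; the crlDistributionPoints URI is the one from the runbook's Ruckus file.

```shell
#!/bin/sh
# Added example, not the runbook's own code. Assumes openssl >= 1.1.1 and mktemp.
# Everything here is constructed for the example except the CRL URI, which is the
# runbook's (http://10.10.1.4/crl.pem, served from /var/www/html in section 4.2.1).
set -eu

# Create the CA directory layout and configuration; prints the directory.
setup_ca() {
    d=$(mktemp -d); mkdir "$d/newcerts"
    : > "$d/index.txt"            # certificate database, starts empty
    echo 1000 > "$d/serial"       # next certificate serial number (hex)
    echo 1000 > "$d/crlnumber"    # next CRL number (hex)
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = ca_default
[ ca_default ]
dir              = $d
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/root.pem
private_key      = \$dir/root.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
commonName = _Example Root CA
[ ca_ext ]
subjectKeyIdentifier = hash
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
[ server_ext ]
basicConstraints      = CA:FALSE
extendedKeyUsage      = serverAuth
crlDistributionPoints = URI:http://10.10.1.4/crl.pem
EOF
    openssl genrsa -out "$d/root.key" 2048 >/dev/null 2>&1
    openssl req -config "$d/ca.cnf" -new -x509 -sha256 -days 30 \
        -key "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
    echo "$d"
}

# Issue a server certificate through the CA database; prints its path.
issue_cert() {                        # $1 = CA dir, $2 = common name
    openssl genrsa -out "$1/$2.key" 2048 >/dev/null 2>&1
    openssl req -config "$1/ca.cnf" -new -sha256 -subj "/CN=$2" \
        -key "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
    openssl ca -config "$1/ca.cnf" -batch -notext -extensions server_ext \
        -in "$1/$2.csr" -out "$1/$2.pem" >/dev/null 2>&1
    echo "$1/$2.pem"
}

# Mark a certificate revoked in index.txt; the CRL itself changes only when gen_crl runs.
revoke_cert() {                       # $1 = CA dir, $2 = certificate path
    openssl ca -config "$1/ca.cnf" -revoke "$2" >/dev/null 2>&1
}

# Write a fresh CRL from the database; prints its path. Republish it at the
# crlDistributionPoints URI after every revocation, or clients never learn of it.
gen_crl() {                           # $1 = CA dir
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1
    echo "$1/crl.pem"
}

# Verify with CRL checking on; prints OK, REVOKED, or the verifier's error text.
verify_with_crl() {                   # $1 = CA dir, $2 = CRL path, $3 = certificate path
    out=$(openssl verify -crl_check -CAfile "$1/root.pem" -CRLfile "$2" "$3" 2>&1) \
        && { echo OK; return 0; }
    case "$out" in
        *"certificate revoked"*) echo REVOKED ;;
        *)                       echo "ERROR: $out" ;;
    esac
}

d=$(setup_ca)
a=$(issue_cert "$d" web-a)
b=$(issue_cert "$d" web-b)
crl=$(gen_crl "$d")
echo "before revocation: web-a=$(verify_with_crl "$d" "$crl" "$a")"
revoke_cert "$d" "$a"
crl=$(gen_crl "$d")
echo "after revocation:  web-a=$(verify_with_crl "$d" "$crl" "$a") web-b=$(verify_with_crl "$d" "$crl" "$b")"
rm -rf "$d"
```

The index.txt line for a revoked certificate starts with R and carries the revocation time, which is the record to keep alongside the published crl.pem.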

4.2. Deploy

4.2.1. Linux

  • Log in as smru on the tbhf-ops-mrm server.

  • Enter the following commands at a Command Line.

    sudo cp -a "/media/Teams/IT/Helpdesk/X509 Certificates/All/crl.pem" /var/www/html

4.2.2. Windows

  • Todo:

5. Server Certificates

5.1. Create

  • Enter the following commands at a Command Line or a Command Prompt.

    # Generate RSA private key.
    openssl genrsa -aes256 -out SMRU-APC-UPS.key 4096
    openssl genrsa -aes256 -out SMRU-Commscope-Ruckus-Access-Point.key 4096
    openssl genrsa -aes256 -out SMRU-HPE-Aruba-Switch.key 4096
    openssl genrsa -aes256 -out SMRU-ManageEngine-Endpoint-Central.key 4096
    openssl genrsa -aes256 -out SMRU-Simple-Web-Server.key 4096
    openssl genrsa -aes256 -out SMRU-Sophos-Firewall.key 4096
    openssl genrsa -aes256 -out SMRU-Ubiquiti-UniFi-Controller.key 4096
    openssl genrsa -aes256 -out SMRU-Ubiquiti-Wave.key 4096
    openssl genrsa -aes256 -out SMRU-Veeam-Backup-Enterprise-Manager.key 4096
            # Enter the certificate level 2 password and press Enter.
            # Enter the certificate level 2 password and press Enter.
    
    # Generate certificate signing request.
    # Use "_" at the start of the common name to make it show up first.
    openssl req -new -sha256 -subj "/CN=_SMRU-APC-UPS certificate" -key SMRU-APC-UPS.key -out SMRU-APC-UPS.csr
    # Ruckus: three subject variants are listed below; each one overwrites the same .csr file, so run only the one that applies.
    openssl req -new -sha256 -subj "/CN=_SMRU-Commscope-Ruckus-Access-Point certificate" -key SMRU-Commscope-Ruckus-Access-Point.key -out SMRU-Commscope-Ruckus-Access-Point.csr
    openssl req -new -sha256 -subj "/CN=guest.xxx.yyy.com" -key SMRU-Commscope-Ruckus-Access-Point.key -out SMRU-Commscope-Ruckus-Access-Point.csr
    openssl req -new -sha256 -subj "/CN=172.16.16.20" -key SMRU-Commscope-Ruckus-Access-Point.key -out SMRU-Commscope-Ruckus-Access-Point.csr
    openssl req -new -sha256 -subj "/CN=_SMRU-HPE-Aruba-Switch certificate" -key SMRU-HPE-Aruba-Switch.key -out SMRU-HPE-Aruba-Switch.csr
    openssl req -new -sha256 -subj "/CN=_SMRU-ManageEngine-Endpoint-Central certificate" -key SMRU-ManageEngine-Endpoint-Central.key -out SMRU-ManageEngine-Endpoint-Central.csr
    openssl req -new -sha256 -subj "/CN=_SMRU-Simple-Web-Server certificate" -key SMRU-Simple-Web-Server.key -out SMRU-Simple-Web-Server.csr
    openssl req -new -sha256 -subj "/CN=_SMRU-Sophos-Firewall certificate" -key SMRU-Sophos-Firewall.key -out SMRU-Sophos-Firewall.csr
    openssl req -new -sha256 -subj "/CN=_SMRU-Ubiquiti-UniFi-Controller certificate" -key SMRU-Ubiquiti-UniFi-Controller.key -out SMRU-Ubiquiti-UniFi-Controller.csr
    openssl req -new -sha256 -subj "/CN=_SMRU-Ubiquiti-Wave certificate" -key SMRU-Ubiquiti-Wave.key -out SMRU-Ubiquiti-Wave.csr
    openssl req -new -sha256 -subj "/CN=_SMRU-Veeam-Backup-Enterprise-Manager certificate" -key SMRU-Veeam-Backup-Enterprise-Manager.key -out SMRU-Veeam-Backup-Enterprise-Manager.csr
            # Enter the certificate level 2 password and press Enter.
    
    # Optional: View contents.
    openssl req -noout -text -in SMRU-APC-UPS.csr
    openssl req -noout -text -in SMRU-Commscope-Ruckus-Access-Point.csr
    openssl req -noout -text -in SMRU-HPE-Aruba-Switch.csr
    openssl req -noout -text -in SMRU-ManageEngine-Endpoint-Central.csr
    openssl req -noout -text -in SMRU-Simple-Web-Server.csr
    openssl req -noout -text -in SMRU-Sophos-Firewall.csr
    openssl req -noout -text -in SMRU-Ubiquiti-UniFi-Controller.csr
    openssl req -noout -text -in SMRU-Ubiquiti-Wave.csr
    openssl req -noout -text -in SMRU-Veeam-Backup-Enterprise-Manager.csr

  • Contents of the SMRU-APC-UPS.cnf file.

    extendedKeyUsage = serverAuth
    subjectAltName = @alt_section
    
    [alt_section]
    DNS.01 = SMRU-APC01
    DNS.02 = SMRU-APC02
    DNS.03 = SMRU-APC03
    DNS.04 = SMRU-APC04
    DNS.05 = SMRU-APC05
    DNS.06 = TBHF-APC06
    DNS.07 = TBHF-APC07
    DNS.08 = TBHF-APC08
    IP.01 = 10.10.1.27
    IP.02 = 10.10.1.28
    IP.03 = 10.10.1.29
    IP.04 = 10.10.1.30
    IP.05 = 10.10.1.31
    IP.06 = 10.10.1.231
    IP.07 = 10.10.1.232
    IP.08 = 10.10.1.233

  • Contents of the SMRU-Commscope-Ruckus-Access-Point.cnf file.

    # No [server_cert] header here: the signing command passes -extfile without -extensions,
    # so openssl x509 reads the unnamed default section, and a section header would leave
    # the certificate without these extensions.
    crlDistributionPoints=URI:http://10.10.1.4/crl.pem
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_section
    
    [alt_section]
    DNS.01 = AP-MGMT-IFACE
    DNS.02 = AP-188-01-MRM
    DNS.03 = AP-188-02-MRM
    DNS.04 = AP-188-03-MRM
    DNS.05 = AP-188-04-MRM
    DNS.06 = AP-188-05-MRM
    DNS.07 = AP-288-01-MRM
    DNS.08 = AP-288-02-MRM
    DNS.09 = AP-288-03-MRM
    DNS.10 = AP-288-04-MRM
    DNS.11 = AP-288-05-MRM
    DNS.12 = AP-288-01-MRL
    DNS.13 = AP-288-02-MRL
    DNS.14 = AP-188-01-MRS
    IP.01 = 172.16.16.20
    IP.02 = 172.16.16.21
    IP.03 = 172.16.16.22
    IP.04 = 172.16.16.23
    IP.05 = 172.16.16.24
    IP.06 = 172.16.16.25
    IP.07 = 172.16.16.26
    IP.08 = 172.16.16.27
    IP.09 = 172.16.16.28
    IP.10 = 172.16.16.29
    IP.11 = 172.16.16.30
    IP.12 = 172.16.16.31
    IP.13 = 172.16.16.32
    IP.14 = 172.16.16.33

  • Contents of the SMRU-HPE-Aruba-Switch.cnf file.

    extendedKeyUsage = serverAuth
    subjectAltName = @alt_section
    
    [alt_section]
    DNS.01 = TBHF-SW01-6200F-48G
    DNS.02 = TBHF-SW02-6100-48G
    DNS.03 = TBHF-SW03-6100-48G
    DNS.04 = TBHF-SW04-6100-48G
    DNS.05 = TBHF-SW05-6100-48G
    DNS.06 = TBHF-SW06-6200F-48G
    DNS.07 = SMRU-SW07-2530-48G
    DNS.08 = SMRU-SW08-2920-24G
    DNS.09 = TBHF-SW09-6000-12G
    DNS.10 = TBHF-SW10-2930F-24G
    IP.01 = 10.10.1.7
    IP.02 = 10.10.1.8
    IP.03 = 10.10.1.9
    IP.04 = 10.10.1.10
    IP.05 = 10.10.1.11
    IP.06 = 10.10.1.224
    IP.07 = 10.10.1.225
    IP.08 = 10.10.1.226
    IP.09 = 10.10.1.227
    IP.10 = 10.10.1.228

  • Contents of the SMRU-ManageEngine-Endpoint-Central.cnf file.

    extendedKeyUsage = serverAuth
    subjectAltName = @alt_section
    
    [alt_section]
    DNS.01 = SMRU-MEEC
    IP.01 = 10.10.1.14

  • Contents of the SMRU-Simple-Web-Server.cnf file.

    extendedKeyUsage = serverAuth
    subjectAltName = @alt_section
    
    [alt_section]
    DNS.01 = tbhf-ops-mrm
    DNS.02 = tbhf-tst-mrm
    DNS.03 = TBHFWS-IT01
    IP.01 = 10.10.1.4
    IP.02 = 10.10.1.5
    IP.03 = 10.10.1.95

  • Contents of the SMRU-Sophos-Firewall.cnf file.

    extendedKeyUsage = serverAuth
    subjectAltName = @alt_section
    
    [alt_section]
    DNS.01 = smru-sfw-mrm.smru.shoklo-unit.com
    DNS.02 = smru-sfw-mrh.smru.shoklo-unit.com
    DNS.03 = smru-sfw-tst.smru.shoklo-unit.com
    DNS.04 = smru-sfw-mkt.smru.shoklo-unit.com
    DNS.05 = smru-sfw-mla.smru.shoklo-unit.com
    DNS.06 = smru-sfw-wpa.smru.shoklo-unit.com
    DNS.07 = smru-sfw-msl.smru.shoklo-unit.com
    DNS.08 = smru-sfw-hph.smru.shoklo-unit.com
    DNS.09 = smru-sfw-skk.smru.shoklo-unit.com
    DNS.10 = smru-sfw-mku.smru.shoklo-unit.com
    IP.01 = 10.10.1.170
    IP.02 = 10.20.1.170
    IP.03 = 10.30.1.170
    IP.04 = 192.168.25.170
    IP.05 = 192.168.26.170
    IP.06 = 192.168.27.170
    IP.07 = 192.168.28.170
    IP.08 = 192.168.29.170
    IP.09 = 192.168.30.170
    IP.10 = 192.168.31.170
    IP.11 = 172.16.16.16

  • Contents of the SMRU-Ubiquiti-UniFi-Controller.cnf file.

    extendedKeyUsage = serverAuth
    subjectAltName = @alt_section
    
    [alt_section]
    DNS.01 = TBHF-OPS-MRM
    IP.01 = 10.10.1.4

  • Contents of the SMRU-Ubiquiti-Wave.cnf file.

    extendedKeyUsage = serverAuth
    subjectAltName = @alt_section
    
    [alt_section]
    DNS.01 = UBNT-e4:38:83:30:d3:83
    DNS.02 = UBNT-60:22:32:5f:82:e2
    IP.01 = 192.168.0.253
    IP.02 = 192.168.0.254

  • Contents of the SMRU-Veeam-Backup-Enterprise-Manager.cnf file.

    extendedKeyUsage = serverAuth
    subjectAltName = @alt_section
    
    [alt_section]
    DNS.01 = S-VPLUS01
    IP.01 = 10.10.1.24

  • Enter the following commands at a Command Line with root privileges.

    # Sign certificate with Private CA key.
    openssl x509 -days 36524 -req -sha256 -CA SMRU-Root-CA.pem -CAcreateserial -CAkey SMRU-Root-CA.key -in SMRU-APC-UPS.csr -out SMRU-APC-UPS.pem -extfile SMRU-APC-UPS.cnf
    openssl x509 -days 36524 -req -sha256 -CA SMRU-Root-CA.pem -CAcreateserial -CAkey SMRU-Root-CA.key -in SMRU-Commscope-Ruckus-Access-Point.csr -out SMRU-Commscope-Ruckus-Access-Point.pem -extfile SMRU-Commscope-Ruckus-Access-Point.cnf
    openssl x509 -days 36524 -req -sha256 -CA SMRU-Root-CA.pem -CAcreateserial -CAkey SMRU-Root-CA.key -in SMRU-HPE-Aruba-Switch.csr -out SMRU-HPE-Aruba-Switch.pem -extfile SMRU-HPE-Aruba-Switch.cnf
    openssl x509 -days 36524 -req -sha256 -CA SMRU-Root-CA.pem -CAcreateserial -CAkey SMRU-Root-CA.key -in SMRU-ManageEngine-Endpoint-Central.csr -out SMRU-ManageEngine-Endpoint-Central.pem -extfile SMRU-ManageEngine-Endpoint-Central.cnf
    openssl x509 -days 36524 -req -sha256 -CA SMRU-Root-CA.pem -CAcreateserial -CAkey SMRU-Root-CA.key -in SMRU-Simple-Web-Server.csr -out SMRU-Simple-Web-Server.pem -extfile SMRU-Simple-Web-Server.cnf
    openssl x509 -days 36524 -req -sha256 -CA SMRU-Root-CA.pem -CAcreateserial -CAkey SMRU-Root-CA.key -in SMRU-Sophos-Firewall.csr -out SMRU-Sophos-Firewall.pem -extfile SMRU-Sophos-Firewall.cnf
    openssl x509 -days 36524 -req -sha256 -CA SMRU-Root-CA.pem -CAcreateserial -CAkey SMRU-Root-CA.key -in SMRU-Ubiquiti-UniFi-Controller.csr -out SMRU-Ubiquiti-UniFi-Controller.pem -extfile SMRU-Ubiquiti-UniFi-Controller.cnf
    openssl x509 -days 36524 -req -sha256 -CA SMRU-Root-CA.pem -CAcreateserial -CAkey SMRU-Root-CA.key -in SMRU-Ubiquiti-Wave.csr -out SMRU-Ubiquiti-Wave.pem -extfile SMRU-Ubiquiti-Wave.cnf
    openssl x509 -days 36524 -req -sha256 -CA SMRU-Root-CA.pem -CAcreateserial -CAkey SMRU-Root-CA.key -in SMRU-Veeam-Backup-Enterprise-Manager.csr -out SMRU-Veeam-Backup-Enterprise-Manager.pem -extfile SMRU-Veeam-Backup-Enterprise-Manager.cnf
            # Type the certificate level 1 password and press Enter.
    
    # Optional: View contents.
    openssl x509 -noout -text -in SMRU-APC-UPS.pem
    openssl x509 -noout -text -in SMRU-Commscope-Ruckus-Access-Point.pem
    openssl x509 -noout -text -in SMRU-HPE-Aruba-Switch.pem
    openssl x509 -noout -text -in SMRU-ManageEngine-Endpoint-Central.pem
    openssl x509 -noout -text -in SMRU-Simple-Web-Server.pem
    openssl x509 -noout -text -in SMRU-Sophos-Firewall.pem
    openssl x509 -noout -text -in SMRU-Ubiquiti-UniFi-Controller.pem
    openssl x509 -noout -text -in SMRU-Ubiquiti-Wave.pem
    openssl x509 -noout -text -in SMRU-Veeam-Backup-Enterprise-Manager.pem
    
    # Optional: Show all generated files.
    dir SMRU-*
    
    # Store certificates.
    copy SMRU-APC-UPS.pem                                "T:\IT\Helpdesk\X509 Certificates"
    copy SMRU-Commscope-Ruckus-Access-Point.pem          "T:\IT\Helpdesk\X509 Certificates"
    copy SMRU-HPE-Aruba-Switch.pem                       "T:\IT\Helpdesk\X509 Certificates"
    copy SMRU-ManageEngine-Endpoint-Central.pem          "T:\IT\Helpdesk\X509 Certificates"
    copy SMRU-Simple-Web-Server.pem                      "T:\IT\Helpdesk\X509 Certificates"
    copy SMRU-Sophos-Firewall.pem                        "T:\IT\Helpdesk\X509 Certificates"
    copy SMRU-Ubiquiti-UniFi-Controller.pem              "T:\IT\Helpdesk\X509 Certificates"
    copy SMRU-Ubiquiti-Wave.pem                          "T:\IT\Helpdesk\X509 Certificates"
    copy SMRU-Veeam-Backup-Enterprise-Manager.pem        "T:\IT\Helpdesk\X509 Certificates"
    
    copy SMRU-APC-UPS.key                                "T:\IT\Helpdesk\X509 Certificates"
    copy SMRU-APC-UPS.insecure.key                       "T:\IT\Helpdesk\X509 Certificates"
    copy SMRU-Commscope-Ruckus-Access-Point.key          "T:\IT\Helpdesk\X509 Certificates"
    copy SMRU-Commscope-Ruckus-Access-Point.insecure.key "T:\IT\Helpdesk\X509 Certificates"
    copy SMRU-HPE-Aruba-Switch.key                       "T:\IT\Helpdesk\X509 Certificates"
    copy SMRU-ManageEngine-Endpoint-Central.key          "T:\IT\Helpdesk\X509 Certificates"
    copy SMRU-Simple-Web-Server.key                      "T:\IT\Helpdesk\X509 Certificates"
    copy SMRU-Sophos-Firewall.key                        "T:\IT\Helpdesk\X509 Certificates"
    copy SMRU-Ubiquiti-UniFi-Controller.key              "T:\IT\Helpdesk\X509 Certificates"
    copy SMRU-Ubiquiti-Wave.key                          "T:\IT\Helpdesk\X509 Certificates"
    copy SMRU-Ubiquiti-Wave.insecure.key                 "T:\IT\Helpdesk\X509 Certificates"
    copy SMRU-Veeam-Backup-Enterprise-Manager.key        "T:\IT\Helpdesk\X509 Certificates"

  • Make sure all .key and .pem files on the computer are deleted.
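Added example (not part of this runbook): a generator for the [alt_section] extension files written by hand above, followed by the same three steps as section 5.1 (key, CSR, openssl x509 -req with -extfile) and a check with openssl verify -verify_hostname / -verify_ip of what a browser will accept. It goes slightly beyond the runbook in that it takes any list of names and addresses. It assumes openssl 1.1.1 or later and mktemp; the root CA, the 2048-bit unencrypted keys and the certificate name "web" are constructed for the example, while the SAN entries are the ones from the SMRU-Simple-Web-Server.cnf file above.

```shell
#!/bin/sh
# Added example, not the runbook's own code. Assumes openssl >= 1.1.1 and mktemp.
# CA, keys and the name "web" are constructed; SAN entries are from SMRU-Simple-Web-Server.cnf.
set -eu

# Print an extension file for openssl x509 -extfile. Each argument becomes a SAN entry:
# dotted-quad IPv4 addresses become IP.nn, everything else DNS.nn, with the counters
# zero-padded like the runbook's files. IPv6 addresses are not handled.
make_extfile() {
    echo "extendedKeyUsage = serverAuth"
    echo "subjectAltName = @alt_section"
    echo ""
    echo "[alt_section]"
    ndns=0; nip=0
    for entry in "$@"; do
        case "$entry" in
            *[!0-9.]*|.*|*.|*..*) ndns=$((ndns + 1)); printf 'DNS.%02d = %s\n' "$ndns" "$entry" ;;
            *)                    nip=$((nip + 1));   printf 'IP.%02d = %s\n'  "$nip"  "$entry" ;;
        esac
    done
}

# Throwaway root CA, built as in section 2.1 (config file + req -x509).
make_root() {                         # $1 = working directory
    cat > "$1/root.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no

[ dn ]
commonName = _Example Root CA

[ ca_ext ]
subjectKeyIdentifier = hash
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
EOF
    openssl genrsa -out "$1/root.key" 2048 >/dev/null 2>&1
    openssl req -config "$1/root.cnf" -new -x509 -sha256 -days 30 \
        -key "$1/root.key" -out "$1/root.pem" >/dev/null 2>&1
}

# Key, CSR and signing: the same commands as section 5.1, SAN entries as arguments.
issue_server_cert() {                 # $1 = working directory, $2 = base name, $3.. = SAN entries
    wd=$1; name=$2; shift 2
    make_extfile "$@" > "$wd/$name.cnf"
    openssl genrsa -out "$wd/$name.key" 2048 >/dev/null 2>&1
    openssl req -config "$wd/root.cnf" -new -sha256 -subj "/CN=_$name certificate" \
        -key "$wd/$name.key" -out "$wd/$name.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -sha256 -CA "$wd/root.pem" -CAkey "$wd/root.key" -CAcreateserial \
        -in "$wd/$name.csr" -out "$wd/$name.pem" -extfile "$wd/$name.cnf" >/dev/null 2>&1
}

# What a browser checks: the chain to the CA and the name. Prints OK or FAIL.
check_name() {                        # $1 = working directory, $2 = base name, $3 = host name or IPv4
    case "$3" in
        *[!0-9.]*) opt=-verify_hostname ;;   # DNS entries match case-insensitively
        *)         opt=-verify_ip ;;         # IP entries only match when checked as an IP
    esac
    if openssl verify -CAfile "$1/root.pem" "$opt" "$3" "$1/$2.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

d=$(mktemp -d)
make_root "$d"
issue_server_cert "$d" web tbhf-ops-mrm TBHFWS-IT01 10.10.1.4 10.10.1.5
cat "$d/web.cnf"
openssl x509 -in "$d/web.pem" -noout -ext subjectAltName
for n in TBHF-OPS-MRM tbhfws-it01 10.10.1.4 10.10.1.99 other-host; do
    echo "$n: $(check_name "$d" web "$n")"
done
rm -rf "$d"
```

The last loop is the useful part to keep: a name or address that is not in the SAN list fails even though the certificate itself is valid, which is the browser warning the runbook's test in section 5.3 is meant to rule out.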

5.2. Deploy

5.3. Test

5.3.1. Linux

  • Log in as smru on the tbhf-ops-mrm server.

  • Contents of the simple-https-server-python3.py file.

    import http.server
    import ssl
    
    # Listen on all interfaces on port 8000; the commented alternatives are kept for reference.
    #server_address = ('localhost', 4443)
    #server_address = ('', 4443)
    server_address = ('', 8000)
    #server_address = ('', 443)
    httpd = http.server.HTTPServer(server_address, http.server.SimpleHTTPRequestHandler)
    # Server-side TLS context loaded with the signed certificate and its private key.
    # The key is AES-256 encrypted, so OpenSSL prompts for the level 2 password at start-up.
    ctx = ssl.SSLContext(protocol=ssl.PROTOCOL_TLS_SERVER)
    #ctx.load_cert_chain(certfile="server.pem", keyfile="key.pem")
    ctx.load_cert_chain(certfile="SMRU-Simple-Web-Server.pem", keyfile="SMRU-Simple-Web-Server.key")
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()

  • Enter the following commands at a Command Line with root privileges.

    scp -p Administrator@TBHFWS-IT01:SMRU-Simple-Web-Server.key .
    scp -p Administrator@TBHFWS-IT01:SMRU-Simple-Web-Server.pem .
    python3 simple-https-server-python3.py

  • Browse to https://10.10.1.4:8000 from a Windows computer.

  • Browse to https://tbhf-ops-mrm:8000 from a Windows computer.

  • Works for Google Chrome, Microsoft Edge and Mozilla Firefox.

5.3.2. Windows

  • Enter the following commands at a PowerShell prompt with Administrative privileges.

    # Import the server certificate into the local machine personal store.
    $Result = Import-Certificate -CertStoreLocation Cert:\LocalMachine\My -FilePath "SMRU-Simple-Web-Server.pem"
    
    # Start simple web server.
    Start-SimpleWebServer -Https -Port 8000 -ThumbPrint $Result.ThumbPrint