[CentOS] HTTPS certificates (off topic)

Thu Sep 29 15:40:47 UTC 2016
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Wed, September 28, 2016 10:40 pm, John R Pierce wrote:
> On 9/28/2016 5:46 PM, Jerry Geis wrote:
>> How do I get a valid certificate for a box that is behind a firewall and
>> does not have a DNS entry?
>> I was looking at letsencrypt.org but currently it looks like a valid DNS
>> entry is needed, which I don't have.
>> There is nothing special about my setup, it's just a box that is not
>> directly on the internet, no DNS entry, but I need HTTPS to run
>> correctly.
>> How do I generate a trusted certificate based on IP or something?
> Use most any PKI/SSL tool on the box to generate a certificate signing
> request (CSR), copy this small text file any way you want (copy/paste
> from a terminal session? put on a USB stick?) and send it to a
> certificate authority; they generate a signed certificate, you bring the
> resulting CRT back and import it into the server's key store.
> If this is HTTPS just for private use, you could run your own private
> root CA and sign your own certificates; it would simply be necessary to
> import your CA's public key into any browser that you want to trust the
> signed private keys.

To add small details to John's explanations:

1. To have a valid CA-signed certificate you do have to provide an FQDN
(Fully Qualified Domain Name), which should be on a real network. In your
case, when you have the server behind a NAT router with port forwarding, it
should be the public address of your router (most CA authorities will also
verify that you are the owner of said domain), as it will be that address
that a client from the real network will see as your server address.

2. If you will only be accessing the server from private IP address space,
then your server doesn't have a real FQDN; the best then would be to either
run your own CA as John said, or make a self-signed cert, and tell all
clients to trust that.

3. If it is accessed from both public and private IP space, then in
addition to doing 1, you will need to make sure that on the private IP
space the IP of your server is also resolved as having the public FQDN
(otherwise clients will complain that the presented certificate doesn't
belong to that server).

I hope this helps.


Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
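The "run your own CA" route from John's reply and points 2 and 3 above, worked through with openssl as an added example (this script is not part of the thread and not anything the posters ran). It builds a self-signed root, issues a server certificate whose subjectAltName lists both the public FQDN and the private IP, and then checks the result the way a client that trusts the root would. The CA name, the FQDN `www.example.test`, the address `192.168.1.10` and the work directory are hypothetical placeholders; substitute your own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a minimal private CA with
# openssl, issuing a server certificate valid for BOTH the public FQDN and the
# private IP, then verifying it as a trusting client would.
# All names/addresses below are hypothetical placeholders.
set -eu

CA_CN="Example Private CA"
SERVER_FQDN="www.example.test"   # hypothetical public name
SERVER_IP="192.168.1.10"         # hypothetical RFC 1918 address
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# 1. Self-signed root. basicConstraints CA:TRUE marks it as a CA; keyUsage
#    limits the root key to signing certificates and CRLs.
make_ca() {
    cat > "$WORKDIR/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = $CA_CN
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORKDIR/ca.cnf" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# 2. Server key + CSR, signed by the CA. The subjectAltName must list every
#    name clients will connect with: modern clients ignore the CN and match
#    the SAN only, and an address has to be given as IP:, not DNS:.
issue_server_cert() {
    cat > "$WORKDIR/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $SERVER_FQDN
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_FQDN, IP:$SERVER_IP
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORKDIR/server.cnf" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 \
        -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/server.cnf" -extensions v3_server \
        -out "$WORKDIR/server.crt" 2>/dev/null
}

# 3. What a client that trusts ca.crt concludes: chain check plus name match.
check_hostname() {  # returns 0 if server.crt is valid for DNS name $1
    openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "$1" \
        "$WORKDIR/server.crt" >/dev/null 2>&1
}
check_ip() {        # returns 0 if server.crt is valid for IP address $1
    openssl verify -CAfile "$WORKDIR/ca.crt" -verify_ip "$1" \
        "$WORKDIR/server.crt" >/dev/null 2>&1
}

issue_all() {
    make_ca
    issue_server_cert
}

demo() {
    issue_all
    check_hostname "$SERVER_FQDN" && echo "valid for $SERVER_FQDN"
    check_ip "$SERVER_IP"         && echo "valid for $SERVER_IP"
    check_hostname "other.example.test" || echo "rejected for other.example.test (as it should be)"
    echo "distribute to clients as a trust anchor: $WORKDIR/ca.crt"
}

demo
```

Only `ca.crt` leaves the box; `ca.key` stays offline, since whoever holds it can issue certificates for any name your clients trust. On a CentOS client the anchor goes into `/etc/pki/ca-trust/source/anchors/` followed by `update-ca-trust`; browsers with their own store (Firefox) need a separate import. The IP entry in the SAN is what makes point 3 unnecessary when you control the CA: a public CA will not put a private (RFC 1918) address or an internal name into a certificate, which is why the public-CA route needs the public FQDN to resolve on the private side too.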