Comment

Comment on issues setting up nginx as an https proxy

N0x0n@lemmy.ml ⁨6⁩ ⁨days⁩ ago

(Thanks to darkan15 for explaining that).

I have to look at his answer to have a better understanding :P

The diagram would be useful. Considering that rn I’m losing my mind between man pages.

I’m working on it right now :) I’m a bit overwhelmed with my own LAN setup, and trying to get some feedback from other users :P

As for the book… I can’t accept. Just give me the name/ISBN and I’ll provide myself. Still. Thanks for the offer.

Good. If you have the money to spare please pay for it otherwise you know the drill :) (Myself I’m not able to pay the author so it’s kinda hypocrite on my end… But doing some publicity is also some kind of help I guess?)

Demystifying Cryptography with OpenSSL 3 . 0 by Alexei Khlebnikov <packt>

ISBN: 978-1-80056-034-5

It’s very well written, even as a non-native it was easy to follow :). However, let me give you something along the road, something that will save you hours of looking around the web :) !

Part 5, Chapter 12: Running a mini-CA is the part you’re interested in and that’s the part I used to create my server certificates.

HOWEVER: When he generates the private keys, he uses the ED448 algorithm, which is not going to work for SSL certificates because not a single browser accepts them right now (same thing goes for Curve25519). Long story short, If you don’t want to depend on NIST curves (NSA) fall back to RSA in your homelab ! If you are interested in that story go to p123:

Brainpool curves are proposed by the Brainpool workgroup, a group of cryptographers that were dissatisfied with NIST curves because **NIST curves were not verifiably randomly generated, so they may have intentionally or accidentally weak security. **

Here is a working example for your certificates:

Book:

$ mkdir private
$ chmod 0700 private
$ openssl genpkey \
    -algorithm ED448 \
    -out private/root_keypair.pem

But should be:

$ mkdir private
$ chmod 0700 private
$ openssl genpkey \
    -algorithm RSA \
    -out private/root_keypair.pem

You have to use RSA or whatever curve you prefer but accepted by your browser for EVERY key you generate !

Other than that, it’s a great reading book :) And good study material for cryptography introduction !

source

Sort:hotnew top

brokenlcd@feddit.it ⁨6⁩ ⁨days⁩ ago
i’m not sure if it’s equivalent. but in the meantime i have cobbled up a series of commands from various forums to do the whole process, and i came up with the following openssl commands.

openssl genrsa -out servorootCA.key 4096 openssl req -x509 -new -nodes -key servorootCA.key -sha256 -days 3650 -out servorootCA.pem openssl genrsa -out star.servo.internal.key 4096 openssl req -new -key star.servo.internal.key -out star.servo.internal.csr openssl x509 -req -in star.servo.internal.csr -CA servorootCA.pem -CAkey servorootCA.key -CAcreateserial -out star.servo.internal.crt -days 3650 -sha256 -extfile openssl.cnf -extensions v3_req

with only the crt and key files on the server, while the rest is on a usb stick for keeping them out of the way.

hopefully it’s the same. though i’ll still go through the book out of curiosity… and come to think of it. i do also need to setup calibre :-).

thanks for everything. i’ll have to update the post with the full solution after i’m done, since it turned out to be a lot more messy than anticipated…
source
- N0x0n@lemmy.ml ⁨6⁩ ⁨days⁩ ago
  This is indeed similar ! And looks like a working certificate :) (You even use as .csr file).
  
  The book adds something (Not very useful but kinda neat to have): a certificate revocation setup and an IntermediateCA signed by your rootCA. So you can keep your rootCA out of your system :)
  
  source