On 03/05/18 06:34, Nicolas Kovacs wrote:
> On 05/03/2018 at 13:30, Nux! wrote:
>> You could probably just drop your CA cert in the filesystem and run a
>> couple of commands to get it imported, rather than having to import
>> the CA in the browsers individually. You could probably deliver it
>> via yum/rpm or better yet, ansible or even some shell script.
>
> I will have to use this in environments with mainly Windows, OS X and
> iOS clients. I'm still thinking about how to do this, but I guess I'll
> just set up a local web page on the server, with a link to download the
> certificate file and short instructions on how to install it on the most
> common browsers (Internet Explorer, Edge, Firefox, Chrome, Safari, ...).

Sorry, I missed the beginning of this thread. This sounds to me like running one's own Certification Authority. I did that a while ago for over a decade. However, these days one may consider

https://letsencrypt.org/

- you will have to run a web server to have a certificate signed by them, but pointing other services to use that same certificate/secret key pair will work.

Just my $0.02

Valeri

> Niki

--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
Once upon a time, Valeri Galtsev <galtsev at kicp.uchicago.edu> said:
> https://letsencrypt.org/
>
> - you will have to run a web server to have a certificate signed by
> them

Not necessarily - we do most of our Let's Encrypt validation with DNS rather than HTTP.
--
Chris Adams <linux at cmadams.net>
The certificate should have *CA:true* set to act as a CA for dynamic signing of certificates by Squid. Most probably, Let's Encrypt will ignore this constraint in the CSR.

2018-03-05 12:33 GMT-03:00 Chris Adams <linux at cmadams.net>:
> Once upon a time, Valeri Galtsev <galtsev at kicp.uchicago.edu> said:
> > https://letsencrypt.org/
> >
> > - you will have to run a web server to have a certificate signed by
> > them
>
> Not necessarily - we do most of our Let's Encrypt validation with DNS
> rather than HTTP.
> --
> Chris Adams <linux at cmadams.net>
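An added example, not code posted in this thread, tying together Nux's "drop the CA cert in the filesystem and run a couple of commands" and the CA:true requirement above: it creates a local CA whose certificate carries basicConstraints CA:TRUE, issues a leaf certificate for an internal name such as server.company.lan that deliberately does not, checks the flag before the CA is handed out, and shows the CentOS/RHEL trust-store import. It assumes openssl is installed; the directory, names and the `company.lan` hostname are hypothetical.

```shell
#!/bin/sh
# Added example: local CA with CA:TRUE, a non-CA leaf cert, a check of the
# flag, and the CentOS trust-store import. Assumes openssl; paths hypothetical.
set -eu

# Create ca.key/ca.crt in $1 with CA:TRUE and certificate-signing key usage.
make_local_ca() {
    dir="$1"; cn="${2:-Local CA}"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $cn
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Issue a server certificate for hostname $2 signed by the CA in $1.
# The leaf carries CA:FALSE so it can never be misused to sign further certs.
make_leaf_cert() {
    dir="$1"; cn="$2"
    printf 'basicConstraints = critical, CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$cn" > "$dir/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -config "$dir/ca.cnf" -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/leaf.ext" \
        -out "$dir/$cn.crt" 2>/dev/null
}

# Return 0 only if the certificate in $1 asserts CA:TRUE (check this before
# distributing the CA, and check leaf certs do NOT pass).
is_ca_cert() {
    txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null)
    case "$txt" in *CA:TRUE*) return 0 ;; *) return 1 ;; esac
}

# Import the CA into the system trust store on CentOS/RHEL (run as root on
# each Linux client); browsers with their own store (e.g. Firefox) still need
# the certificate added separately, as the thread discusses.
install_ca_centos() {
    cp "$1" /etc/pki/ca-trust/source/anchors/
    update-ca-trust extract
}
```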
On 05/03/2018 at 16:30, Valeri Galtsev wrote:
> Sorry, I missed the beginning of this thread. This sounds to me like
> running one's own Certification Authority. I did that a while ago for
> over a decade. However, these days one may consider
>
> https://letsencrypt.org/
>
> - you will have to run a web server to have a certificate signed by them,
> but pointing other services to use that same certificate/secret key pair
> will work.

I do use LetsEncrypt for all my public certificates. But I can't use it on a local machine with a hostname like server.company.lan. This is simply not possible.

Niki

--
Microlinux - Sustainable IT solutions
7, place de l'Église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tel. : 04 66 63 10 32
On 03/05/18 10:21, Nicolas Kovacs wrote:
> On 05/03/2018 at 16:30, Valeri Galtsev wrote:
>> Sorry, I missed the beginning of this thread. This sounds to me like
>> running one's own Certification Authority. I did that a while ago for
>> over a decade. However, these days one may consider
>>
>> https://letsencrypt.org/
>>
>> - you will have to run a web server to have a certificate signed by them,
>> but pointing other services to use that same certificate/secret key pair
>> will work.
>
> I do use LetsEncrypt for all my public certificates. But I can't use it
> on a local machine with a hostname like server.company.lan. This is
> simply not possible.

Yes, it is not. They do verify on a publicly accessible server that that host is the one you have access to, and certainly no CA authority will sign a certificate for private address space. I missed the beginning of the thread, which was edited away from what I was replying to...

Valeri

> Niki