Server Certificates - Self Signed and LetsEncrypt Certificates for the LAN
Ғылым және технология
How to use Certificates in the LAN? What are our options? We can use self-signed certificates, but we can also use public Let's Encrypt Certificates LOCALLY - in the LAN. In this video we will look at the options such as self-signed CA and Certificates, Let's Encrypt Server Certificates and Wildcard Certificates
The XCA Tool can be obtained here: hohnstaedt.de/xca/
More Info on my Cheat Sheet Repo here: github.com/onemarcfifty/cheat...
0:00 LAN certificate options
0:49 self-signed CA and Certs
1:42 create a CA with XCA
2:03 create a signed Server certificate
3:07 exporting certificates and keys
4:46 distributing the certificates
7:11 how to use LetsEncrypt certificates in the LAN
9:35 Letsencrypt Wildcard Certificates in the LAN
KZread: / onemarcfifty
Twitter: / onemarcfifty
Discord: / discord
Github: github.com/onemarcfifty
Patreon: / onemarcfifty
Blog: www.onemarcfifty.com
Пікірлер: 54
This should have a ton more likes than it does. Not many on KZread have ever explained it like this before. Great job!
@OneMarcFifty
Жыл бұрын
Hi Brian, that’s very kind - thank you very much
Thanks Marc! The way you explain the thing is excellent!
I love how well you explained everything. Thank you.
Let's Encrypt is a fantastic project! It definitely makes the internet more accessible and secure for hobbyists webmasters. Very good explanation by the way!
@OneMarcFifty
Жыл бұрын
Agreed - and many thanks ;-)
Waoo. The first video that explains me how let’sencrypt ask DNS for verification. This video is for newest like me. Thanks
Very nice and very clear explanation around letsencrypt. Thank you. Deserves a lot more likes.
congratulations for sharing info about certificate transparency program; many people are not aware about it, and some will have a big unpleasant surprise one day (hostnames disclosure, funny "test" dns names etc.)
@OneMarcFifty
Жыл бұрын
Hi Alex, thank you very much - one could probably talk for hours about the impacts and side effects of certificates, TLS, trusts, chains and so on ;-) But when I read about the Cert Transparency, I thought - hmmm ... If you get a cert for host1, host2... then you probably have a host 3 ;-)
Very nicely explained. Thanks a lot for your efforts.
That application/database program I am using ever since, its awesome. Thank you.
Extremely helpful video series, thank you!
His explanations are the best
Very interesting. Especially using a free wildcard cert locally. Thanks a lot!
@OneMarcFifty
Жыл бұрын
Hi, many thanks for the feedback ;-)
I can only confirm my comment on part 1. Good job, Marc.
@OneMarcFifty
Жыл бұрын
MAny thanks Gabriele ;-)
Thank you for this Marc. This is a big help for me :)
@OneMarcFifty
Жыл бұрын
Glad to hear that! Thank you!
I did not realize you can use the wildcard certs like this in LAN. Good idea...
@OneMarcFifty
Жыл бұрын
Hi Robert, yeah - I discovered that when I tried to segregate my VLANs using a reverse proxy ;-)
Thank you very much for your great explanation.
Thank you. You explained that very well.
GREAT Video, GREAT to say the least
Great video!
Thanx Marc! I personally found the best option to automate let's encrypt wildcard cers is to maintain your own dns servers. It allow you to make any number of subdomains with DNSSEC and all the stuff.
@OneMarcFifty
Жыл бұрын
Hi Sergey, that's definitely a good option.It does have side-effects though (such as opening access to port 53 and the like)
@_r00f
Жыл бұрын
@@OneMarcFifty I have 1 master and 2 slave dns. Master local, slaves on external servers. In the domain zone NS servers - only slaves. The master dns has port 53 open only for the ip addresses of the slave dns servers.
@OneMarcFifty
Жыл бұрын
Oh that makes total sense - perfect, thanks for sharing!
@killer2600
3 ай бұрын
@@_r00f I'd like to introduce you to cloudflare.
very nice,thank you
@OneMarcFifty
Жыл бұрын
Thank you ;-)
Very nice and idiot proof explanation. Thank you.
@OneMarcFifty
Жыл бұрын
Hi Bruno, thank you very much for your feedback!
Great video Marc, always extremely informative thank you!!! Would you ever consider revisiting the BATMAN protocol in depth? Such as with DSA architecture or APs with no built in switch?
@OneMarcFifty
Жыл бұрын
Hi Alex, many thanks. I am currently working on an episode on how to build a router with the Raspberry Pi - with regards to the question how to do VLANs without a switch. But your question inspires me to maybe do a separate episode altogether, as there are mutiple ways of doing VLANs on devices with or without switches. I might talk about BATMAN in those as well. Thanks again.
Thanks! 👍
Thanks!
@OneMarcFifty
Жыл бұрын
You're welcome - thanks for he feedback!
Thank you very much for this video. Is it possible to run this XCA program in Docker Container? What would be the best option, in terms of security?
Interesting, great content! I happen to use the same webspace-provide like you, but I have enabled 2FA with an authenticator-app. Do you see any chance then still to do automation?
Thank you for the video ! does the wildcard option allow me to use short names without a warning ? I'm using step-ca for my homelab to automatically provides certificates for my servers
@OneMarcFifty
Жыл бұрын
Hi Vincent. No - you will still need FQDN with these.
do you have a video explains in details about wildcard certificate ?
I'm really interested in your automation certbot script. How did you read the string for the txt record given by certbot?
@OneMarcFifty
Жыл бұрын
If you check github.com/onemarcfifty/cheat-sheets/blob/main/Certificates/ansible-playbooks/auth_hook.py then you can see that the value comes from the environment variables CERTBOT_VALIDATION and CERTBOT_DOMAIN which are set by the certbot command.
I agree with@BrianThomas - never seen anything like this before - well done sir. I wonder if you would be able to cover the X.509 certification in terms of STM32 Mbed RTOS terms of usage. I.e., would the xca tool be able to support the lwIP embedded server httpd deamon on STM32 processors. Also how can the x.509 certification be implemented on production runs of hundreds or thousands of boxes. Would every box require a seperate certificate etc. in case the vendor does not use a different private key for each product sold would the public key holders be able to hack other customers products. This is a very unclear area of discussion regarding this type of certification. Please give us your thoughts on this topic sir. Thanks
So no way to get lets encrypt certificate for internal domain other than creating own CA?
can i share my x 509 .pem certificate to my teammate? what happens if .pem certificate is publicly exposed??
how could we include our RootCA into browser by default. meaning we don't have to manually import.
@killer2600
3 ай бұрын
You'd have to become an industry trusted certificate authority. Considering a CA can issue certificates for any domain and browsers will consider them valid, trust isn't taken lightly or given easily. The average joe will never be given this level of trust by the industry as a whole.