My-Lab
Windows Server Certificate Authority

Step 1: Set Up Your AD CS Root Certificate Authority

If not already done, ensure your AD server has Active Directory Certificate Services (AD CS) installed and configured as a Root CA.

  1. Export the Root CA Certificate:
    • Open the Certification Authority tool on the AD server.
    • Right-click your CA, select Properties > View Certificate.
    • Export the certificate as a Base-64 encoded .crt file (e.g., rootCA.crt).

Step 2: Distribute the Root CA Certificate to Your Devices

To eliminate browser warnings, your devices must trust the root CA. This involves importing the root CA certificate on all devices, including Ubuntu servers and client machines.

For Ubuntu Devices:

  1. Transfer the Root CA Certificate to the Ubuntu Server:

    • Copy the rootCA.crt file to your Ubuntu server:
      scp rootCA.crt username@ubuntu:/tmp/
  2. Install the Root CA Certificate:

    • Move the certificate to the trusted directory:
      sudo cp /tmp/rootCA.crt /usr/local/share/ca-certificates/
    • Update the system's trusted certificates:
      sudo update-ca-certificates
    • Verify the certificate installation:
      ls /etc/ssl/certs | grep rootCA
  3. Test Browser Trust:

    • Access the Ubuntu server from a browser using its FQDN (e.g., https://ubuntu24.lab.local). The warning should no longer appear.

For Windows and Other Client Devices:

  1. Copy the rootCA.crt file to the client machine.

  2. Open the Certificates MMC:

    • Run mmc.exe.
    • Add the Certificates snap-in for the Local Computer account.
    • Navigate to Trusted Root Certification Authorities > Certificates.
    • Right-click, select All Tasks > Import, and import rootCA.crt.
  3. Test the connection to the Ubuntu server in a browser.

Step 3: Generate and Install an SSL Certificate on the Ubuntu Server

Once the root CA is trusted, you need a server certificate for the Ubuntu server signed by the AD CS.

On the Ubuntu Server:

  1. Generate a Private Key and CSR:

    • Generate a private key:
      openssl genrsa -out ubuntu24.key 2048
    • Generate a CSR (ensure the CN matches the FQDN):
      openssl req -new -key ubuntu24.key -out ubuntu24.csr
      Example input for the CSR prompt:
      Country Name (2 letter code): US
      State or Province Name (full name): YourState
      Locality Name (eg, city): YourCity
      Organization Name (eg, company): YourCompany
      Organizational Unit Name (eg, section): IT
      Common Name (e.g., server FQDN): ubuntu24.lab.local
      Email Address: admin@yourdomain.com
  2. Submit the CSR to AD CS:

    • Transfer the ubuntu24.csr file to the AD server:
      scp ubuntu24.csr username@ad-server:/path/to/save/
    • Open the AD CS web enrollment page:
      http://<AD-Server-IP>/certsrv
    • Select Request a Certificate > Advanced Certificate Request.
    • Paste the contents of ubuntu24.csr into the form.
    • Select the Web Server certificate template.
    • Download the issued certificate (ubuntu24.crt) in Base-64 encoded format.
  3. Transfer the Signed Certificate Back to Ubuntu:

    scp username@ad-server:/path/to/ubuntu24.crt /tmp/
  4. Install the Certificate on the Ubuntu Server:

    • Copy the certificate and the private key to the SSL directory (the key is still in the directory where Step 3.1 generated it, not in /tmp):
      sudo cp /tmp/ubuntu24.crt /etc/ssl/private/
      sudo cp ubuntu24.key /etc/ssl/private/

Step 4: Verify the Certificate and Key

Ensure that the certificate and private key match and are properly configured.

  1. Check the Modulus of the Certificate and Key:

    • Extract the modulus from the certificate:
      openssl x509 -noout -modulus -in /etc/ssl/private/ubuntu24.crt | openssl md5
    • Extract the modulus from the private key:
      openssl rsa -noout -modulus -in /etc/ssl/private/ubuntu24.key | openssl md5
    • Compare the outputs of both commands. They must match. If they don't, the certificate and key are mismatched, and you need to re-issue the certificate.
  2. Verify the Certificate Details:

    openssl x509 -in /etc/ssl/private/ubuntu24.crt -text -noout
  3. Test SSL Connectivity Using OpenSSL:

    openssl s_client -connect ubuntu24.lab.local:443
    Check the Verify return code line at the end of the output: 0 (ok) means the server certificate chained to the root CA installed in Step 2.
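As an added example that is not part of the original notes, the script below ties Steps 3 and 4 together: it generates the key and CSR non-interactively with the same subject as the prompt answers, uses a self-signed certificate as a constructed stand-in for the AD CS-issued ubuntu24.crt, and wraps the modulus comparison from Step 4 in a function that also rejects an unrelated key. The CSR additionally carries the FQDN as a Subject Alternative Name, because current browsers validate the hostname against the SAN rather than the CN.

```shell
#!/bin/sh
# Added example, not from the original lab notes. The self-signed certificate
# stands in for the AD CS-issued ubuntu24.crt so that the script runs offline.
set -eu

FQDN="ubuntu24.lab.local"               # lab hostname assumed from the notes
WORK="${TMPDIR:-/tmp}/adcs-demo.$$"     # scratch directory, removed on exit
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Step 3.1, non-interactive: 2048-bit RSA key plus a CSR whose subject matches
# the prompt answers in the notes. -addext also places the FQDN in the
# subjectAltName extension, which browsers check instead of the CN.
gen_key_and_csr() {
  openssl genrsa -out "$WORK/ubuntu24.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/ubuntu24.key" -out "$WORK/ubuntu24.csr" \
    -subj "/C=US/ST=YourState/L=YourCity/O=YourCompany/OU=IT/CN=$FQDN" \
    -addext "subjectAltName=DNS:$FQDN"
}

# Step 4.1 as a function: succeed only when the certificate was issued for the
# key in $2. The modulus hashes are what the notes compare; the second check
# compares the full public key, which also works for non-RSA keys.
cert_matches_key() {
  cert="$1"; key="$2"
  [ "$(openssl x509 -noout -modulus -in "$cert" | openssl md5)" = \
    "$(openssl rsa  -noout -modulus -in "$key"  | openssl md5)" ] || return 1
  [ "$(openssl x509 -noout -pubkey -in "$cert")" = \
    "$(openssl pkey -pubout -in "$key")" ]
}

# Succeed when the certificate's SAN lists the DNS name in $2.
cert_has_san() {
  openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

gen_key_and_csr
# Constructed stand-in for the AD CS Web Server template: self-sign the CSR
# and carry the SAN over into the certificate.
printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$WORK/san.ext"
openssl x509 -req -in "$WORK/ubuntu24.csr" -signkey "$WORK/ubuntu24.key" \
  -days 30 -extfile "$WORK/san.ext" -out "$WORK/ubuntu24.crt" 2>/dev/null
# An unrelated key reproduces the "Mismatched Modulus" troubleshooting case.
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

cert_matches_key "$WORK/ubuntu24.crt" "$WORK/ubuntu24.key" && echo "key matches"
cert_matches_key "$WORK/ubuntu24.crt" "$WORK/other.key" || echo "other.key rejected"
```

Point cert_matches_key at /etc/ssl/private/ubuntu24.crt and ubuntu24.key to run the same check against the certificate AD CS actually issued.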

Cheat Sheet

Key Commands:

  • Generate private key:
    openssl genrsa -out ubuntu24.key 2048
  • Generate CSR:
    openssl req -new -key ubuntu24.key -out ubuntu24.csr
  • Install Root CA Certificate:
    sudo cp rootCA.crt /usr/local/share/ca-certificates/
    sudo update-ca-certificates
  • Verify the certificate matches the key:
    openssl x509 -noout -modulus -in /etc/ssl/private/ubuntu24.crt | openssl md5
    openssl rsa -noout -modulus -in /etc/ssl/private/ubuntu24.key | openssl md5
  • View certificate details:
    openssl x509 -in /etc/ssl/private/ubuntu24.crt -text -noout

Troubleshooting

  1. Certificate Warnings Still Appear:

    • Ensure the root CA certificate is installed and trusted on all client devices.
    • Confirm the certificate's Common Name (CN) matches the server's FQDN.
  2. Mismatched Modulus:

    • If the modulus of the certificate and key do not match, regenerate the private key and CSR, then reissue the certificate from the AD CS.
  3. DNS Resolution Issues:

    • Verify the A record in the AD DNS server and test with:
      nslookup ubuntu24.lab.local
  4. SSL Handshake Issues:

    • Test with OpenSSL:
      openssl s_client -connect ubuntu24.lab.local:443
    • Check the Verify return code line: "unable to get local issuer certificate" means the root CA from Step 2 is not trusted on the machine running the test. A CN that does not match the FQDN shows up as a hostname warning in the browser rather than in the s_client output.