GnuTLS config for my own root CA, for use on internal server
I am trying to generate my own root CA certificate.
Context
My goal is to sign an intermediate CA with this certificate, and then install the intermediate CA on my own client machines. The intermediate CA will be used to sign a server on my private LAN. The server has no inbound route and cannot be seen from the public internet. I use the server to run my own personal services for my family.
Code (config)
I use gnutls with the following config:
# https://gnutls.org/manual/html_node/certtool-Invocation.html#certtool-Invocation
# These don't actually exist but I assume it doesn't matter
cn = "nosuchdomain.com"
organization = FakeCompanyName
country = US
state = California
locality = "San Francisco"
expiration_days = 3650
dns_name = "nosuchdomain.com"
ca
cert_signing_key
The command to generate is:
certtool \
--generate-self-signed \
--load-privkey /path/to/private/key \
--template /path/to/config \
--ask-pass \
--outfile /path/to/root/cert
Review goals
My goal is to create my own root CA for the purpose of setting up TLS on my own server that is only accessible from my own LAN. I will not have clients install this root CA; rather, it will be used to create an intermediate CA that is not self-signed and is restricted to certain domains.
Is there anything I should change in this config, whether to avoid bugs or to be more aligned with best practices?
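As an added example (not code from the post or from GnuTLS), a small linter for certtool template files that encodes the points a reviewer would raise for a two-tier private CA: no server-only options such as dns_name on a CA certificate, a path length limit on the root, and path_len = 0 plus nc_permit_dns name constraints on an intermediate that is meant to be restricted to certain domains. The keyword names are real certtool template options; the two template bodies are constructed samples.

```python
# Added example, not the post's code: lint certtool templates for a two-tier CA.
# Keyword names are real certtool template options; both samples are constructed.
POSTED_ROOT = '''
cn = "nosuchdomain.com"
organization = FakeCompanyName
dns_name = "nosuchdomain.com"
ca
cert_signing_key
'''  # abridged copy of the root template from the post

# Intermediate that signs leaf certs only (path_len = 0) and only for names
# under the permitted domain (nc_permit_dns), matching the post's stated goal.
HARDENED_INTERMEDIATE = '''
cn = "Home Intermediate CA"
ca
cert_signing_key
crl_signing_key
path_len = 0
nc_permit_dns = "home.example"
'''

def parse_template(text):
    """Map each option to its list of values; bare flags such as 'ca' map to []."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            opts.setdefault(key, []).append(val.strip('"'))
        else:
            opts.setdefault(line, [])
    return opts

def lint(text, role):
    """Return review findings for a template meant for 'root' or 'intermediate'."""
    o, findings = parse_template(text), []
    for flag in ("ca", "cert_signing_key"):
        if flag not in o:
            findings.append(f"missing {flag}: certificate cannot act as a CA")
    for leaf_only in ("dns_name", "tls_www_server", "encryption_key"):
        if leaf_only in o:
            findings.append(f"{leaf_only} is a server-cert option; drop it from a CA template")
    if role == "intermediate" and o.get("path_len") != ["0"]:
        findings.append("intermediate should set path_len = 0 (leaf certs only)")
    elif "path_len" not in o:
        findings.append("path_len unset: depth of CAs below this one is not limited")
    if role == "intermediate" and "nc_permit_dns" not in o:
        findings.append("nc_permit_dns unset: intermediate not restricted to your domains")
    return findings
```

Run `lint(POSTED_ROOT, "root")` to see the two findings for the template as posted; the hardened intermediate sample returns none.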