[cisco-voip] let's encrypt for local admin gui pages
Doug McIntyre
merlyn at geeks.org
Wed Sep 27 12:29:53 EDT 2017
On Wed, Sep 27, 2017 at 02:31:12PM +0000, Lelio Fulgenzi wrote:
> The hardest part was finding some decent instructions on how to do so. Apparently, when a private signed certificate is generated and granted it's available for download from the link presented during the process and there's no easy way to find an inventory of generated certificates!
The Windows CA service implements access via several different methods, a
web portal, a command line option, and an API. Machines in a Windows AD
can request services from the CA server via whatever way.
Since there are several ways of doing things in Windows, it all
depends on what you are doing, as to what the instructions are.
If you are doing things by hand, typically you would be using the web
portal. I find the easiest workflow for me is to have a secure area
set aside to store all the stuff going in and out. My process
typically has the keypair and certificate signer request being done by
hand with OpenSSL, although you can use certtool if you really want.
Then I pass the CSR into the windows CA and get back the signed response,
saving each part along the way rather than being on the fly.
It should be noted the CA server never stores private key-pairs itself, and
basicly is really as it says, it signs the request and hands it back to you.
If you lose the private key, you can't recover it form the CA. If you let the
web portal have your web browser generate a key-pair and CSR, then you are
going to have to go dig that information out of wherever your web browser
stashed it (different for every single one). Its best to start with you
generating it specificly and stashing the files securely where you can access them.
You can easily see all the Issued Certificates from the Certificate
Authority MMC plugin. (eg. under Issued Cerfificates). There are command
line tools to do this as well. Typically, you'll have many certs, all in
various states, so its not like there is a mastory inventory here which is
what you seem to imply on wanting to find.
The CA server is just a signer. In the Enteprise, you get all your
workstations to trust your CA, you submit a cert req to the signer CA,
it signs it, so then all your workstations trust your new cert.
More information about the cisco-voip
mailing list