Collection of TLS certificates to secure production instances of the Icehack virtual environment.
- Let's Encrypt is used to issue free, short-lived (90-day) TLS certificates.
- Multiple certificates are used, each covering a group of four node hostnames as Subject Alternative Names (the first group, 01-05, covers five: node1 to node5).
- Control of the icehack.bas.ac.uk sub-domain
- An account (private) key for Let's Encrypt
- Create a virtual machine reachable from the public internet on port 80 (the Let's Encrypt HTTP-01 challenge is served over plain HTTP)
- Download the ACME Tiny script to the VM
- Register the relevant series of sub-domains to point to the VM (e.g. node1.icehack.bas.ac.uk); every hostname in the CSR must resolve to the VM before registration
- Upload the account key to the VM
- Create private key for certificate [1]
- Create a CSR for certificate [2]
- Create challenges directory [3]
- Install Nginx
- Replace default site [4]
- Register certificates [5]
- Download certificate, CSR and private key to localhost
- Build certificate trust chain [6]
[1]
(umask 077; openssl genrsa 4096 > nodes-01-05.icehack.bas.ac.uk.key)
[2]
openssl req -new -sha256 -key nodes-01-05.icehack.bas.ac.uk.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:node1.icehack.bas.ac.uk,DNS:node2.icehack.bas.ac.uk,DNS:node3.icehack.bas.ac.uk,DNS:node4.icehack.bas.ac.uk,DNS:node5.icehack.bas.ac.uk")) > nodes-01-05.icehack.bas.ac.uk.csr
Every name needs the DNS: prefix; a bare hostname in the list is rejected by openssl. Check the result with `openssl req -in nodes-01-05.icehack.bas.ac.uk.csr -noout -text` before submitting it.
[3]
sudo mkdir -p /var/www/challenges/
sudo chown "$USER" /var/www/challenges/
The directory only needs to be writable by the user running acme_tiny.py and readable by Nginx; a world-writable (777) directory would let any local user plant challenge responses.
[4]
server {
    listen 80;
    server_name _;

    location /.well-known/acme-challenge/ {
        alias /var/www/challenges/;
        try_files $uri =404;
    }
}
[5]
python acme_tiny.py --account-key ./account.key --csr ./nodes-01-05.icehack.bas.ac.uk.csr --acme-dir /var/www/challenges/ > ./nodes-01-05.icehack.bas.ac.uk.crt
[6]
cat 01-05/nodes-01-05.icehack.bas.ac.uk.crt lets-encrypt-x1-cross-signed.pem > 01-05/nodes-01-05.icehack.bas.ac.uk-certificate-including-trust-chain.crt
The leaf certificate must come first, followed by the Let's Encrypt intermediate that actually signed it; the intermediate is rotated from time to time, so check the issuer with `openssl x509 -in 01-05/nodes-01-05.icehack.bas.ac.uk.crt -noout -issuer` rather than assuming the X1 cross-signed file.
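The key-and-CSR steps above ([1] and [2]) are the part most easily got wrong: a missing `DNS:` prefix, a world-readable key, or a CSR that was accidentally made with a different key. The script below is an added example, not code from the Icehack project, that generates the key with a safe umask, builds the SAN-only CSR for a whole group of hostnames from a plain list (so every entry gets its prefix), and then checks both the parsed SANs and the key/CSR modulus before anything is sent to Let's Encrypt. It assumes `openssl` is on the PATH; the scratch directory and the `.cnf` file name are illustrative, and the five hostnames are the ones the page uses.

```shell
#!/bin/sh
# Added example (not part of the Icehack repository): build and verify a
# SAN-only CSR for a group of node hostnames before running acme_tiny.
# Assumes openssl is installed; file and directory names are illustrative.
set -eu

# san_list HOST... : turn "a.example b.example" into "DNS:a.example,DNS:b.example".
# Every entry gets the DNS: prefix; a bare name makes openssl reject the CSR.
san_list() {
    _out=""
    for _h in "$@"; do
        _out="${_out:+$_out,}DNS:$_h"
    done
    printf '%s' "$_out"
}

# write_san_config FILE HOST... : minimal openssl config carrying the SAN
# extension. The subject stays empty ("/"); the names live only in the SAN.
write_san_config() {
    _cfg="$1"; shift
    cat > "$_cfg" <<EOF
[req]
distinguished_name = dn
prompt = no

[dn]

[SAN]
subjectAltName = $(san_list "$@")
EOF
}

# make_csr NAME HOST... : creates NAME.key (mode 0600), NAME.cnf and NAME.csr.
make_csr() {
    _name="$1"; shift
    umask 077                                     # private key must not be world-readable
    openssl genrsa -out "$_name.key" 4096 2>/dev/null
    write_san_config "$_name.cnf" "$@"
    openssl req -new -sha256 -key "$_name.key" -subj "/" \
        -reqexts SAN -config "$_name.cnf" -out "$_name.csr"
}

# csr_sans FILE : print the SAN names as openssl parsed them, comma-separated
# with no spaces, so the output compares directly with san_list.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# key_matches_csr NAME : succeed only if NAME.csr was made with NAME.key
# (same RSA modulus), catching a CSR built against a stale or wrong key.
key_matches_csr() {
    _k=$(openssl rsa -noout -modulus -in "$1.key")
    _c=$(openssl req -noout -modulus -in "$1.csr")
    [ -n "$_k" ] && [ "$_k" = "$_c" ]
}

# Demonstration: the five-node group from the page, built in a scratch directory.
WORK=$(mktemp -d)
cd "$WORK"
NODES="node1.icehack.bas.ac.uk node2.icehack.bas.ac.uk node3.icehack.bas.ac.uk node4.icehack.bas.ac.uk node5.icehack.bas.ac.uk"
make_csr nodes-01-05.icehack.bas.ac.uk $NODES
echo "CSR SANs: $(csr_sans nodes-01-05.icehack.bas.ac.uk.csr)"
if key_matches_csr nodes-01-05.icehack.bas.ac.uk; then
    echo "key and CSR match; files are in $WORK"
else
    echo "key/CSR mismatch" >&2
    exit 1
fi
```

Feed the resulting `.csr` to acme_tiny.py exactly as in step [5]; the `.cnf` file can be deleted afterwards, and the `.key` should be moved off the VM (step [18]) with its 0600 mode preserved.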
Use the certificates and private keys as normal.
Note: Ensure you suitably protect private key material (the account key as well as each certificate key); anyone holding the account key can request further certificates for these hostnames.
Copyright 2016 NERC BAS.
Unless stated otherwise, all documentation is licensed under the Open Government License - version 3. All code is licensed under the MIT license.
Copies of these licenses are included within this project.