Building Secure Local SSL Infrastructure with DNS#

Creating a secure internal SSL/TLS infrastructure is essential for protecting communication between services in local networks, development environments, and private clouds. This guide provides a complete implementation for building a production-ready local SSL infrastructure integrated with DNS for automatic certificate validation and distribution.

Architecture Overview#

A properly designed local SSL infrastructure consists of several key components working together:

1
graph TB
2
    subgraph "Certificate Authority"
3
        CA[Root CA]
4
        ICA[Intermediate CA]
5
        CA --> ICA
6
    end
7

8
    subgraph "DNS Infrastructure"
9
        DNS[Internal DNS Server]
10
        ACME[ACME DNS Challenge]
11
        DNS --> ACME
12
    end
13

14
    subgraph "Certificate Management"
15
        CM[Cert Manager]
16
        VAULT[HashiCorp Vault]
17
        CM --> VAULT
18
    end
19

20
    subgraph "Services"
21
        WEB[Web Services]
22
        API[API Services]
23
        DB[Database Services]
24
    end
25

26
    ICA --> CM
27
    CM --> WEB
28
    CM --> API
29
    CM --> DB
30
    ACME --> CM
31

32
    subgraph "Clients"
33
        BROWSER[Browsers]
34
        APP[Applications]
35
        CLI[CLI Tools]
36
    end
37

38
    WEB --> BROWSER
39
    API --> APP
40
    DB --> CLI

Setting Up the Certificate Authority#

Step 1: Create Root Certificate Authority#

First, establish a secure root CA that will be the trust anchor for your infrastructure:

1
#!/bin/bash
2
# Configuration
3
CA_DIR="/etc/ssl/ca"
4
ROOT_KEY="$CA_DIR/private/root-ca.key"
5
ROOT_CERT="$CA_DIR/certs/root-ca.crt"
6
ROOT_CONFIG="$CA_DIR/root-ca.conf"
7

8
# Create directory structure
9
mkdir -p "$CA_DIR"/{certs,crl,newcerts,private,requests}
10
chmod 700 "$CA_DIR/private"
11
touch "$CA_DIR/index.txt"
12
echo 1000 > "$CA_DIR/serial"
13

14
# Create Root CA configuration
15
cat > "$ROOT_CONFIG" << 'EOF'
16
[ ca ]
17
default_ca = CA_default
18

19
[ CA_default ]
20
dir               = /etc/ssl/ca
21
certs             = $dir/certs
22
crl_dir           = $dir/crl
23
new_certs_dir     = $dir/newcerts
24
database          = $dir/index.txt
25
serial            = $dir/serial
26
RANDFILE          = $dir/private/.rand
27
private_key       = $dir/private/root-ca.key
28
certificate       = $dir/certs/root-ca.crt
29
crlnumber         = $dir/crlnumber
30
crl               = $dir/crl/root-ca.crl
31
crl_extensions    = crl_ext
32
default_crl_days  = 30
33
default_md        = sha256
34
name_opt          = ca_default
35
cert_opt          = ca_default
36
default_days      = 3650
37
preserve          = no
38
policy            = policy_loose
39

40
[ policy_loose ]
41
countryName             = optional
42
stateOrProvinceName     = optional
43
localityName            = optional
44
organizationName        = optional
45
organizationalUnitName  = optional
46
commonName              = supplied
47
emailAddress            = optional
48

49
[ req ]
50
default_bits        = 4096
51
distinguished_name  = req_distinguished_name
52
string_mask         = utf8only
53
default_md          = sha256
54
x509_extensions     = v3_ca
55

56
[ req_distinguished_name ]
57
countryName                     = Country Name (2 letter code)
58
stateOrProvinceName             = State or Province Name
59
localityName                    = Locality Name
60
0.organizationName              = Organization Name
61
organizationalUnitName          = Organizational Unit Name
62
commonName                      = Common Name
63
emailAddress                    = Email Address
64

65
[ v3_ca ]
66
subjectKeyIdentifier = hash
67
authorityKeyIdentifier = keyid:always,issuer
68
basicConstraints = critical, CA:true
69
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
70

71
[ v3_intermediate_ca ]
72
subjectKeyIdentifier = hash
73
authorityKeyIdentifier = keyid:always,issuer
74
basicConstraints = critical, CA:true, pathlen:0
75
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
76

77
[ crl_ext ]
78
authorityKeyIdentifier=keyid:always
79
EOF
80

81
# Generate Root CA private key
82
openssl genrsa -aes256 -out "$ROOT_KEY" 4096
83
chmod 400 "$ROOT_KEY"
84

85
# Generate Root CA certificate
86
openssl req -config "$ROOT_CONFIG" \
87
    -key "$ROOT_KEY" \
88
    -new -x509 -days 7300 -sha256 -extensions v3_ca \
89
    -out "$ROOT_CERT" \
90
    -subj "/C=US/ST=State/L=City/O=Organization/OU=IT/CN=Root CA"
91

92
# Verify Root CA certificate
93
openssl x509 -noout -text -in "$ROOT_CERT"

Step 2: Create Intermediate Certificate Authority#

The intermediate CA will issue certificates for services:

1
#!/bin/bash
2
# Configuration
3
CA_DIR="/etc/ssl/ca"
4
INT_DIR="$CA_DIR/intermediate"
5
INT_KEY="$INT_DIR/private/intermediate-ca.key"
6
INT_CSR="$INT_DIR/csr/intermediate-ca.csr"
7
INT_CERT="$INT_DIR/certs/intermediate-ca.crt"
8
INT_CONFIG="$INT_DIR/intermediate-ca.conf"
9

10
# Create intermediate directory structure
11
mkdir -p "$INT_DIR"/{certs,crl,csr,newcerts,private}
12
chmod 700 "$INT_DIR/private"
13
touch "$INT_DIR/index.txt"
14
echo 1000 > "$INT_DIR/serial"
15
echo 1000 > "$INT_DIR/crlnumber"
16

17
# Create Intermediate CA configuration
18
cat > "$INT_CONFIG" << 'EOF'
19
[ ca ]
20
default_ca = CA_default
21

22
[ CA_default ]
23
dir               = /etc/ssl/ca/intermediate
24
certs             = $dir/certs
25
crl_dir           = $dir/crl
26
new_certs_dir     = $dir/newcerts
27
database          = $dir/index.txt
28
serial            = $dir/serial
29
RANDFILE          = $dir/private/.rand
30
private_key       = $dir/private/intermediate-ca.key
31
certificate       = $dir/certs/intermediate-ca.crt
32
crlnumber         = $dir/crlnumber
33
crl               = $dir/crl/intermediate-ca.crl
34
crl_extensions    = crl_ext
35
default_crl_days  = 30
36
default_md        = sha256
37
name_opt          = ca_default
38
cert_opt          = ca_default
39
default_days      = 375
40
preserve          = no
41
policy            = policy_loose
42

43
[ policy_loose ]
44
countryName             = optional
45
stateOrProvinceName     = optional
46
localityName            = optional
47
organizationName        = optional
48
organizationalUnitName  = optional
49
commonName              = supplied
50
emailAddress            = optional
51

52
[ req ]
53
default_bits        = 4096
54
distinguished_name  = req_distinguished_name
55
string_mask         = utf8only
56
default_md          = sha256
57

58
[ req_distinguished_name ]
59
countryName                     = Country Name (2 letter code)
60
stateOrProvinceName             = State or Province Name
61
localityName                    = Locality Name
62
0.organizationName              = Organization Name
63
organizationalUnitName          = Organizational Unit Name
64
commonName                      = Common Name
65
emailAddress                    = Email Address
66

67
[ v3_intermediate_ca ]
68
subjectKeyIdentifier = hash
69
authorityKeyIdentifier = keyid:always,issuer
70
basicConstraints = critical, CA:true, pathlen:0
71
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
72

73
[ server_cert ]
74
basicConstraints = CA:FALSE
75
nsCertType = server
76
nsComment = "OpenSSL Generated Server Certificate"
77
subjectKeyIdentifier = hash
78
authorityKeyIdentifier = keyid,issuer:always
79
keyUsage = critical, digitalSignature, keyEncipherment
80
extendedKeyUsage = serverAuth
81
subjectAltName = @alt_names
82

83
[ crl_ext ]
84
authorityKeyIdentifier=keyid:always
85

86
[ ocsp ]
87
basicConstraints = CA:FALSE
88
subjectKeyIdentifier = hash
89
authorityKeyIdentifier = keyid,issuer
90
keyUsage = critical, digitalSignature
91
extendedKeyUsage = critical, OCSPSigning
92
EOF
93

94
# Generate Intermediate CA private key
95
openssl genrsa -aes256 -out "$INT_KEY" 4096
96
chmod 400 "$INT_KEY"
97

98
# Generate Intermediate CA certificate request
99
openssl req -config "$INT_CONFIG" -new -sha256 \
100
    -key "$INT_KEY" \
101
    -out "$INT_CSR" \
102
    -subj "/C=US/ST=State/L=City/O=Organization/OU=IT/CN=Intermediate CA"
103

104
# Sign Intermediate CA certificate with Root CA
105
openssl ca -config "$CA_DIR/root-ca.conf" \
106
    -extensions v3_intermediate_ca \
107
    -days 3650 -notext -md sha256 \
108
    -in "$INT_CSR" \
109
    -out "$INT_CERT"
110

111
# Create certificate chain
112
cat "$INT_CERT" "$CA_DIR/certs/root-ca.crt" > "$INT_DIR/certs/ca-chain.crt"
113

114
# Verify certificate chain
115
openssl verify -CAfile "$CA_DIR/certs/root-ca.crt" "$INT_CERT"

DNS Integration for Certificate Validation#

CoreDNS Configuration with ACME Support#

Configure CoreDNS to handle DNS challenges for automatic certificate issuance:

1
apiVersion: v1
2
kind: ConfigMap
3
metadata:
4
  name: coredns-config
5
data:
6
  Corefile: |
7
    .:53 {
8
        errors
9
        health {
10
            lameduck 5s
11
        }
12
        ready
13

14
        # Internal zone
15
        file /etc/coredns/zones/internal.zone internal.company.com {
16
            reload 30s
17
        }
18

19
        # ACME DNS challenge support
20
        file /etc/coredns/zones/acme.zone _acme-challenge.internal.company.com {
21
            reload 5s
22
        }
23

24
        # Forwarding for external domains
25
        forward . 8.8.8.8 8.8.4.4 {
26
            max_concurrent 1000
27
        }
28

29
        cache 30
30
        loop
31
        reload
32
        loadbalance
33

34
        # Prometheus metrics
35
        prometheus :9153
36

37
        # Logging
38
        log . {
39
            class error
40
        }
41
    }
42

43
  internal.zone: |
44
    $ORIGIN internal.company.com.
45
    $TTL 3600
46
    @   IN  SOA ns1.internal.company.com. admin.internal.company.com. (
47
            2024010101  ; Serial
48
            3600        ; Refresh
49
            1800        ; Retry
50
            604800      ; Expire
51
            86400       ; Minimum TTL
52
    )
53

54
    ; Name servers
55
    @   IN  NS  ns1.internal.company.com.
56
    @   IN  NS  ns2.internal.company.com.
57

58
    ; A records
59
    ns1     IN  A   10.0.1.10
60
    ns2     IN  A   10.0.1.11
61
    ca      IN  A   10.0.1.20
62
    vault   IN  A   10.0.1.21
63

64
    ; Service records
65
    web     IN  A   10.0.2.10
66
    api     IN  A   10.0.2.20
67
    db      IN  A   10.0.2.30
68

69
    ; CNAME records
70
    www     IN  CNAME   web
71

72
  acme.zone: |
73
    $ORIGIN _acme-challenge.internal.company.com.
74
    $TTL 60
75
    @   IN  SOA ns1.internal.company.com. admin.internal.company.com. (
76
            2024010101  ; Serial
77
            60          ; Refresh
78
            30          ; Retry
79
            3600        ; Expire
80
            60          ; Minimum TTL
81
    )

DNS-01 Challenge Automation#

Implement automated DNS-01 challenge handling:

1
#!/usr/bin/env python3
2
import os
3
import time
4
import dns.resolver
5
import dns.update
6
import dns.tsigkeyring
7
import dns.query
8
from flask import Flask, request, jsonify
9

10
app = Flask(__name__)
11

12
# Configuration
13
DNS_SERVER = os.environ.get('DNS_SERVER', '10.0.1.10')
14
DNS_ZONE = os.environ.get('DNS_ZONE', 'internal.company.com')
15
TSIG_KEY_NAME = os.environ.get('TSIG_KEY_NAME', 'acme-key')
16
TSIG_KEY = os.environ.get('TSIG_KEY', 'base64-encoded-key')
17
TSIG_ALGO = os.environ.get('TSIG_ALGO', 'hmac-sha256')
18

19
# Create TSIG keyring
20
keyring = dns.tsigkeyring.from_text({
21
    TSIG_KEY_NAME: TSIG_KEY
22
})
23

24
@app.route('/present', methods=['POST'])
25
def present_challenge():
26
    """Add DNS TXT record for ACME challenge"""
27
    data = request.json
28
    domain = data.get('domain')
29
    token = data.get('token')
30

31
    if not domain or not token:
32
        return jsonify({'error': 'Missing domain or token'}), 400
33

34
    # Create DNS update
35
    update = dns.update.Update(DNS_ZONE, keyring=keyring, keyalgorithm=TSIG_ALGO)
36

37
    # Add TXT record
38
    txt_name = f'_acme-challenge.{domain}'
39
    update.add(txt_name, 60, 'TXT', f'"{token}"')
40

41
    try:
42
        response = dns.query.tcp(update, DNS_SERVER)
43

44
        # Wait for DNS propagation
45
        time.sleep(5)
46

47
        # Verify record exists
48
        resolver = dns.resolver.Resolver()
49
        resolver.nameservers = [DNS_SERVER]
50
        answers = resolver.resolve(f'{txt_name}.{DNS_ZONE}', 'TXT')
51

52
        for rdata in answers:
53
            if token in str(rdata):
54
                return jsonify({'status': 'success'}), 200
55

56
        return jsonify({'error': 'Record not found after creation'}), 500
57

58
    except Exception as e:
59
        return jsonify({'error': str(e)}), 500
60

61
@app.route('/cleanup', methods=['POST'])
62
def cleanup_challenge():
63
    """Remove DNS TXT record after challenge completion"""
64
    data = request.json
65
    domain = data.get('domain')
66

67
    if not domain:
68
        return jsonify({'error': 'Missing domain'}), 400
69

70
    # Create DNS update
71
    update = dns.update.Update(DNS_ZONE, keyring=keyring, keyalgorithm=TSIG_ALGO)
72

73
    # Delete TXT record
74
    txt_name = f'_acme-challenge.{domain}'
75
    update.delete(txt_name, 'TXT')
76

77
    try:
78
        response = dns.query.tcp(update, DNS_SERVER)
79
        return jsonify({'status': 'success'}), 200
80
    except Exception as e:
81
        return jsonify({'error': str(e)}), 500
82

83
if __name__ == '__main__':
84
    app.run(host='0.0.0.0', port=8080)

Automated Certificate Management#

Step-CA for ACME Protocol#

Deploy Step-CA as an ACME server integrated with your CA:

1
{
2
  "root": "/etc/step-ca/certs/root-ca.crt",
3
  "federatedRoots": [],
4
  "crt": "/etc/step-ca/certs/intermediate-ca.crt",
5
  "key": "/etc/step-ca/secrets/intermediate-ca.key",
6
  "address": ":443",
7
  "insecureAddress": "",
8
  "dnsNames": ["ca.internal.company.com"],
9
  "logger": { "format": "json" },
10
  "db": { "type": "badgerv2", "dataSource": "/etc/step-ca/db" },
11
  "authority":
12
    {
13
      "provisioners":
14
        [
15
          {
16
            "type": "ACME",
17
            "name": "acme",
18
            "forceCN": true,
19
            "claims":
20
              {
21
                "maxTLSCertDuration": "720h",
22
                "defaultTLSCertDuration": "168h",
23
              },
24
          },
25
          {
26
            "type": "JWK",
27
            "name": "admin",
28
            "key":
29
              {
30
                "use": "sig",
31
                "kty": "EC",
32
                "kid": "admin-key-id",
33
                "crv": "P-256",
34
                "alg": "ES256",
35
                "x": "base64-x-coordinate",
36
                "y": "base64-y-coordinate",
37
              },
38
            "encryptedKey": "encrypted-private-key",
39
            "claims":
40
              {
41
                "maxTLSCertDuration": "8760h",
42
                "defaultTLSCertDuration": "720h",
43
                "enableSSHCA": true,
44
              },
45
          },
46
        ],
47
    },
48
  "tls":
49
    {
50
      "cipherSuites":
51
        [
52
          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
53
          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
54
          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
55
          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
56
        ],
57
      "minVersion": 1.2,
58
      "maxVersion": 1.3,
59
      "renegotiation": false,
60
    },
61
}

Cert-Manager Integration#

Deploy cert-manager for Kubernetes environments:

1
apiVersion: cert-manager.io/v1
2
kind: ClusterIssuer
3
metadata:
4
  name: internal-ca-issuer
5
spec:
6
  acme:
7
    server: https://ca.internal.company.com/acme/acme/directory
8
    email: admin@company.com
9
    privateKeySecretRef:
10
      name: internal-ca-account-key
11
    solvers:
12
      - dns01:
13
          webhook:
14
            groupName: acme.company.com
15
            solverName: internal-dns
16
            config:
17
              endpoint: http://dns-challenge-handler:8080
18
              zone: internal.company.com
19
---
20
apiVersion: v1
21
kind: Secret
22
metadata:
23
  name: ca-root-cert
24
  namespace: cert-manager
25
type: Opaque
26
data:
27
  ca.crt: # base64 encoded root CA certificate

Certificate Lifecycle Automation#

1
#!/bin/bash
2
# Configuration
3
CERT_DIR="/etc/ssl/services"
4
CA_URL="https://ca.internal.company.com"
5
RENEWAL_DAYS=30
6
LOG_FILE="/var/log/cert-manager.log"
7

8
# Logging function
9
log() {
10
    echo "[$(date +'%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
11
}
12

13
# Check certificate expiration
14
check_cert_expiry() {
15
    local cert_file=$1
16
    local days_until_expiry
17

18
    if [[ -f "$cert_file" ]]; then
19
        days_until_expiry=$(openssl x509 -enddate -noout -in "$cert_file" | \
20
            cut -d= -f2 | xargs -I {} date -d {} +%s | \
21
            awk -v now=$(date +%s) '{print int(($1-now)/86400)}')
22

23
        echo "$days_until_expiry"
24
    else
25
        echo "-1"
26
    fi
27
}
28

29
# Request new certificate using ACME
30
request_certificate() {
31
    local domain=$1
32
    local cert_path="$CERT_DIR/$domain"
33

34
    log "Requesting certificate for $domain"
35

36
    # Create certificate directory
37
    mkdir -p "$cert_path"
38

39
    # Request certificate using step CLI
40
    step ca certificate "$domain" \
41
        "$cert_path/cert.pem" \
42
        "$cert_path/key.pem" \
43
        --ca-url="$CA_URL" \
44
        --root="/etc/ssl/ca/certs/root-ca.crt" \
45
        --acme="$CA_URL/acme/acme/directory" \
46
        --kty=RSA \
47
        --size=2048
48

49
    if [[ $? -eq 0 ]]; then
50
        log "Certificate successfully obtained for $domain"
51

52
        # Set proper permissions
53
        chmod 644 "$cert_path/cert.pem"
54
        chmod 600 "$cert_path/key.pem"
55

56
        # Create combined certificate chain
57
        cat "$cert_path/cert.pem" \
58
            "/etc/ssl/ca/intermediate/certs/intermediate-ca.crt" \
59
            > "$cert_path/fullchain.pem"
60

61
        return 0
62
    else
63
        log "ERROR: Failed to obtain certificate for $domain"
64
        return 1
65
    fi
66
}
67

68
# Renew certificates
69
renew_certificates() {
70
    local services_file="/etc/ssl/services.conf"
71

72
    while IFS= read -r line; do
73
        # Skip comments and empty lines
74
        [[ "$line" =~ ^#.*$ ]] || [[ -z "$line" ]] && continue
75

76
        # Parse service configuration
77
        domain=$(echo "$line" | cut -d':' -f1)
78
        service=$(echo "$line" | cut -d':' -f2)
79
        reload_cmd=$(echo "$line" | cut -d':' -f3)
80

81
        cert_file="$CERT_DIR/$domain/cert.pem"
82
        days_left=$(check_cert_expiry "$cert_file")
83

84
        if [[ $days_left -lt $RENEWAL_DAYS ]]; then
85
            log "Certificate for $domain expires in $days_left days, renewing..."
86

87
            if request_certificate "$domain"; then
88
                # Reload service if specified
89
                if [[ -n "$reload_cmd" ]]; then
90
                    log "Reloading service: $service"
91
                    eval "$reload_cmd"
92
                fi
93
            fi
94
        else
95
            log "Certificate for $domain is valid for $days_left more days"
96
        fi
97

98
    done < "$services_file"
99
}
100

101
# Main execution
102
main() {
103
    log "Starting certificate lifecycle manager"
104

105
    # Ensure required directories exist
106
    mkdir -p "$CERT_DIR"
107

108
    # Run certificate renewal check
109
    renew_certificates
110

111
    log "Certificate lifecycle check completed"
112
}
113

114
# Run main function
115
main

Service Configuration Examples#

Nginx with Auto-Renewed Certificates#

1
server {
2
    listen 443 ssl http2;
3
    listen [::]:443 ssl http2;
4
    server_name app.internal.company.com;
5

6
    # Certificate paths
7
    ssl_certificate /etc/ssl/services/app.internal.company.com/fullchain.pem;
8
    ssl_certificate_key /etc/ssl/services/app.internal.company.com/key.pem;
9

10
    # Modern SSL configuration
11
    ssl_protocols TLSv1.2 TLSv1.3;
12
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
13
    ssl_prefer_server_ciphers off;
14

15
    # OCSP stapling
16
    ssl_stapling on;
17
    ssl_stapling_verify on;
18
    ssl_trusted_certificate /etc/ssl/services/app.internal.company.com/fullchain.pem;
19

20
    # Security headers
21
    add_header Strict-Transport-Security "max-age=63072000" always;
22
    add_header X-Frame-Options "SAMEORIGIN" always;
23
    add_header X-Content-Type-Options "nosniff" always;
24
    add_header X-XSS-Protection "1; mode=block" always;
25

26
    # Application configuration
27
    location / {
28
        proxy_pass http://localhost:8080;
29
        proxy_set_header Host $host;
30
        proxy_set_header X-Real-IP $remote_addr;
31
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
32
        proxy_set_header X-Forwarded-Proto $scheme;
33
    }
34
}
35

36
# Redirect HTTP to HTTPS
37
server {
38
    listen 80;
39
    listen [::]:80;
40
    server_name app.internal.company.com;
41
    return 301 https://$server_name$request_uri;
42
}

PostgreSQL with SSL/TLS#

1
# postgresql.conf
2
ssl = on
3
ssl_cert_file = '/etc/ssl/services/db.internal.company.com/cert.pem'
4
ssl_key_file = '/etc/ssl/services/db.internal.company.com/key.pem'
5
ssl_ca_file = '/etc/ssl/ca/certs/ca-chain.crt'
6
ssl_crl_file = ''
7
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
8
ssl_prefer_server_ciphers = on
9
ssl_ecdh_curve = 'prime256v1'
10
ssl_min_protocol_version = 'TLSv1.2'
11
ssl_max_protocol_version = ''
12

13
# pg_hba.conf
14
# TYPE  DATABASE        USER            ADDRESS                 METHOD
15
hostssl all             all             10.0.0.0/16            cert clientcert=verify-full
16
hostssl replication     replicator      10.0.0.0/16            cert clientcert=verify-full

Client Certificate Management#

Generating Client Certificates#

1
#!/bin/bash
2
CLIENT_NAME="$1"
3
CLIENT_DIR="/etc/ssl/clients/$CLIENT_NAME"
4

5
if [[ -z "$CLIENT_NAME" ]]; then
6
    echo "Usage: $0 <client-name>"
7
    exit 1
8
fi
9

10
# Create client directory
11
mkdir -p "$CLIENT_DIR"
12

13
# Generate client private key
14
openssl genrsa -out "$CLIENT_DIR/client.key" 2048
15
chmod 600 "$CLIENT_DIR/client.key"
16

17
# Create client certificate request
18
cat > "$CLIENT_DIR/client.conf" << EOF
19
[req]
20
distinguished_name = req_distinguished_name
21
req_extensions = v3_req
22
prompt = no
23

24
[req_distinguished_name]
25
C = US
26
ST = State
27
L = City
28
O = Organization
29
OU = IT
30
CN = $CLIENT_NAME
31
emailAddress = $CLIENT_NAME@internal.company.com
32

33
[v3_req]
34
keyUsage = critical, digitalSignature, keyEncipherment
35
extendedKeyUsage = clientAuth
36
subjectAltName = @alt_names
37

38
[alt_names]
39
email = $CLIENT_NAME@internal.company.com
40
EOF
41

42
# Generate certificate request
43
openssl req -new -key "$CLIENT_DIR/client.key" \
44
    -out "$CLIENT_DIR/client.csr" \
45
    -config "$CLIENT_DIR/client.conf"
46

47
# Sign client certificate
48
openssl ca -config /etc/ssl/ca/intermediate/intermediate-ca.conf \
49
    -extensions usr_cert -days 365 -notext -md sha256 \
50
    -in "$CLIENT_DIR/client.csr" \
51
    -out "$CLIENT_DIR/client.crt"
52

53
# Create PKCS12 bundle for easy import
54
openssl pkcs12 -export \
55
    -out "$CLIENT_DIR/client.p12" \
56
    -inkey "$CLIENT_DIR/client.key" \
57
    -in "$CLIENT_DIR/client.crt" \
58
    -certfile /etc/ssl/ca/intermediate/certs/ca-chain.crt \
59
    -passout pass:changeme
60

61
echo "Client certificate generated for $CLIENT_NAME"
62
echo "Certificate: $CLIENT_DIR/client.crt"
63
echo "Private Key: $CLIENT_DIR/client.key"
64
echo "PKCS12 Bundle: $CLIENT_DIR/client.p12"

Monitoring and Maintenance#

Certificate Monitoring Dashboard#

1
graph LR
2
    subgraph "Monitoring Stack"
3
        PROM[Prometheus]
4
        ALERT[Alertmanager]
5
        GRAF[Grafana]
6
    end
7

8
    subgraph "Certificate Checks"
9
        EXP[Expiry Check]
10
        VAL[Validation Check]
11
        REV[Revocation Check]
12
    end
13

14
    subgraph "Services"
15
        WEB[Web Services]
16
        API[API Services]
17
        DB[Databases]
18
    end
19

20
    EXP --> PROM
21
    VAL --> PROM
22
    REV --> PROM
23

24
    WEB --> EXP
25
    API --> EXP
26
    DB --> EXP
27

28
    PROM --> ALERT
29
    PROM --> GRAF

Prometheus Certificate Exporter#

1
#!/usr/bin/env python3
2
import ssl
3
import socket
4
import datetime
5
import time
6
from prometheus_client import start_http_server, Gauge
7

8
# Metrics
9
cert_expiry_days = Gauge('cert_expiry_days',
10
                        'Days until certificate expiry',
11
                        ['hostname', 'port'])
12
cert_valid = Gauge('cert_valid',
13
                  'Certificate validation status',
14
                  ['hostname', 'port'])
15

16
def check_certificate(hostname, port=443):
17
    """Check SSL certificate for a given host"""
18
    try:
19
        # Create SSL context
20
        context = ssl.create_default_context()
21

22
        # Connect and get certificate
23
        with socket.create_connection((hostname, port), timeout=10) as sock:
24
            with context.wrap_socket(sock, server_hostname=hostname) as ssock:
25
                cert = ssock.getpeercert()
26

27
                # Parse expiry date
28
                not_after = datetime.datetime.strptime(
29
                    cert['notAfter'],
30
                    '%b %d %H:%M:%S %Y %Z'
31
                )
32

33
                # Calculate days until expiry
34
                days_left = (not_after - datetime.datetime.utcnow()).days
35

36
                # Update metrics
37
                cert_expiry_days.labels(hostname=hostname, port=port).set(days_left)
38
                cert_valid.labels(hostname=hostname, port=port).set(1)
39

40
                return days_left
41

42
    except Exception as e:
43
        print(f"Error checking {hostname}:{port} - {str(e)}")
44
        cert_valid.labels(hostname=hostname, port=port).set(0)
45
        return -1
46

47
def main():
48
    # Start Prometheus metrics server
49
    start_http_server(9100)
50

51
    # Services to monitor
52
    services = [
53
        ('web.internal.company.com', 443),
54
        ('api.internal.company.com', 443),
55
        ('db.internal.company.com', 5432),
56
    ]
57

58
    while True:
59
        for hostname, port in services:
60
            check_certificate(hostname, port)
61

62
        # Check every 5 minutes
63
        time.sleep(300)
64

65
if __name__ == '__main__':
66
    main()

Security Best Practices#

1. Key Management#

1
# Secure key storage with proper permissions
2
chmod 700 /etc/ssl/ca/private
3
chmod 600 /etc/ssl/ca/private/*.key
4

5
# Use hardware security modules (HSM) for production
6
# Example with SoftHSM
7
softhsm2-util --init-token --slot 0 --label "CA Keys" \
8
    --pin 1234 --so-pin 5678
9

10
# Store CA key in HSM
11
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so \
12
    --login --pin 1234 \
13
    --write-object /etc/ssl/ca/private/root-ca.key \
14
    --type privkey --id 01 --label "Root CA Key"

2. Certificate Pinning#

1
// Node.js example with certificate pinning
2
const https = require("https");
3
const crypto = require("crypto");
4

5
const pinnedCerts = ["sha256//BASE64_ENCODED_CERT_FINGERPRINT"];
6

7
const options = {
8
  hostname: "api.internal.company.com",
9
  port: 443,
10
  path: "/",
11
  method: "GET",
12
  checkServerIdentity: (host, cert) => {
13
    const fingerprint = crypto
14
      .createHash("sha256")
15
      .update(cert.raw)
16
      .digest("base64");
17

18
    if (!pinnedCerts.includes(`sha256//${fingerprint}`)) {
19
      throw new Error("Certificate pin validation failed");
20
    }
21
  },
22
};
23

24
https
25
  .request(options, res => {
26
    // Handle response
27
  })
28
  .end();

3. Audit Logging#

1
#!/bin/bash
2
# Enable audit logging for CA operations
3
cat >> /etc/ssl/ca/intermediate/intermediate-ca.conf << EOF
4

5
[ ca ]
6
# Existing configuration...
7
audit_log = /var/log/ca-audit.log
8

9
EOF
10

11
# Log rotation configuration
12
cat > /etc/logrotate.d/ca-audit << EOF
13
/var/log/ca-audit.log {
14
    daily
15
    rotate 365
16
    compress
17
    delaycompress
18
    missingok
19
    notifempty
20
    create 0600 root root
21
    sharedscripts
22
    postrotate
23
        # Signal CA service to reopen logs if needed
24
        systemctl reload step-ca 2>/dev/null || true
25
    endscript
26
}
27
EOF

Troubleshooting Common Issues#

DNS Resolution Issues#

1
# Test DNS resolution
2
dig _acme-challenge.app.internal.company.com TXT @10.0.1.10
3

4
# Verify TSIG key
5
nsupdate -k /etc/bind/acme-key.key <<EOF
6
server 10.0.1.10
7
zone internal.company.com
8
update add test.internal.company.com 60 A 10.0.0.1
9
send
10
EOF
11

12
# Check DNS logs
13
journalctl -u coredns -f

Certificate Validation Problems#

1
# Verify certificate chain
2
openssl verify -CAfile /etc/ssl/ca/certs/ca-chain.crt \
3
    /etc/ssl/services/app.internal.company.com/cert.pem
4

5
# Check certificate details
6
openssl x509 -in /etc/ssl/services/app.internal.company.com/cert.pem \
7
    -noout -text
8

9
# Test SSL connection
10
openssl s_client -connect app.internal.company.com:443 \
11
    -CAfile /etc/ssl/ca/certs/ca-chain.crt \
12
    -servername app.internal.company.com

Conclusion#

Building a secure local SSL infrastructure with DNS integration provides a robust foundation for internal service communication. By combining a proper PKI hierarchy with automated certificate management and DNS-based validation, organizations can achieve enterprise-grade security for their internal networks while maintaining ease of use and automation capabilities.

The key to success is proper planning, automation of routine tasks, and regular monitoring of certificate health. With the tools and configurations provided in this guide, you can implement a production-ready SSL infrastructure that scales with your organization’s needs.