Ubuntu: Creating a self-signed SAN certificate using OpenSSL

There are numerous articles I’ve written where a certificate is a prerequisite for deploying a piece of infrastructure.

This article will guide you through generating a self-signed certificate with SAN (Subject Alternative Name) and SAN wildcard entries, replacing the deprecated usage of CN=<FQDN>.

In addition to the operational benefits of managing SAN, it is also becoming more necessary at the client level with browsers like Chrome 58 and Firefox 48 that don’t trust certificates without this specification.

If you just need a simple self-signed certificate where the Subject CN is sufficient to denote your public hostname, then read my article here instead.

If you manage a larger internal environment and want to create your own trusted Certificate Authority so you can provide trusted SAN certificates for multiple groups/services, then read my article here. These also provide better support for full browser trust.


Ubuntu: Creating a trusted CA and SAN certificate using OpenSSL

There are numerous articles I’ve written where a certificate is a prerequisite for deploying a piece of infrastructure.

This article will guide you through creating a trusted CA (Certificate Authority), and then using that to sign a server certificate that supports SAN (Subject Alternative Name).

Operationally, having your own trusted CA is advantageous over a self-signed certificate because once you install the CA certificate on a set of corporate/development machines, all the server certificates you issue from that CA will be trusted. If you manage a larger internal environment where hosts, services, and containers are in constant flux, this is an operational win.

CA trust also has advantages over self-signed certs because browsers like Chrome 58 and Firefox 48 have limitations on trusting self-signed certificates. The Windows version of Chrome is the only flavor that allows self-signed certs to be imported as a trusted root authority; on every other OS the self-signed certificate is not trusted. And Firefox allows you to add a permanent exception, but needs a trusted CA in order to show a fully green trust lock icon.

If you just want a self-signed SAN certificate with no backing CA, then read my article here instead, but note that it has limitations that are overcome by using a trusted CA.


Ansible: Installing Ansible on Ubuntu 16.04

Ansible is an agentless configuration management tool that helps operations teams manage installation, patching, and command execution across a set of servers.

In this article I’ll describe how to deploy the latest release of Ansible using pip on Ubuntu 16.04, and then perform a quick validation against a client.


Ansible: Installing Ansible on Ubuntu 14.04

Ansible is an agentless configuration management tool that helps operations teams manage installation, patching, and command execution across a set of servers.

In this article I’ll describe how to deploy the latest release of Ansible using pip on Ubuntu 14.04, and then perform a quick validation against a client.


SaltStack: Combine multiple pillar files under a single key

An issue that keeps coming up on the mailing lists as well as Stack Overflow[1,2] is how to merge multiple pillar files for use with a single state. The problem is that pillars using the same key overwrite each other, and there is no easy way to express the desire to merge instead.

There are various workarounds, but all of these expect the human operator to know about these disparate sources and manually mend them together with a unifying sls file (using includes or anchors/references).

The state and pillar files in this article can be downloaded from my github page.


Ubuntu: Creating a self-signed certificate using OpenSSL on Ubuntu

There are numerous articles I’ve written where a certificate is a prerequisite for deploying a piece of infrastructure.

Here are the quick steps for installing a simple self-signed certificate on an Ubuntu server. If you instead need to create a certificate with SAN (Subject Alternative Name) support, read my article here.

Some of you will want a full explanation of the steps required, others will only want to run the script I’m putting on github.
