Without a trusted digital signature on the X.509 certificate, the connection is open to a man-in-the-middle attack, because the client has no way to check whether the certificate was modified on its way from the server.
Use Terraform to create a self-signed cert with a self-signed CA
We need to ensure each client trusts the self-signed root CA cert in order to trust the certs signed by it. This isn’t a scalable solution when the number of clients grows!
A way around this is to use LetsEncrypt Certificates for the LAN - YouTube. Or, if our clients are onboarded to a service like Microsoft Intune, we can push down the self-signed root CA automatically as part of the client’s onboarding workflow.
```hcl
# Generate another private key. This one will be used
# to create the certs for apps running on the server.
# Note: tls_private_key keeps the key in Terraform state in plain text, and
# the local-exec below also writes it to the working directory.
resource "tls_private_key" "file_browser" {
  algorithm = "RSA"
  rsa_bits  = 4096

  provisioner "local-exec" {
    command = "echo '${tls_private_key.file_browser.private_key_pem}' > ./file_browser-private_key.pem"
  }
}

# Certificate signing request for the server cert: the CN plus the SANs
# (DNS name and IP) that clients will actually connect to.
resource "tls_cert_request" "file_browser" {
  private_key_pem = tls_private_key.file_browser.private_key_pem

  subject {
    common_name = "file_browser"
  }

  dns_names    = ["localhost"]
  ip_addresses = ["127.0.0.1"]
}

# Server cert signed by the self-signed root CA (the leaf itself is not self-signed).
resource "tls_locally_signed_cert" "file_browser" {
  cert_request_pem   = tls_cert_request.file_browser.cert_request_pem // cert request
  ca_private_key_pem = tls_private_key.ca.private_key_pem             // CA private key
  ca_cert_pem        = tls_self_signed_cert.ca.cert_pem               // CA cert PEM

  validity_period_hours = 721 # 30 days + 1 hour; the CA cert uses 720, so the leaf outlives its issuer by an hour

  allowed_uses = [
    "client_auth",
    "digital_signature",
    "key_agreement",
    "key_encipherment",
    "server_auth",
  ]

  provisioner "local-exec" {
    command = "echo '${tls_locally_signed_cert.file_browser.cert_pem}' > ./file_browser-crt.pem"
  }
}
```
The server always sends its X.509 certificate, which carries the CA’s digital signature, to the client, so the client can validate that signature with the public key of the Certificate Authority (CA) it trusts. The validation fails if the X.509 certificate has been manipulated by an attacker.
Use Terraform to create a self-signed root CA Cert
```hcl
# Generate a private key so you can create a CA cert with it.
resource "tls_private_key" "ca" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P521"
}

# Create a CA cert with the private key you just generated.
resource "tls_self_signed_cert" "ca" {
  private_key_pem = tls_private_key.ca.private_key_pem

  subject {
    common_name = "ca.yxy.ninja"
  }

  validity_period_hours = 720 # 30 days

  allowed_uses = [
    "cert_signing",
    "crl_signing",
  ]

  is_ca_certificate = true

  provisioner "local-exec" {
    command = "echo '${tls_self_signed_cert.ca.cert_pem}' > ./yxy-ninja-ca-crt.pem"
  }
}
```
Show certificate info for a certificate signing request
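The following is an added example, not code from these notes or from the Terraform tls provider. It rebuilds the same chain with openssl (P-521 root CA, RSA server key, CSR with the localhost/127.0.0.1 SANs, CA-signed leaf), dumps and verifies the CSR for this section, and then runs the client-side decision three times: against a client that trusts the root, against one that was never given the root (the "each client must trust the CA" point), and against a copy of the certificate with one byte of its body changed in transit (the "validation fails if the certificate is manipulated" point). It assumes openssl 1.1.1 or newer, GNU grep and dd, and uses the constructed CA name `ca.example.test`; every file is written to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original notes or any Terraform provider).
# Assumes: openssl >= 1.1.1, GNU grep/dd. CA name ca.example.test is a placeholder.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Root CA: ECDSA P-521 key plus a self-signed CA certificate. The config section
# mirrors tls_self_signed_cert: is_ca_certificate and cert_signing/crl_signing.
make_ca() {
  openssl ecparam -name secp521r1 -genkey -noout -out "$WORK/ca-key.pem"
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = ca.example.test
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -key "$WORK/ca-key.pem" -config "$WORK/ca.cnf" \
    -sha256 -days 30 -out "$WORK/ca-crt.pem"
}

# Server key and CSR (tls_private_key + tls_cert_request). RSA-2048 here
# instead of the 4096 used in the Terraform, only to keep the example quick.
make_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/srv-key.pem"
  cat > "$WORK/srv.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = srv_ext
[dn]
CN = file_browser
[srv_ext]
subjectAltName = DNS:localhost,IP:127.0.0.1
EOF
  openssl req -new -key "$WORK/srv-key.pem" -config "$WORK/srv.cnf" -out "$WORK/srv.csr"
}

# Show certificate info for a CSR, then check its self-signature, which proves
# the requester holds the private key. Last output line is OK or FAIL.
show_csr() {
  openssl req -in "$1" -noout -text
  if openssl req -in "$1" -noout -verify >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# CA signs the CSR (tls_locally_signed_cert). x509 -req drops CSR extensions
# unless told otherwise, so SAN and allowed uses are supplied via -extfile.
sign_csr() {
  printf '%s\n' 'subjectAltName = DNS:localhost,IP:127.0.0.1' \
    'keyUsage = digitalSignature,keyEncipherment,keyAgreement' \
    'extendedKeyUsage = serverAuth,clientAuth' > "$WORK/srv.ext"
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca-crt.pem" -CAkey "$WORK/ca-key.pem" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/srv.ext" -out "$WORK/srv-crt.pem"
}

# The client's decision: OK only if the CA signature on $1 checks out against
# a root in $2. An empty $2 models a client that was never given the root cert.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && { echo OK; return; }
  else
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1 && { echo OK; return; }
  fi
  echo FAIL
}

# Simulated on-path modification: overwrite one byte of the subject CN inside
# the DER body. Lengths stay valid, so the cert still parses, but the CA's
# signature no longer matches the bytes it is supposed to cover.
tamper_leaf() {
  openssl x509 -in "$1" -outform DER -out "$WORK/leaf.der"
  off=$(grep -a -b -o 'file_browser' "$WORK/leaf.der" | head -n 1 | cut -d: -f1)
  printf 'file_browseX' | dd of="$WORK/leaf.der" bs=1 seek="$off" conv=notrunc 2>/dev/null
  openssl x509 -inform DER -in "$WORK/leaf.der" -out "$WORK/tampered-crt.pem"
  printf '%s\n' "$WORK/tampered-crt.pem"
}

# Run the whole flow and return one summary line.
run_demo() {
  make_ca >/dev/null 2>&1
  make_csr >/dev/null 2>&1
  csr=$(show_csr "$WORK/srv.csr" | tail -n 1)
  sign_csr >/dev/null 2>&1
  trusted=$(verify_leaf "$WORK/srv-crt.pem" "$WORK/ca-crt.pem")
  untrusted=$(verify_leaf "$WORK/srv-crt.pem" "")
  tampered=$(verify_leaf "$(tamper_leaf "$WORK/srv-crt.pem")" "$WORK/ca-crt.pem")
  echo "csr=$csr trusted=$trusted untrusted=$untrusted tampered=$tampered"
}

run_demo
```

Running it prints `csr=OK trusted=OK untrusted=FAIL tampered=FAIL`. The `untrusted` result is what every client sees until the root CA cert has been installed on it, and the `tampered` result is the signature check doing its job: the modified certificate is still well-formed, so only the CA's signature reveals the change. Call `show_csr` on its own to see the full `-text` dump of the request, including the SANs.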