leeand00:

I was reading about configuration files for OpenSSL and was wondering if it was possible to configure my openssl certificates prior to first boot, and if there was some place where the certificate request (csr) would appear after first boot, so I could send it into my certificate authority.

By default they appear to be configured correctly with SHA256+TLS1.2 and a key size of 2048 bits, but of course you need to add other parameters to the csr to request a verified certificate; is there any way to preconfigure this?

Jeremy Davis:

By default TurnKey includes shared self-signed SSL certs, but generates unique ones at first boot. You could certainly alter and/or adjust these as you see fit; although if you have some ideas on making TurnKey better then we're always happy to hear about that. Keep in mind though that we need to balance ease of use and user experience with security... :)

Here are some links to the code that is included in TurnKey which may be of interest:

  • Pre-created certs which all appliances include:
    https://github.com/turnkeylinux/common/tree/master/overlays/turnkey.d/ss...
  • Default cert locations and permissions:
    https://github.com/turnkeylinux/common/blob/master/conf/turnkey.d/sslcert
  • The firstboot script that initiates the regeneration process:
    https://github.com/turnkeylinux/common/blob/master/overlays/turnkey.d/ss...
  • The script that actually does the heavy lifting:
    https://github.com/turnkeylinux/common/blob/master/overlays/turnkey.d/ss...
  • And the config file it uses:
    https://github.com/turnkeylinux/common/blob/master/overlays/turnkey.d/ss...

Hopefully that gives you some insight into how we already do things. I'd be interested to hear more about your ideas so even if you don't want to commit some code it'd be great if you shared.

Also for context, the reason why we do all this stuff at firstboot rather than during install: the reasoning is because we distribute in a lot of different formats and only ISO install supports doing stuff at "install" (all the other builds are already installed...)
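What the "preconfigure the csr" idea looks like in practice, as an added example that is not code from either post or from TurnKey's own scripts: an OpenSSL config file with the request fields filled in and `prompt = no`, driven by a small shell wrapper that generates the key and CSR non-interactively and then checks that the CSR really came out as SHA-256 with a 2048-bit key. The subject fields, hostname and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not TurnKey's code): generate a 2048-bit RSA key and a
# SHA-256 CSR non-interactively from a pre-written OpenSSL config file.
# All subject values are constructed placeholders.

# prompt = no makes openssl read the DN from the file instead of asking
# for it interactively, which is what a firstboot script needs.
write_csr_config() {
    cat > "$1" <<'EOF'
[ req ]
default_bits        = 2048
default_md          = sha256
prompt              = no
distinguished_name  = req_dn
req_extensions      = req_ext

[ req_dn ]
C  = US
ST = Example-State
L  = Example-City
O  = Example Org
CN = appliance.example.invalid

[ req_ext ]
subjectAltName = DNS:appliance.example.invalid
EOF
}

# Generate key + CSR into directory $1. umask 077 keeps the private key
# owner-readable only (0600); the CSR itself holds no secret.
make_csr() {
    write_csr_config "$1/csr.cnf"
    (umask 077 && openssl req -new -nodes -config "$1/csr.cnf" \
        -keyout "$1/cert.key" -out "$1/cert.csr" 2>/dev/null)
}

# Inspect what the CA would actually receive.
csr_subject()  { openssl req -in "$1" -noout -subject; }
csr_text()     { openssl req -in "$1" -noout -text; }
csr_sig_alg()  { csr_text "$1" | grep 'Signature Algorithm' | head -n1; }
csr_key_bits() { csr_text "$1" | grep -o 'Public-Key: ([0-9]* bit)'; }
csr_san()      { csr_text "$1" | grep -A1 'Subject Alternative Name' | tail -n1; }

if [ "${1:-}" = "run" ]; then   # usage: sh csr_preconfig.sh run
    work=$(mktemp -d)
    make_csr "$work"
    csr_subject "$work/cert.csr"; csr_sig_alg "$work/cert.csr"
    csr_key_bits "$work/cert.csr"; csr_san "$work/cert.csr"
    ls -l "$work/cert.key"
fi
```

Dropping a finished `csr.cnf` into the image before first boot and pointing the regeneration script at it is the part the question asks about; the `cert.csr` that comes out is what gets sent to the CA.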
