Create Self-Signed TLS Certificates

When You Should Do This

If you have an internal/demo/test server where you'd like to encrypt traffic between a client and server, you can create a self-signed certificate. This is not good practice for production servers. Whenever possible, you should request certificates from trusted Certificate Authorities and use a certificate for a verified domain. Unless you have split DNS where your internal domain uses the same domain as the external zone, then this will not be possible.

Create the Self-Signed Certificate

REMEMBER! When you navigate to the service configured with this certificate, the certificate is not going to be trusted.

# I like creating the certificate and key files using the service name
# Certifiacte expires in 10 years (3650 days)
openssl req -new -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out /etc/ssl/service-name.crt -keyout /etc/ssl/service-name.key
chmod 400 /etc/ssl/service-name.key

Defining the Inventory

Defining Group Variables and Protecting Secrets

Example Playbook from Start to Finish

Automating with AWS Secrets Manager

Installing FleetDM Management Server

Adding FleetDM Hosts via Ansible

Adding Default Queries Library

Upgrading Fleet Versions

Troubleshooting

Modify the Wazuh Dashboards Session Timeout

Clustering: Same ZFS Pool on All Nodes

NFS: LXC Backups Permissions Issue (Synology)

Create Self-Signed TLS Certificates

When You Should Do This

Create the Self-Signed Certificate