first pass

content/about.md

@@ -15,6 +15,4 @@ about technology and other passions of mine.
 
 
 
-
-
 Content on this site is [CC-BY-SA](https://creativecommons.org/licenses/by/3.0/)

content/posts/create-your-own-ca-cert.md

@@ -0,0 +1,101 @@
+---
+title: "Creating and Using a CA Certificate"
+description: ""
+date: "2023-01-27"
+tags:
+- SSL
+draft: false
+---
+
+Even though there are plenty of free SSL certificate options, you may need to manage your own SSL certs for various reasons.
+
+Below is how to create a CA certificate and issue certs signed with it, as well as some validation steps to make sure you did everything right.
+
+All examples here use the [openssl](https://www.openssl.org/docs/man1.1.1/man1/) cli tool.
+
+
+## Creating the Certificate Authority's Certificate and Keys
+
+1.  Generate a private key for the CA:
+```sh
+$ openssl genrsa 4096 > ca-key.pem
+```
+
+2.  Generate the X509 certificate for the CA:
+```sh
+    $ openssl req -new -x509 -nodes -days 3650 -sha256 \
+	   -subj "/C=US/ST=CO/O=My Org, Inc./OU=Engineering/CN=ca.example.internal" \
+       -key ca-key.pem \
+       -out ca-cert.pem
+```
+
+## Creating the Server's Certificate and Keys
+
+1.  Generate the private key and certificate request:
+```sh
+$ openssl req -newkey rsa:4096 -nodes -days 3650 -sha256 \ # -newkey if you need a new private key
+	-subj "/CN=mysite.example.internal" \ # exclude this and you will get interactive prompts
+	-keyout server-key.pem \
+	-out server-req.pem
+
+# if you already have a private key
+$ openssl req -new -nodes -days 3650 -sha256 \
+	-subj "/CN=mysite.example.internal" \
+	-key server-key.pem \
+	-out server-req.pem
+
+# if you want to add SANs
+$ openssl req -new -nodes -days 3650 -sha256 \
+	-subj "/CN=mydomain.com" \
+	-reqexts SAN \
+	-config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:test.example.internal,DNS:www.example.internal")) \ # to add SANs
+	-key server-key.pem \
+	-out server-req.pem
+```
+
+
+2.  Generate the X509 certificate for the server:
+
+> `-days` expiration can be no longer than 398 days (13 months) (thanks [Apple](https://support.apple.com/en-us/HT211025))
+> https://www.globalsign.com/en/blog/maximum-ssltls-certificate-validity-now-one-year
+> `-set_serial` is like an ID number for each cert. It must be a positive integer and unique to each cert signed by the CA.
+> `date +%s` prints the current number of seconds since the Epoch (00:00:00 UTC, January 1, 1970). See [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2 "https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2") for details
+
+```sh
+$ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \
+   -in server-req.pem \
+   -out server-cert.pem \
+   -CA ca-cert.pem \
+   -CAkey ca-key.pem
+
+# if you want to add SANs
+$ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \
+	-extfile <(printf "subjectAltName=DNS:my.domain.com") \
+	-in server-req.pem \
+	-out server-cert.pem \
+	-CA ca-cert.pem \
+	-CAkey ca-key.pem
+```
+
+## Verifying the Certificates
+
+1.  Verify the server certificate:
+
+```sh
+    $ openssl verify -CAfile ca-cert.pem \
+       ca-cert.pem \
+       server-cert.pem
+```
+
+2.  Verify the client certificate:
+```sh
+    $ openssl verify -CAfile ca-cert.pem \
+       ca-cert.pem \
+       client-cert.pem
+```
+
+## Verify the certificate's content
+
+```sh
+openssl x509 -in mydomain.com.crt -text -noout
+```

content/posts/golang-makefiles.md

@@ -5,16 +5,16 @@ tags: [make, golang]
 draft: false
 ---
 
-[Make is a build automation tool from the late 70's][make-wiki] that's pretty popular in C and C++ world. Thanks to its age and 
+[Make is a build automation tool from the late 70's][make-wiki] that's pretty popular in C and C++ world. Thanks to its age and
-popularity you can find tons of tutorials and Make is supported on basically every platform out there. I'm going to 
+popularity you can find tons of tutorials and Make is supported on basically every platform out there. I'm going to
 demonstrate how to set up a basic Makefile for Golang projects that will build, lint and test your code.
 
 Make has a few simple rules that make it powerful, it expects that each task you create will be the name of an output file
-on disk. This is nice because if a file already exists with the same name as a task then Make will skip doing the work 
+on disk. This is nice because if a file already exists with the same name as a task then Make will skip doing the work
 for that task.
 
 
-## Building 
+## Building
 
 For example if you create the following `Makefile` below and place it in the root of your project and run `make`, you will
 see a new `hello_world` binary built:
@@ -32,7 +32,7 @@ make: 'hello_world' is up to date.
 
 So lets add a clean command to clean up the build output:
 
-```makefile {linenos=table,hl_lines=["4-5"]}
+```makefile {hl_lines=["4-5"]}
 hello_world:
   go build -o hello_world main.go
 
@@ -40,10 +40,10 @@ clean:
   rm -rf ./hello_world
 ```
 
-One issue here is that the `clean` task will only work as long as there isn't a file in the project also named `clean`. 
+One issue here is that the `clean` task will only work as long as there isn't a file in the project also named `clean`.
 If you want Make to ignore the file system for this task then you can add an entry to the `.PHONY` list:
 
-```makefile {linenos=table,hl_lines=[7]}
+```makefile {hl_lines=[7]}
 hello_world:
   go build -o hello_world main.go
 
@@ -56,7 +56,7 @@ clean:
 ## Testing
 
 Next we can run tests. You can define variables in your makefile that run shell commands for their value. I'm running
-`go list` and filtering out the `vendor` folder so we can run tests for every package in our project. Remember to add 
+`go list` and filtering out the `vendor` folder so we can run tests for every package in our project. Remember to add
 that `test` task to the `.PHONY` list:
 
 ```makefile
@@ -68,11 +68,11 @@ test:
 .PHONY: test
 ```
 
-## Linting 
+## Linting
 
-Now that we can build and test our code, lets try to lint it. My lint tool of choice is [golangci-lint][golangcilint] 
+Now that we can build and test our code, lets try to lint it. My lint tool of choice is [golangci-lint][golangcilint]
-so I like to add an install task that runs `go get` to install it. To do this I take advantage of a Make feature called 
+so I like to add an install task that runs `go get` to install it. To do this I take advantage of a Make feature called
-prerequisite tasks, where you can list tasks that are required to execute before another task runs. This makes it easy 
+prerequisite tasks, where you can list tasks that are required to execute before another task runs. This makes it easy
 to set up the install task as a dependency of our `lint` command, ensuring its installed every time we run it:
 
 ```makefile
@@ -94,7 +94,7 @@ your commands in. The `-euo pipefail` runs your commands in a type of [strict mo
 errors as they happen and make your life debugging shells scripts generally much easier.
 
 ```makefile
-.SHELLFLAGS := -euo pipefail 
+.SHELLFLAGS := -euo pipefail
 PKGS := $(shell go list ./... | grep -v vendor)
 LINT_BIN := $(GOPATH)/bin/golangci-lint