In many cases, it's preferable to use self-signed SSL certificates for internal applications to avoid the cost of one signed by an external certificate authority. Unfortunately, some clients and services won't recognize a self-signed certificate as trusted. In particular, this affects service hooks that POST to external services using self-signed certificates: if the appliance can't validate the certificate, the payload delivery fails. To avoid problems with service hook payload deliveries, follow the steps below to issue your internal certificates from your own root CA and install that root CA certificate on your GitHub Enterprise appliance.
Create a root CA certificate
To begin with, you need to generate the root CA key (this is what signs all issued certs). Keep this key private and off the servers that merely use certificates: anyone holding it can issue certificates that every machine trusting your root CA will accept.
openssl genrsa -out rootCA.key 2048
Generate the self-signed root CA certificate with the key previously generated. The -days value is the root's own validity period; when it expires you'll have to reissue and reinstall it everywhere, so many sites give the root a longer lifetime than the host certificates it signs:
openssl req -x509 -new -nodes -key rootCA.key -days 365 -out rootCA.crt
You can install this certificate (rootCA.crt, not rootCA.key) on all machines that will be communicating with services using SSL certificates generated by this root certificate. Typically, you'll want to install this on all of the servers on your internal network.
Generating additional certificates
Once you have the root CA certificate generated, you can use that to generate additional SSL certificates for other sites and services (e.g., Jenkins, internal web services or sites, etc).
To create an SSL certificate you can use for one of your services, the first step is to create a certificate signing request (CSR). To do that, you need a key (separate from the root CA key you generated earlier). To generate a key, run the following:
openssl genrsa -out host.key 2048
Now a CSR can be generated:
openssl req -new -key host.key -out host.csr
Make sure the Common Name (CN) is set to the FQDN, hostname or IP address of the machine you're going to put this on. Note that most current TLS clients match the server name against the Subject Alternative Name (SAN) extension and ignore the CN, so when you sign the certificate in the next step you should also add a subjectAltName extension (for example via an extension file passed with -extfile) carrying the same DNS name or IP address.
The next step is to take the CSR and generate a signed certificate using the root CA certificate and key you generated previously. The -CAcreateserial option creates a serial number file (rootCA.srl) next to the CA certificate if it doesn't exist yet; later signings reuse and increment it so that every certificate gets a distinct serial.
openssl x509 -req -in host.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out host.crt -days 365
Now you have an SSL certificate (in PEM format) called host.crt. This is the certificate you want your services to use, together with its private key host.key.
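The whole sequence above as one runnable script, added here as an example and not part of this article or of GitHub's tooling. It builds the root CA, issues a host certificate that also carries a subjectAltName (so that clients which ignore the CN still accept it), and then verifies the result against the root the way a client would. The CA name "Example Internal Root CA", the host name jenkins.example.internal and the address 10.0.0.12 are made-up values.

```shell
#!/bin/sh
# Added example (not from the original article): internal root CA plus a
# host certificate with a SAN, verified against the root. The CA name, host
# name and IP used here are illustrative placeholders.

# make_internal_ca DIR: create rootCA.key and rootCA.crt in DIR.
make_internal_ca() {
  dir=$1
  # Root key: keep it private; whoever holds it can mint trusted certificates.
  openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null || return 1
  # Self-signed root. Roots normally outlive the leaf certs they sign.
  openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 3650 \
    -subj "/CN=Example Internal Root CA" -out "$dir/rootCA.crt" 2>/dev/null || return 1
}

# issue_host_cert DIR HOSTNAME [IP]: host key, CSR, SAN extension file, signed cert.
issue_host_cert() {
  dir=$1; host=$2; ip=${3:-}
  openssl genrsa -out "$dir/host.key" 2048 2>/dev/null || return 1
  # CN set to the host name, as the article says; -subj avoids the interactive prompts.
  openssl req -new -key "$dir/host.key" -subj "/CN=$host" -out "$dir/host.csr" 2>/dev/null || return 1
  # Current clients check subjectAltName and ignore CN, so repeat the name (and any
  # IP) as SAN entries at signing time. Marking the leaf CA:FALSE keeps it from being
  # usable as an intermediate CA.
  san="DNS:$host"
  [ -n "$ip" ] && san="$san,IP:$ip"
  printf 'subjectAltName=%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$san" > "$dir/host.ext"
  openssl x509 -req -in "$dir/host.csr" -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" \
    -CAcreateserial -extfile "$dir/host.ext" -sha256 -days 365 \
    -out "$dir/host.crt" 2>/dev/null || return 1
}

# verify_host_cert DIR HOSTNAME: chain check plus host-name match against the root,
# then confirm the SAN really is present in the issued certificate. Prints "ok".
verify_host_cert() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/rootCA.crt" -verify_hostname "$host" \
    "$dir/host.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/host.crt" -noout -text | grep -q "DNS:$host" || return 1
  echo ok
}

# demo_internal_ca HOSTNAME [IP]: run the three steps in a scratch directory.
demo_internal_ca() {
  host=$1; ip=${2:-}
  dir=$(mktemp -d) || return 1
  make_internal_ca "$dir" && issue_host_cert "$dir" "$host" "$ip" && verify_host_cert "$dir" "$host"
  status=$?
  rm -rf "$dir"
  return $status
}
```

Run `demo_internal_ca jenkins.example.internal 10.0.0.12` to exercise the flow; in real use, point the functions at a directory you keep, copy host.crt and host.key to the service and rootCA.crt to the appliance and to every other client. The `openssl verify -verify_hostname` step is the check worth keeping around: it reports the same failure a service hook delivery would hit if the chain or the name did not match.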
Install your root CA certificate on your appliance
Use your admin SSH user to scp the rootCA.crt file you generated earlier to your Enterprise appliance:
scp rootCA.crt admin@enterprise-hostname:/home/admin
That will put the rootCA.crt file in the directory you're in when first logging in as your admin user. Now log in as your admin user and run this to install the certificate on your appliance:
ghe-ssl-ca-certificate-install -c rootCA.crt
After you've run that, your generated root CA certificate will be installed as a trusted CA for the system, and service hook deliveries to hosts presenting certificates issued by it will validate.