Docs

Documentation

How to use our services.

Introduction

We provide SSL/TLS certificates for local infrastructure, to ensure protection for all your assets.

We do not provide certificates for websites accessible to the public. You can get one using Gandi 🇫🇷 or Let's Encrypt.

We provide certificates for :

VPN to ensure server authentification and integrity as well as client authentification and integrity.
Local websites to ensure security over the local network and avoid browser warnings.
Emails to ensure authentification, integrity and security for exchanges.

VPN certificates

This document is based on OpenVPN but you can use another VPN service. If you use Linux, you can download it using: # apt install openvpn

SSL/TLS ensures protection using a TLS handshake and ensures authentification and integrity by validating the server identity as well as client identity. You can create a server certificate (like websites one) and client certificate to ensure that all clients are allowed to access the VPN network. In OpenVPN 2.6, server configuration must follows :


tls-server
verify-client-cert require #Require all clients to have a certificate
remote-cert-tls client
ca ca_file.pem #File containing the SSL VPN Root certificate, accessible in files

cert yourcert.pem #Your certificate created

key yourkey.pem #Your private key of the certificate

Your private key must be kept secret and must not be shared, even with us. On your server, it should only be accessible to root. You can also check OCSP status using the script available in FAQ. Without it, your server cannot check if you revoke the certificate online! You can create certificates for up to a year depending on your plan.

Server/Web certificates

You can use our certificates to provide local access to websites. As we only deliver certificates for local websites, you can only create a common name ending with .local. Those domains are restricted to local web and cannot be accessible in the web. Therefore, you can use the name you want. You then just need to import the full certificate and the key to your webserver. For example on Apache :


SSLEngine on

SSLCertificateFile path/to/fullcert 

SSLCertificateKeyFile path/to/key

Then restart Apache and try to connect using https://. If you get an error saying "The root certificate is not known", it is working but you need to import TLS VPN certificates on your browser in Settings->Certificates->Import.

Email certificates

You can use email certificates to ensure that your SMTP server only accepts emails sent from a valid certificate. You can import your certificates in your email sender in Settings and set SMTP validation in your SMTP server.