$ /bin/cormier --tagline

Following up from my recent post on a NAS device I had built and used for Linux containers, I had built using a Synology NAS. I have since added more memory to the device, maxing out the memory that the vendor supported 16GB. I have seen unsupported configuration with 20GB on the internet, I have not ventured into this area yet.

I have also migrated what resources and containers I had in Docker to be managed by Terraform, HashiCorp’s Infrastructure as Code (IaC) tool. Which was a lot of re-creating of what I already had created, Docker volumes, images, and containers.

I backed up current volume data to restore. Grafana and InfluxDB. Now all Docker resources are done through Terraform configuration and kept in source repository.

Setting up BIND can be a challenge in of itself. Interfaces can be make things easier, but it isn’t always quiet obvious how-to go about achieving what you want, and still require some knowledge of BIND/named configuration.

As with OPNsense DNS plugin, can be quite tricky to get right. This post is how I got my internal domain, hq.cormier.co, setup in OPNsense, complete with reverse zones.

I recently purchased a Synology DS920+ NAS to use as a host for Linux containers and manage it via the Docker API and Terraform. This post is how I got the device to do exactly that. As to the name of the device, it is named after a ReBoot character.

I have been doing some work with security certifcates lately and had the chance to document the creation of PKCS12/PFX archives using command line tools without first having CSR/private key in a key store.

Most are familar with the following work flow of obtaining a security certificate…

• Generate Certificate Signing Request (CSR)
  • This generates a private key (sometimes out of interface scope)
• Submit CSR to Certificate Authority (CA) for certificate generation
  • Internal Windows CA - certsrv
  • Public CA like - GoDaddy
• Retrieve certificate bundle from CA
• Import into keystore used to create CSR
  • The private key lives here (sometimes with no interface to manage, Windows for example)
• Export PFX archive that includes certificate, private key, and CA certificate(s) protected with password
  • Include private key in the export

Voila! PFX Archive!

But… if you have the private key on a file system some where and not in a key store (Windows or Java), the work flow changes.

Note: Remeber to password protect any export of certificates with private keys with strong passwords

To bundle those together in a PKCS12/PFX archive file you can use OpenSSL command line tool, I am sure there are others. Available on all major flavors of Linux and installable other operating systems.