Proper way to sign cert from a domain CA?

Status
Not open for further replies.

implode

Cadet
Joined
Aug 1, 2015
Messages
8
The doco on this is very vague. I spent a few hours on this yesterday. I simply want to create a CSR and sign it by our Windows domain CA. Our security team and vuln scanner flag self-signed certs and they're just going to make me fix it later anyways.

I have found nothing about importing a chain... and the only other way to complete the chain is to import the root CA cert with a key and password? We don't exactly keep that hanging around for obvious reasons.........

Can someone give me a hand?

thanks!
 

implode

Cadet
Joined
Aug 1, 2015
Messages
8
Thanks Mirfster. It helped a bit... but had one major epiphany. Without the ability to chain - FreeNAS would require the private key to be imported with my root cert. So is it more important to have a non self-signed cert or is it too risky to have our root cert + private key sitting on the FreeNAS box. I guess I'll hold off for now.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I'm not sure how relevant my experience is, but FWIW, I've obtained a cert from Let's Encrypt for my FreeNAS box. To configure the FreeNAS box, I pasted in the "fullchain.pem" contents (which consist of the intermediate CA cert plus my server's cert) in the Certificate field, and my server's private key in the Private Key field. I did not import the CA at all, and really don't see the purpose of doing so.
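
The CSR flow discussed in this thread, as an added example that is not part of any post: the server generates its own key and CSR, the CA signs the CSR, and only the signed certificate (plus the CA's public certificate for the chain) comes back. It assumes the OpenSSL command-line tool; a throwaway CA stands in for the Windows domain CA, and all names and file paths are constructed placeholders.

```shell
#!/bin/sh
# Added illustration. A throwaway CA stands in for the domain CA so this runs
# offline; "Example Root CA" and nas.example.internal are constructed names.

# Scratch CA (assumption: in real use this already exists on the CA server).
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Step 1, server side: private key plus CSR. Only nas.csr is sent to the CA.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=nas.example.internal" \
        -keyout "$1/nas.key" -out "$1/nas.csr" 2>/dev/null
}

# Step 2, CA side: sign the CSR. ca.key is used here and nowhere else.
sign_csr() {
    openssl x509 -req -in "$1/nas.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/nas.crt" 2>/dev/null
}

# Step 3: pre-install check. Succeeds only if nas.crt chains to ca.crt and
# nas.key is the key the certificate was issued for.
check_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/nas.crt" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$1/nas.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$1/nas.key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# True when issuer equals subject, i.e. the certificate is self-issued.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Demo run: the CA key is deleted before the check to show it is not needed.
d=$(mktemp -d) && make_demo_ca "$d" && make_csr "$d" && sign_csr "$d" \
    && rm "$d/ca.key" && check_cert "$d" && ! is_self_signed "$d/nas.crt" \
    && echo "nas.crt chains to ca.crt and matches nas.key"
rm -rf "$d"
```

The files that end up on the server are `nas.crt` and `nas.key`, with `ca.crt` (public certificate only) appended to the certificate if clients need the chain.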
 