Own CA for Intranet server Certificate does not work

Discussion in 'General' started by muekno, Sep 30, 2021.

  1. muekno

    muekno Member HowtoForge Supporter

    I followed this series https://www.assono.de/blog/zweistufige-ca-infrastruktur-ein-server-zertifikat-erstellen to make my own CA, with my names, imported this to my Mac OS X 10.14.6 and made it trusted. Checked every step as in the description.
    Created a server certificate signed by the CA and created a web site with ISPConfig 3.2.6 and in the SSL tab copied the certificate and the chain to the corresponding fields, everything from ---begin... to ----end..., and saved after selecting the save option from the drop down. It's described here too: https://www.namecheap.com/support/knowledgebase/article.aspx/10153/14/generating-a-csr-on-ispconfig/
    When I try to open my site with https: (with Chrome or Safari) I get connection errors, http works.
    I also tried a certificate made by ISPConfig on a second site, same problem.
    Can anybody help me? Thanks
    Rainer

    the error message
    Diese Website kann keine sichere Verbindung bereitstellen
    test.muekno.de hat eine ungültige Antwort gesendet.

    ERR_SSL_PROTOCOL_ERROR
     
    Last edited: Sep 30, 2021
  2. muekno

    muekno Member HowtoForge Supporter

    In the meantime I tried another solution https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/ that works better. I can go to the web site but I still get the warning. Exploring the certificate I see my root, marked as trusted by my Mac, and below it the server certificate. From that everything looks good.
    But there must be a possibility to get a trusted certificate for an internal server from an own root CA that works without browser warnings.
    Rainer
     
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I think the browser warning will always be there for your case of an own root CA and I think there is no other possibility except for you to accept and save it.
     
  4. muekno

    muekno Member HowtoForge Supporter

    According to the first, the assono solution, and to others there must be a solution. In a lot of cases, big companies, universities etc., there will be intranet web servers and other things with which you will communicate via https for security reasons. But the devices should not be reachable over the internet, so there is no possibility to get a Let's Encrypt certificate and it is not economical to buy certificates from someone providing a trusted CA.
    In these cases normally a private CA is created, the certs are provided to be downloaded by the users to be imported into their browsers, OS etc.

    So if anyone here has a working solution please let me know, a link, tip etc. will be appreciated
    Rainer
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    The only free solution I know is LE but for that the device(s) must be connected to the internet, though they do not necessarily have to use the http challenge to obtain their SSL certs as the dns challenge is also available to do the same and more, including wildcard SSL certs.

    The other way may be the use of a proxy with or without the combination of the dns challenge, but my knowledge and experience with proxies is very limited, especially in terms of using them for obtaining LE SSL certs.
     
  6. muekno

    muekno Member HowtoForge Supporter

    Partial success.
    I followed https://gist.github.com/Soarez/9688998
    created a CA and a wildcard cert and a chain for my domain
    entered the key, cert and chain in the test website created with ISPConfig
    installed Firefox as it has its own CA store and added the created CA and made it trusted.
    Called the test website with https, it opened without any warning, looked at the certificate, the CA was marked OK and trusted, the wildcard certificate too.
    Then converted the PEM formatted CA cert to pfx (OS X needs this) and imported it in the keychain and marked it trusted. Then I opened the website with Safari, everything OK, opens without a warning; examining the certs, the root cert is marked OK and trusted, the wildcard cert is marked trusted.
    Added the key, cert and chain to my other internal websites, can open them without any warning from Firefox and Safari.
    But if I try to open any of them with Chrome (Chrome uses the OS X keychain as well, so far as I know) it gives me a warning until I come to the website.
    And it shows me an insecure site. But if I examine the cert in Chrome it tells me the CA is valid and trusted and the wildcard cert is valid.
    What the heck is going wrong there?
    Thanks for any hint
    Rainer
     
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I came across this YouTube video recently and I think what you are trying to achieve is mentioned in there.

    The only gotcha that I can see is your networks must go under the same pfSense, meaning that they are managed and accessed locally, not externally.
     
  8. muekno

    muekno Member HowtoForge Supporter

    Finally found a working solution at https://gist.github.com/Soarez/9688998
    but used the modified version from the comment "MacCliF commented on 10 May 2020".
    You just have to enter your data.
    You just have to do this for the CA part.
    To simplify creating server certs I created the following script. Important: I used .cnf instead of .conf as the extension, so you should recognize this in the CA part.
    Once the CA is created you must import it into your host OS and make it trusted for browsers like Safari or Chrome etc., and into the browser itself for Firefox etc. If you have OS X you have to convert it to .pfx
    Code:
    openssl pkcs12 -in your_name-ca.crt  -export -nokeys -out your_name-ca.pfx
    Here is the script
    Code:
    #! /bin/bash
    # Script to generate SSL certificates signed by a private CA
    # We need this to avoid browser warnings when accessing intranet
    # websites via SSL
    # This is based on https://gist.github.com/Soarez/9688998
    # and the comment from "MacCliF commented on 10 May 2020"
    # who compressed the base tutorial to the necessary steps and
    # added .cnf files to make everything easier
    # As the CA has to be created only once I did not make an extra script
    # to create the CA and you should refer to the referenced article
    
    # first we need to get all information
    echo -e "\033[1m"
    echo -e "\033[31mYou are about to generate a new server certificate"
    echo -e "is that what you want, continue (y/N) \033[0m"
    read ok
    if [ "$ok" != "y" ] ; then
            echo -e "\033[31mleaving script!\033[0m"
            exit 1
    fi
    # \033[0m resets colour and bold; \033[30m would force black text, invisible on dark terminals
    echo -e "\033[1mYou will be asked for all needed information\033[0m"
    echo -e "\033[1mEnter Servername: [test]\033[0m"
    read server_name
    server_name="${server_name:-test}"          # fall back to the shown default
    echo -e "\033[1mEnter Domain: [example]\033[0m"
    read domain_name
    domain_name="${domain_name:-example}"
    echo -e "\033[1mEnter TLD: [org]\033[0m"
    read tld_name
    tld_name="${tld_name:-org}"
    # all files are named server_domain_tld.<ext>; the host name is server.domain.tld
    base_name="${server_name}_${domain_name}_${tld_name}"
    host_name="${server_name}.${domain_name}.${tld_name}"
    # check certificate exists
    if test -f "$base_name.crt" ; then
            echo -e "\033[31m Certificate for $host_name exists\033[0m"
            echo -e "\033[31m leaving script\033[0m"
            exit 1
    else
            echo ""
            echo "Filenames created will be"
            key_filename="$base_name.key"
            echo "$key_filename"
            csr_filename="$base_name.csr"
            echo "$csr_filename"
            crt_filename="$base_name.crt"
            echo "$crt_filename"
            req_filename="req.$base_name.cnf"
            echo "$req_filename"
            bundle_filename="$base_name.bundle.crt"
            echo "$bundle_filename"
            echo -e "your full server name is:\033[32m"
            echo "$host_name"
            echo -e "\033[0m"
            echo "correct? [y/N]"
            read ok
            if [ "$ok" != "y" ] ; then
                    echo -e "\033[31mleaving script!\033[0m"
                    exit 1
            else
                    echo -e "\033[31mcontinue creating certificate\033[0m"
            fi
    fi
    # write the OpenSSL request config; the key is generated unencrypted into $key_filename
    # adjust the distinguished name (C, ST, L, O, OU) to your data
    echo "[ req ]" > "./$req_filename"
    echo "default_bits = 2048" >> "./$req_filename"
    echo "default_keyfile = $key_filename" >> "./$req_filename"
    echo "encrypt_key = no" >> "./$req_filename"
    echo "default_md = sha256" >> "./$req_filename"
    echo "prompt = no" >> "./$req_filename"
    echo "utf8 = yes" >> "./$req_filename"
    echo "distinguished_name = my_req_distinguished_name" >> "./$req_filename"
    echo "[ my_req_distinguished_name ]" >> "./$req_filename"
    echo "C=DE" >> "./$req_filename"
    echo "ST=Bayern" >> "./$req_filename"
    echo "L=Rednitzhembach" >> "./$req_filename"
    echo "O=IB Mueller-Knoche" >> "./$req_filename"
    echo "OU=IT" >> "./$req_filename"
    echo "CN=$host_name" >> "./$req_filename"
    # extensions for an end-entity server certificate
    echo "[ my_extensions ]" >> "./$req_filename"
    echo "keyUsage=critical, digitalSignature, keyEncipherment" >> "./$req_filename"
    echo "basicConstraints=critical,CA:FALSE" >> "./$req_filename"
    echo "extendedKeyUsage=critical,serverAuth" >> "./$req_filename"
    # take the SAN list from the section below; browsers require the host in the SAN, CN alone is not enough
    echo "subjectAltName=@my_subject_alt_names" >> "./$req_filename"
    echo "subjectKeyIdentifier = hash" >> "./$req_filename"
    echo "[ my_subject_alt_names ]" >> "./$req_filename"
    echo "DNS.1 = $host_name" >> "./$req_filename"
    echo "create CSR file"
    #echo openssl req -new -out "$csr_filename" -config "$req_filename"
    openssl req -new -out "$csr_filename" -config "$req_filename"
    echo "create CRT file"
    # sign.ca.cnf is the CA config created in the CA part (see the referenced gist comment)
    #echo openssl ca -config sign.ca.cnf -extfile "$req_filename" -extensions my_extensions -out "$crt_filename" -infiles "$csr_filename"
    openssl ca -config sign.ca.cnf -extfile "$req_filename" -extensions my_extensions -out "$crt_filename" -infiles "$csr_filename"
    echo "create bundle"
    # server cert followed by the CA cert; replace mueller-knoche-ca.crt with your own CA cert file name
    #echo cat "$crt_filename" mueller-knoche-ca.crt > "$bundle_filename"
    cat "$crt_filename" mueller-knoche-ca.crt > "$bundle_filename"
    
    I tested this with certificates for different domains. That means the CA works for any domain. All you have to do is enter the SSL key, the SSL crt and the SSL bundle in the fields on the SSL tab in ISPConfig, select save certificate in the drop down box and click Save.
    Hope this will be useful to somebody

    Rainer
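    Posts 6 and 8 above both turn on whether a certificate from a private CA carries the extensions browsers actually check. Chrome ignores the CN and requires the host name in subjectAltName, which is one common reason a certificate can look "valid and trusted" in the certificate viewer and still produce a warning. The following is an added example, not code from this thread or from the gist it references: it builds a throwaway root CA and a server certificate with the openssl CLI (assumed to be installed), then runs the checks a browser performs (SAN present, CA:FALSE, serverAuth EKU, chain and hostname verification against the CA). All names (Example Private Root CA, Example Org, intranet.example.test, legacy.example.test) and file names are placeholders; openssl x509 -req is used for signing instead of openssl ca so that no CA database is needed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): private CA + server cert with the
# extensions browsers require, plus the checks a browser performs.
# Assumes the openssl CLI; all names and paths are placeholders.
set -eu

# Create a self-signed root CA in directory $1.
make_private_ca() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = Example Private Root CA
O = Example Org
[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -config "$dir/ca.cnf" \
    -days 3650 -sha256 -out "$dir/ca.crt"
}

# Issue a server cert for host $2, signed by the CA in $1.
# Pass "no" as $3 to omit the subjectAltName (reproduces the "trusted CA but still a warning" case).
issue_server_cert() {
  dir=$1; host=$2
  san_line="subjectAltName = DNS:$host"
  [ "${3:-yes}" = yes ] || san_line="# no subjectAltName on purpose"
  cat > "$dir/$host.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = $host
O = Example Org
[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
$san_line
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/$host.key" 2>/dev/null
  openssl req -new -key "$dir/$host.key" -config "$dir/$host.cnf" -out "$dir/$host.csr"
  # sign with the CA; extensions come from the request config, not from the CSR
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/$host.cnf" -extensions server_ext \
    -out "$dir/$host.crt" 2>/dev/null
  # bundle = server cert followed by CA cert, the form the ISPConfig SSL tab takes
  cat "$dir/$host.crt" "$dir/ca.crt" > "$dir/$host.bundle.crt"
}

# Check $1/$2.crt the way a browser would; returns 1 with a reason on failure.
verify_server_cert() {
  dir=$1; host=$2
  text=$(openssl x509 -in "$dir/$host.crt" -noout -text)
  # Chrome ignores the CN: the host must appear in subjectAltName
  printf '%s\n' "$text" | grep -qF "DNS:$host" || { echo "$host: host not in subjectAltName" >&2; return 1; }
  printf '%s\n' "$text" | grep -qF "CA:FALSE" || { echo "$host: not an end-entity cert" >&2; return 1; }
  printf '%s\n' "$text" | grep -qF "TLS Web Server Authentication" || { echo "$host: no serverAuth EKU" >&2; return 1; }
  # chain and hostname verification against the private root
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" "$dir/$host.crt" >/dev/null || return 1
}

if [ "${1:-}" = demo ]; then
  work=$(mktemp -d)
  make_private_ca "$work"
  issue_server_cert "$work" intranet.example.test
  verify_server_cert "$work" intranet.example.test && echo "intranet.example.test: OK"
  issue_server_cert "$work" legacy.example.test no
  verify_server_cert "$work" legacy.example.test || echo "legacy.example.test: a browser would warn"
fi
```

    Run it as `sh script.sh demo`. The second certificate is issued without a SAN on purpose: openssl verify still accepts it because OpenSSL falls back to the CN, but the SAN check fails, which is the same split behaviour as a browser that shows the CA as trusted and still warns. Point the verify function at the .crt file you entered into ISPConfig to check a certificate produced by the script in the post.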
     
  9. muekno

    muekno Member HowtoForge Supporter

    Securing an intranet ISPConfig panel: Create a certificate with the above method. Replace the content of ispserver.key in /usr/local/ispconfig/interface/ssl/ with the content of the created private key, and the content of the cert in /etc/ssl/certs/ that the link /usr/local/ispconfig/interface/ssl/ispserver.crt points to with your newly created cert. Restart Apache and close and reopen the panel. You will see a trusted site.
    Hope it will be useful for someone

    Rainer
     
