OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: mayo on September 18, 2017, 01:43:52 pm

Title: certificate for Firefox Certificate Internal
Post by: mayo on September 18, 2017, 01:43:52 pm
Hi everybody, I'm a new user; I installed OPNsense at home on an APU 2c4d board. Everything works fine (a simple installation for now, just DHCP and some rules). I would like to create a certificate for the management web page reached on the internal LAN. Every time I try to log in, Firefox tells me that it can't validate the certificate, and I can't import it either. Is there any step-by-step guide to get my internal browser(s) to trust it? Thank you so much!
Title: Re: certificate for Firefox Certificate Internal
Post by: franco on September 18, 2017, 02:02:18 pm
Hi there,

For the web GUI itself or the web proxy?


Cheers,
Franco
Title: Re: certificate for Firefox Certificate Internal
Post by: mayo on September 18, 2017, 02:17:29 pm
Hi Franco, just for the web GUI, for the moment I have the web proxy disabled.
Thank you!
Title: Re: certificate for Firefox Certificate Internal
Post by: franco on September 19, 2017, 06:49:39 am
Hi mayo,

The normal web GUI certificate is self-signed, which means you can only import the certificate itself into your local store to make the warning go away (or set e.g. Firefox to "permanently" accept).

You could also create a new CA from System: Trust: Authorities, create a new certificate from it under System: Trust: Certificates, and use that certificate as the web GUI one via System: Settings: Administration. With a CA, you can install the CA in your local store for the client(s) so that all certificates by this CA are trusted now and in the future.

You can also get a real certificate from a vendor or Let's Encrypt (we have a plugin under System: Firewall: Plugins named "os-acme-client"). Manual certificates are imported under System: Trust: Certificates, or you could do a Certificate Signing Request from there. The Let's Encrypt plugin automatically creates, imports and renews certificates, but it's a bit over the top for a small install where you only want local access for that one box.

Hope this helps.


Cheers,
Franco
Title: Re: certificate for Firefox Certificate Internal
Post by: mayo on September 19, 2017, 12:13:22 pm
Hi Franco, thank you for the reply!
Firefox doesn't let me download the default certificate locally.
I will try making a new internal CA as soon as I get home, as you suggested in point 2.   ;)

Title: Re: certificate for Firefox Certificate Internal
Post by: fabian on September 19, 2017, 12:15:45 pm
The CA has the advantage that you can use it in the proxy too ;)
Title: Re: certificate for Firefox Certificate Internal
Post by: mayo on September 28, 2017, 04:19:30 pm
Hi, I followed your advice to add a CA and create a certificate. Everything works fine in OPNsense, and I added the certificate to the OS X keychain, but Firefox doesn't recognize it  :'(
Title: Re: certificate for Firefox Certificate Internal
Post by: fabian on September 28, 2017, 04:33:18 pm
@mayo:

Firefox has its own certificate store and does not use the system store. You have to import the certificate into both.
Title: Re: certificate for Firefox Certificate Internal
Post by: mayo on September 29, 2017, 08:44:19 am
@fabian perfect, I'll do it in the afternoon! Thanks!
Title: Re: certificate for Firefox Certificate Internal
Post by: andreab on November 30, 2017, 02:59:04 am
Hi!

I had to fiddle a bit to get this to work but I think I nailed it. :-)

Franco - thank you for your explanation, it's been the best I could find so far.

I want to extend a bit on what I did exactly in case that might help someone else in my situation.


1) I created my internal self-signed CA (under System: Trust: Authorities).
2) Then under "System: Trust: Certificates" I chose "Create an internal Certificate", selecting "Server Certificate" as Type and selecting the CA created at step 1).
3) I exported the CA certificate created at step 1) to my Linux system, but that was not enough, as Firefox seems to use a separate store for the CA, so I had to import it into Firefox separately too.
4) Switched the SSL certificate used for HTTPS under "System: Settings: Administration" to the one newly created at step 2), and saved.


Hope it helps.

Regards,
Andrea
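The following is an added example, not code from this thread or from the OPNsense project. It rebuilds Franco's suggestion and Andrea's steps 1 to 3 with plain openssl on a workstation, so you can see what the GUI produces at each step and check the chain the way a browser does, before and after the CA is trusted. The hostname opnsense.home.lan, the LAN address 192.168.1.1, the CA name "Home Lab CA" and the Firefox profile path are assumptions; substitute your own. One detail the thread does not spell out: Firefox matches the URL against the certificate's subjectAltName, not its CN, so the GUI name (and, if you browse by address, the LAN IP) must be in the certificate's alternative names, which the OPNsense certificate form also lets you add.

```shell
#!/bin/sh
# Added example, not from the thread or the OPNsense project: rebuild the same
# CA -> server-certificate -> trusting-client chain with openssl on a workstation,
# so each piece created under System: Trust can be inspected and verified.
# Hypothetical values (assumptions): GUI name opnsense.home.lan, LAN IP 192.168.1.1,
# CA name "Home Lab CA". Replace them with your own.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_NAME="Home Lab CA"
GUI_HOST="opnsense.home.lan"
GUI_IP="192.168.1.1"

# Step 1: internal CA (what System: Trust: Authorities creates).
# basicConstraints CA:TRUE plus keyCertSign is what lets a browser use it as a CA.
make_ca() {
    cat >"$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $CA_NAME
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: server certificate signed by that CA (System: Trust: Certificates,
# type "Server Certificate"). Browsers match the URL against subjectAltName,
# not the CN, so the GUI hostname and the LAN IP both go into the SAN.
make_server_cert() {
    cat >"$WORK/srv.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $GUI_HOST
[v3_req]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$GUI_HOST, IP:$GUI_IP
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/srv.cnf" -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$WORK/srv.cnf" -extensions v3_req \
        -out "$WORK/srv.crt" 2>/dev/null
}

# What a client sees BEFORE the CA is imported: no trusted root for the chain.
# Returns non-zero, which is the "can't validate the certificate" error in the browser.
verify_without_ca() {
    openssl verify "$WORK/srv.crt" >/dev/null 2>&1
}

# What a client sees AFTER the CA is imported: the chain verifies against ca.crt
# and the certificate carries the GUI name. Prints "ok" on success.
verify_with_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/srv.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$WORK/srv.crt" -noout -text | grep -q "DNS:$GUI_HOST" &&
    echo ok
}

# Step 3: trust the CA on the client. Firefox keeps its own NSS database, so the
# OS keychain alone is not enough; certutil (libnss3-tools / nss) writes into the
# profile. Trust flags "C,," = trusted CA for TLS server certs. Import ca.crt, not srv.crt.
install_ca_firefox() {   # usage: install_ca_firefox ~/.mozilla/firefox/xxxxxxxx.default
    certutil -d "sql:$1" -A -t "C,," -n "$CA_NAME" -i "$WORK/ca.crt"
}
# macOS system keychain (the "OS X keychain" step in the thread; covers Safari/Chrome):
#   sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$WORK/ca.crt"

# Step 4 stays in the GUI: System: Settings: Administration, select the server certificate.
make_ca
make_server_cert
echo "CA and server certificate written to $WORK"
openssl x509 -in "$WORK/srv.crt" -noout -subject -issuer
verify_with_ca
```

Run it once to see the two outcomes side by side: `verify_without_ca` fails exactly as Firefox does on first contact, and `verify_with_ca` succeeds once ca.crt is the trust anchor. Only the CA certificate is distributed to clients; ca.key stays on the firewall (or wherever you generated it), because anyone holding it can mint certificates every client that trusts the CA will accept, including for the proxy use fabian mentions.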