OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: qinohe on July 02, 2018, 09:19:11 pm

Title: How to create self signed trusted chains
Post by: qinohe on July 02, 2018, 09:19:11 pm
Hello all,


A little guide for home 'sensers' not willing to buy CRTs or make use of free ones, or not able to do so.

Set up a chain of trust for your OPNsense and use OPNsense to do that for other local network services.

Though it's not complicated, back up before you proceed.

Once done, the OPNsense chain contains only one self-signed CRT: the root CA, which is never exposed.
The number of self-signed CAs and signed intermediates is up to you of course; always keep the chain in mind... and the common name...
Use understandable descriptions for your CRTs.

====================
Right, let's start the fun part.
First go to trust/Authorities and create an internal CA.
This will be the root CA. It does nothing besides signing intermediate CAs; we neither expose nor abuse this one.

Now create a second CA, signed by the first one you created, and make it an intermediate.
This intermediate will sign the CRT for the OPNsense webserver.

Head to trust/Certificates and create the server CRT, use the intermediate to sign it.

Head back to Authorities and download the intermediate CRT, then open your browser preferences and head to certificates/Authorities.
Import the intermediate CA CRT you just saved; you still need to mark it as trusted.

Go to system/settings/Administration and set the dashboard to use the newly installed CRT for the webgui.
Remove any old OPNsense CRT from your browser and restart it (I don't know if this step is actually necessary).
Open up the OPNsense dashboard and be presented with a secure site, trusted by you and therefore by your browser.


============
Nextcloud users:
Your Nextcloud server is in a local/lab environment.
This one is a little trickier than the previous one.
The OPNsense system CRT store knows nothing about the self-signed CAs, intermediates etc. you created in the OPNsense GUI.
Using self-signed CRTs for the backup to Nextcloud can be done roughly the same way we did for OPNsense.
In this case you need to add the root CA to the OPNsense CRT store 'ca-root-nss.crt',
and not the intermediate, otherwise you would get something like 'verify_result 2',
which means the issuer is unknown because of an incomplete chain --> the root CA is missing in this case.

There is no need to expose your OPNsense root CA; create at least the following chain:
'CA --> intermediate-CA --> server-crt.'
Download the CA.crt from OPNsense, upload it back to OPNsense (do it safely, using something like SCP at least) and add it to the store, like this:
'cat nextcloud-CA.crt >> /usr/local/share/certs/ca-root-nss.crt'.
You can't use 'cp' because it needs to be appended to the existing CRT bundle, which is a single file.

Upload the *.p12 server CRT archive from OPNsense to your Nextcloud server.
Extract the archive into a single PEM file: '#openssl pkcs12 -in nextcloud-crt.p12 -out nextcloud-crt.pem -nodes'
Now create the CRT from the PEM: '#cp nextcloud-crt.pem nextcloud-crt.crt'
Point your webserver to use the CRT; no need to add the key separately, it's included in the CRT.
If you don't want this, check some guides ;)
Some sane permissions: '400' (read only for the owner) is sufficient, no one needs to change it.
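The chain from the first part (root CA --> intermediate --> server CRT), the 'verify_result 2' you get when only the intermediate sits in the store, and the .p12 extraction above, reproduced with plain OpenSSL as an added example (not from the original post, and not how the OPNsense GUI does it internally). "Home Root CA", nextcloud.lan and the password "example" are constructed names; OPNsense exports are assumed to carry key, server CRT and intermediate.

```shell
# Added example, not from the original post: build the chain the guide
# describes (root CA -> intermediate CA -> server CRT) with plain OpenSSL,
# show why the trust store needs the ROOT and not only the intermediate,
# and unpack a .p12 into one PEM the way the Nextcloud step does.
# "Home Root CA", nextcloud.lan and the password "example" are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Key + CSR for $1 with CN=$2; -nodes leaves the key unencrypted on disk.
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:nextcloud.lan\n' >"$WORK/srv.ext"
  mkcsr root "Home Root CA"; mkcsr int "Home Intermediate CA"; mkcsr srv nextcloud.lan
  # Root: the only self-signed CRT in the chain, it only signs intermediates.
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  # Intermediate: signed by the root; this is the CRT browsers get to trust.
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
  # Server CRT: signed by the intermediate, never by the root directly.
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 365 -extfile "$WORK/srv.ext" -out "$WORK/srv.crt" 2>/dev/null
  # .p12 like the one OPNsense exports: key + server CRT + intermediate.
  openssl pkcs12 -export -inkey "$WORK/srv.key" -in "$WORK/srv.crt" \
    -certfile "$WORK/int.crt" -passout pass:example -out "$WORK/srv.p12"
}

# Store holds the root, intermediate supplied as untrusted: chain verifies.
verify_with_root() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/srv.crt" >/dev/null 2>&1
}

# Store holds only the intermediate: prints the OpenSSL error number. 2 is
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, the 'verify_result 2' in the guide.
verify_error_intermediate_only() {
  openssl verify -CAfile "$WORK/int.crt" "$WORK/srv.crt" 2>&1 |
    sed -n 's/^error \([0-9]*\) at .*/\1/p' | head -n 1
}

# 'openssl pkcs12 -in x.p12 -out x.pem -nodes': key and CRTs land in one PEM;
# prints how many certificates it holds (server + intermediate = 2).
p12_to_pem_cert_count() {
  openssl pkcs12 -in "$WORK/srv.p12" -out "$WORK/srv.pem" -nodes -passin pass:example 2>/dev/null
  grep -c 'BEGIN CERTIFICATE' "$WORK/srv.pem"
}
```

The resulting srv.pem is the single file the guide copies to nextcloud-crt.crt, so the same 400 permissions apply to it.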

Your backup should run on the first test.
Download the intermediate CRT and add it to your browser.
Your Nextcloud frontend is now also a trusted site.
Want to remove the CA from the OPNsense store? Just use 'vi' and remove the part below '#End of file', if you did only add this CRT!!

WARNING: If 'ca_root_nss' is updated your addition is removed; add the CRT again. You may script/automate this, but I don't see the real advantage, it's 5 seconds of work.

Performing a 'Health' audit would raise an alert: 'checksum mismatch for /usr/local/share/certs/ca-root-nss.crt', which is obvious.
You should still check though: perform a health audit before you add the CA; if okay, add the CA and then make a new sum and save it: 'cksum ca-root-nss.crt > /home/user/sum.txt'


======================
Servers on your local subnets
The procedure is the same:
'CA --> intermediate-CA --> server-crt'
Create your local webserver CRT and use an intermediate CA to sign it; I like to create separate chains.
Download the server.p12 archive and upload it safely to your server, for instance to '/etc/ssl/localcerts'.
Extract the archive and create the CRT.
Set some sane permissions on it!
Point your server to use the newly installed CRT.
Open your browser and the page and see the secure connection is established immediately.
Make sure your system/browser knows the intermediate.


========
OpenVPN:
There is a good entry in the wiki already.


I probably made mistakes, your feedback is valuable.

This guide is based on Linux/Unix, though it should work for other platforms too; correct me if I'm wrong here.
I don't know how to add CRTs to your phone, please refer to your phone's guide for a how-to or google it.
You can also install the CRTs system wide; check your distro/OS for how to do that.
If you have a nice chain, please add it so this can become a fine guide for 'self signers'.
Forgive me for the bad makeup, I'll make it better over time; the goal is to create a wiki entry about this topic ;)
Keep it trusted mark