OPNsense Forum
English Forums => General Discussion => Topic started by: balubeto on October 14, 2018, 05:54:28 pm
-
Hi
I have a LAN network managed by a hardware firewall that has OPNsense 17.8.4 64 bit.
To access the firewall, I use Chrome 69.x.x.x 64 bit.
I would like to access this firewall using the https protocol.
So, with OPNsense, how do I create a valid self-signed certificate, export it and import it into Chrome?
Thanks
Bye
-
Chrome usually uses the system certificate store, so you just have to import a custom CA from OPNsense into it and then assign a new certificate signed by that CA to the web interface.
-
Hi balubeto, there is a howto for creating self-signed chains, exporting and importing them.
Should give you some clues.
https://wiki.opnsense.org/manual/how-tos/self-signed-chain.html
Greetings, mark
-
Hi balubeto, there is a howto for creating self-signed chains, exporting and importing them.
Should give you some clues.
https://wiki.opnsense.org/manual/how-tos/self-signed-chain.html
Greetings, mark
Once I have created and exported a self-signed certificate, how do I import it into Chrome?
Thanks
Bye
-
Go to Settings > Advanced > Privacy and Security > Manage Certificates > Import.
Once done, restart the browser -> ready ;D
Greetings, mark
Edit: btw, you can also import it into your OS/distro certificate store, though you need to figure out how your OS/distro handles that.
-
I followed your guide, imported the OPNsense+self-certificate.p12 file, activated the https protocol, imported this certificate into Chrome without any problems and restarted it.
At this point, every time I try to access its Login web page, Chrome doesn't let me access it because it tells me that the certificate is not valid. How come?
Now, how do I regain control of the firewall?
Thanks
Bye
-
SSH / Serial -> Menu -> Restore Configuration
-
SSH / Serial -> Menu -> Restore Configuration
Well, use that as a second option :P
Are you willing to install Firefox and try the same, importing the certificate into its store? I remember people having trouble importing CRTs in Chrome/Chromium, meaning you're still bugged by that message: 'invalid authority', or at least something like that.
Unless you added it to the distro/OS certificate store, remove it and create the CRT chain anew; there is something wrong with its configuration.
Greetings, mark
-
SSH / Serial -> Menu -> Restore Configuration
Is it possible to access via telnet? If so, what is its listening port?
-
Is it possible to access via telnet? If so, what is its listening port?
No, for security reasons that will also not be added in the future, but SSH is there if you have enabled it before. By default it listens on TCP/22, which is the standard SSH port.
-
Since I have Windows 7 SP1 64 bit, I have installed PuTTY 64 bit to access the firewall.
Leaving the default values of PuTTY, when I try to perform the login, this message appears (see attachment). How come?
Thanks
Bye
-
Have a look at the 'key format' in PuTTY.
Should be in the form of:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdQKkkD6v... user@host
If there is more than that, remove it and try again.
Greetings, mark
-
Have a look at the 'key format' in PuTTY.
Should be in the form of:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdQKkkD6v... user@host
If there is more than that, remove it and try again.
Greetings, mark
Where can I find the ssh-rsa string so that it can be inserted in the Key field under Connection ---> SSH ---> Host keys of PuTTY?
Thanks
Bye
-
You have to export the public key to the OpenSSH format.
-
I don't have any idea. I exported a p12 file (see attachment).
Thanks
Bye
-
You should not generate a certificate. An SSH key is generated on the command line using the following command:
ssh-keygen -t ed25519
If you use PuTTY, you can use the PuTTYgen tool to generate a new key pair.
-
You should not generate a certificate. An SSH key is generated on the command line using the following command:
ssh-keygen -t ed25519
If you use PuTTY, you can use the PuTTYgen tool to generate a new key pair.
With PuTTYgen, I created a key pair and then tried to connect to the firewall, but it displayed the "Server refused our key" message. How come?
Thanks
Bye
-
Then you have pasted the wrong format. I don't have PuTTY, but I am pretty sure it supports the correct OpenSSH format for public keys.
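Added example, not from the thread: the "wrong format" the replies above refer to is usually the file PuTTYgen writes with "Save public key", which uses the RFC 4716 layout (---- BEGIN SSH2 PUBLIC KEY ---- markers, headers, base64 wrapped at 64 columns) rather than the single-line OpenSSH form that sshd reads from authorized_keys. The script below converts such a file; the file name, the comment and the sample key (a syntactically valid ssh-ed25519 blob whose public point is all zeros) are constructed for illustration and are not a usable key.

```shell
#!/bin/sh
# Added example (not from the thread): convert a PuTTYgen "Save public key" file
# (RFC 4716 layout) into the one-line OpenSSH authorized_keys form.
# Sample key, comment and file names below are constructed for illustration.
set -e

# rfc4716_to_openssh FILE: prints "<keytype> <base64 blob> <comment>"
rfc4716_to_openssh() {
    file="$1"
    # Optional 'Comment:' header, with or without surrounding double quotes
    comment=$(sed -n 's/^Comment: *"\{0,1\}\([^"]*\)"\{0,1\} *$/\1/p' "$file" | head -n 1)
    # Body = every line that is neither a ---- marker nor a "Header: value" line
    b64=$(grep -v '^----' "$file" | grep -v ':' | tr -d '\r\n ')
    # The key type is not guessed from the file: the decoded blob starts with a
    # 4-byte big-endian length followed by the algorithm name (ssh-rsa, ssh-ed25519, ...)
    blob=$(mktemp)
    printf '%s' "$b64" | base64 -d > "$blob"
    set -- $(od -An -tu1 -N4 "$blob")
    len=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    keytype=$(dd if="$blob" bs=1 skip=4 count="$len" 2>/dev/null)
    rm -f "$blob"
    printf '%s %s %s\n' "$keytype" "$b64" "$comment"
}

# Constructed sample: a well-formed ssh-ed25519 blob whose 32-byte public point
# is all zeros. It is NOT a usable key; it only exercises the parser.
SAMPLE_B64=AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SAMPLE_COMMENT=user@host

# write_sample FILE: writes the sample the way PuTTYgen does (64-column wrapped)
write_sample() {
    {
        printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----'
        printf 'Comment: "%s"\n' "$SAMPLE_COMMENT"
        printf '%s\n' "$SAMPLE_B64" | fold -w 64
        printf '%s\n' '---- END SSH2 PUBLIC KEY ----'
    } > "$1"
}
```

The single line this prints is the same text PuTTYgen already shows in its "Public key for pasting into OpenSSH authorized_keys file" box; either of those, and not the saved .pub file, is what goes into the user's authorized keys on the firewall.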
-
Since I can work on the OPNsense VGA console, how do I disable the https protocol and enable the http protocol so that I can access the GUI again using the latter?
Thanks
Bye
-
It usually asks when you reconfigure an interface.
-
It usually asks when you reconfigure an interface.
I'm sorry, how do I reconfigure an interface?
Thanks
Bye
-
Option 2 in the menu.
-
Thanks to you, I have been able to access the GUI via the http protocol.
However, I want to use the https protocol, so I created again the chain of self-signed certificates described in your guide.
Now, I attach the Certificates page because I would like you to tell me which button I should click to export this certificate so that I can import it and use it in Chrome.
Thanks
Bye
-
I don't know how it is called in your language but you should use the export certificate button which does NOT include the private key.
-
I don't know how it is called in your language but you should use the export certificate button which does NOT include the private key.
In English, what is this button called and where is it?
Thanks
Bye
-
Hey balubeto, you did not do what is on that wiki page, at least not exactly; I can tell from that picture ^^
To prevent things going wrong, remove that chain and create the chain (again), following that wiki page to the letter.
If you did that, export the CA crt; the button has the same name.
Greetings, mark
-
Also, the reason it's (probably) not working in Chrome/Chromium is because of the 'SAN' (Subject Alternative Name).
Now I would like to see the filled-in 'CN' (Common Name) translated to the 'SAN' automatically, but that's not the case - devs?
So you should copy that into the form exactly. If you did that, there is no guarantee from me that it works the way you expect (in Chrome).
Change to a different browser if you insist on using self-signed certs; it would make it easier on you :D
Greetings, mark
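Added example, not from the thread or the OPNsense how-to: the replies above describe a custom CA whose root is imported into the browser store and a server certificate signed under it, and this post points at the SAN as the reason Chrome still rejects such a certificate. The script below builds the same three-step chain the wiki describes (root CA -> intermediate CA -> server certificate) with plain openssl, so each object can be inspected, and checks both things Chrome checks: that the leaf chains to the root, and that the host name appears in subjectAltName rather than only in the CN. The host name fw.example.lan and all file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the OPNsense how-to): root CA ->
# intermediate CA -> server certificate with plain openssl, plus the check Chrome
# performs. Host name and file names are assumptions for illustration.
set -e

# build_chain DIR HOST: writes root.crt, intermediate.crt, server.crt and keys to DIR
build_chain() (
    dir="$1"; host="$2"
    mkdir -p "$dir" && cd "$dir"

    # 1. Root CA: self-signed, CA:TRUE. This is the single certificate that goes
    #    into the browser/OS trust store ("export CA cert" in System: Trust:
    #    Authorities); its private key should never leave the firewall.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                  'keyUsage=critical,keyCertSign,cRLSign' > root.ext
    openssl req -new -nodes -newkey rsa:2048 -subj '/CN=Example Root CA' \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -days 3650 -in root.csr -signkey root.key \
        -extfile root.ext -out root.crt 2>/dev/null

    # 2. Intermediate CA, signed by the root; pathlen:0 stops it issuing sub-CAs.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
                  'keyUsage=critical,keyCertSign,cRLSign' > intermediate.ext
    openssl req -new -nodes -newkey rsa:2048 -subj '/CN=Example Intermediate CA' \
        -keyout intermediate.key -out intermediate.csr 2>/dev/null
    openssl x509 -req -days 1825 -in intermediate.csr \
        -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile intermediate.ext -out intermediate.crt 2>/dev/null

    # 3. Server (leaf) certificate, signed by the intermediate. Chrome ignores the
    #    CN when matching the host name; the name must be in subjectAltName.
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
                  'keyUsage=critical,digitalSignature,keyEncipherment' \
                  'extendedKeyUsage=serverAuth' \
                  "subjectAltName=DNS:$host" > server.ext
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$host" \
        -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -days 825 -in server.csr \
        -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
        -extfile server.ext -out server.crt 2>/dev/null

    # What the web GUI should serve: leaf first, then the intermediate. The root
    # is not served; the client has to trust it already.
    cat server.crt intermediate.crt > fullchain.pem
)

# verify_chain DIR HOST: returns 0 only if server.crt chains to root.crt through
# the intermediate AND carries a SAN entry for HOST, i.e. what Chrome checks.
verify_chain() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/intermediate.crt" \
        "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text 2>/dev/null | grep -q "DNS:$host"
}
```

Only root.crt is imported on the client; the intermediate and leaf are served by the firewall. On Windows it belongs in the Trusted Root Certification Authorities store: `certutil -addstore Root root.crt` from an elevated prompt puts it in the machine store, which applies to every account, while `certutil -user -addstore Root root.crt` puts it in the current user's store only. A leaf whose host name is only in the CN passes openssl verify yet still fails in Chrome, which is why verify_chain checks the SAN separately.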
-
As your guide has not been updated, I have summarized the two Trust tables in English in the attachment.
Now, I would like to know if you find something wrong and how I can export the certificate so that Chrome can use it without any problems.
Thanks
Bye
-
I quote from the wiki
The third certificate will be a server certificate signed by the intermediate CA we just created. This will also be the last one we create for this chain.
The certificate you have generated is neither a server nor a CA certificate.
Greetings, mark
-
I quote from the wiki
The third certificate will be a server certificate signed by the intermediate CA we just created. This will also be the last one we create for this chain.
The certificate you have generated is neither a server nor a CA certificate.
Greetings, mark
Sorry, but I only created a self-signed certificate.
Thanks
Bye
-
Sorry, but I only created a self-signed certificate.
Why on earth do you want to do that, what are you trying to accomplish?
If you go down that rabbit hole, be my guest, but I can't help you doing that ;)
Greetings, mark
-
Sorry, but I only created a self-signed certificate.
Why on earth do you want to do that, what are you trying to accomplish?
If you go down that rabbit hole, be my guest, but I can't help you doing that ;)
Greetings, mark
I'm simply trying to export a self-signed certificate so that I can import it into Chrome to access the firewall using the https protocol.
Since you now have the images of my firewall in English, can you tell me how to proceed?
Thanks
Bye
-
click the download button "export CA cert" and import it into your trust store (this is specific for your OS)
-
click the download button "export CA cert" and import it into your trust store (this is specific for your OS)
This button is located in the "System: Trust: Authorities" panel. Right?
Thanks
Bye
-
yes
-
I'm sorry that I misunderstood you; I thought you were doing the whole thing without a CA, CRT only. I guess that's clear now.
Greetings, mark
-
When I create a certificate in the "System: Trust: Certificates" tab, can I put the full name (xxxxx.yyyyyy) of the firewall and its URI (https://xxxxx.yyyyyy) respectively in the "Common Name" and "Type URI" fields?
Thanks
Bye
-
Yes, though it only accepts the full URL, like https://my.domain
-
Using Chrome for Windows 7 SP1, into which type of certificate store should I import my intermediate certificate exported from OPNsense?
Thanks
Bye
-
See post #4 of this thread.
Greetings, mark
-
After importing my self-signed certificate into Chrome and enabling the HTTPS protocol to access the firewall web GUI, every time I access it via the web, Chrome displays the "Privacy error" page before the Login page (see attachments).
In addition, I noticed that, in the address bar, the words "Not secure" and "https" are displayed. How come?
How should I resolve these annoyances?
Thanks
Bye
-
Since your screenshot looks like Windows 7 - here is some official documentation:
https://docs.microsoft.com/en-us/skype-sdk/sdn/articles/installing-the-trusted-root-certificate
-
Since your screenshot looks like Windows 7 - here is some official documentation:
https://docs.microsoft.com/en-us/skype-sdk/sdn/articles/installing-the-trusted-root-certificate
I have Windows 7 SP1 64bit.
From OPNsense, should I export the root or intermediate certificate?
Should the steps indicated in your document be done for each account or only by the administrator?
Thanks
Bye
-
I am awaiting your reply.
Thanks
Bye
-
I am an Arch Linux user. It is different here.
In my case it would be:
Store in /etc/ca-certificates/trust-source/anchors and call trust extract-compat.