Hi
I have a LAN network managed by a hardware firewall that has OPNsense 17.8.4 64 bit.
To access the firewall, I use Chrome 69.x.x.x 64 bit.
I would like to access this firewall using the https protocol.
So, with OPNsense, how do I create a valid auto-certificate, export it and import it into Chrome?
Thanks
Bye
Chrome usually uses the system certificate store, so you just have to import a custom CA from OPNsense into it and then assign a new certificate signed by that CA to the web interface.
Hi balubeto, there is a howto for creating self-signed chains, exporting and importing them.
Should give you some clues.
https://wiki.opnsense.org/manual/how-tos/self-signed-chain.html
Greetings, mark
Quote from: qinohe on October 14, 2018, 07:16:29 PM
Hi balubeto, there is a howto for creating self-signed chains, exporting and importing them.
Should give you some clues.
https://wiki.opnsense.org/manual/how-tos/self-signed-chain.html
Greetings, mark
Once I have created and exported a self-certificate, how do I import it in Chrome?
Thanks
Bye
Go to: Settings > Advanced > Privacy and Security > Manage Certificates > IMPORT
Once done, restart the browser -> ready ;D
Greetings, mark
Edit: btw, you can also import it into your OS/distro certificate store, though you need to figure out how your OS/distro handles that.
I followed your guide, I imported the OPNsense+self-certificate.p12 file, I activated the https protocol, I imported this certificate in Chrome without any problems and I restarted it.
At this point, every time I try to access its Login web page, Chrome doesn't let me access it because it tells me that the certificate is not valid. How come?
Now, how do I regain the firewall control?
Thanks
Bye
SSH / Serial -> Menu -> Restore Configuration
Quote from: fabian on October 16, 2018, 05:51:13 PM
SSH / Serial -> Menu -> Restore Configuration
Well, use that as a second option :P
Are you willing to install Firefox and try the same, importing the certificate into its store? I remember people having trouble importing CRTs in Chrome/Chromium, meaning you're still bugged by that message: 'invalid authority', or at least something like that.
Unless you added it to the distro/OS certificate store, remove it and create the CRT chain over new; there is something wrong with its configuration.
Greetings, mark
Quote from: fabian on October 16, 2018, 05:51:13 PM
SSH / Serial -> Menu -> Restore Configuration
Is it possible to access via telnet? If so, what is its listening port?
Quote from: balubeto on October 16, 2018, 08:01:28 PM
Is it possible to access via telnet? If so, what is its listening port?
No, for security reasons that will also not be added in the future, but SSH is there if you have enabled it before. By default it listens on port TCP/22, which is the standard port of SSH.
Since I have Windows 7 SP1 64 bit, I have installed Putty 64 bit to access the firewall.
Leaving the default values of Putty, when I try to perform the Login, this message appears (see attachment). How come?
Thanks
Bye
Have a look at the 'key format' in putty.
Should be in the form of:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdQKkkD6v... user@host
If there is more than that, remove it and try again.
Greetings, mark
Quote from: qinohe on October 17, 2018, 04:41:50 PM
Have a look at the 'key format' in putty.
Should be in the form of:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdQKkkD6v... user@host
If there is more than that, remove it and try again.
Greetings, mark
Where can I find the ssh-rsa string so that it can be inserted in the Key field in the Connection ---> SSH ---> Host keys of Putty?
Thanks
Bye
You have to export the public key to the OpenSSH format.
I don't have any idea. I exported a p12 file (see attachment).
Thanks
Bye
You should not generate a certificate. An SSH key is generated on the command line using the following command:
ssh-keygen -t ed25519
If you use putty, you can use the puttygen tool to generate a new key pair.
Quote from: fabian on October 17, 2018, 06:33:45 PM
You should not generate a certificate. An SSH key is generated on the command line using the following command:
ssh-keygen -t ed25519
If you use putty, you can use the puttygen tool to generate a new key pair.
With PuTTYgen, I created a pair of keys and then tried to connect to the firewall, but it displayed the "Server refused our key" message. How come?
Thanks
Bye
Then you have pasted the wrong format. I don't have PuTTY, but I am pretty sure it supports the correct OpenSSH format for public keys.
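The key-format posts above boil down to one rule: the server wants a single line of the form "<type> <base64> [comment]", and the base64 blob itself starts with the same type string. As an added example (not PuTTY's or OpenSSH's own code), this POSIX shell function checks exactly that, so a PuTTYgen "---- BEGIN SSH2 PUBLIC KEY ----" export, a .ppk file or a stray extra line is caught before the server answers with "Server refused our key"; the sample key in the comments is constructed and only used for illustration.

```shell
#!/bin/sh
# Added example, not from PuTTY or OpenSSH: validate a pasted OpenSSH
# public-key line, "<type> <base64> [comment]".  Besides the prefix, the
# base64 blob is a list of uint32-length-prefixed fields whose first field
# repeats the key type, so the two are cross-checked.  Returns 0 if valid.
openssh_pubkey_ok() {
    line=$1
    nl=$(printf '\n.'); nl=${nl%.}
    # Exactly one line: an embedded newline means a multi-line format
    # (SSH2 public key block, .ppk) was pasted instead.
    case $line in *"$nl"*) return 1 ;; esac
    # Split on whitespace: $1 = key type, $2 = base64 blob, rest = comment.
    set -- $line
    [ $# -ge 2 ] || return 1
    prefix=$1 blob=$2
    case $prefix in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    plen=${#prefix}
    # First 4 decoded bytes: big-endian length of the embedded type string.
    set -- $(printf '%s' "$blob" | base64 -d 2>/dev/null | head -c 4 | od -An -v -tu1)
    [ $# -eq 4 ] || return 1
    [ $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) -eq "$plen" ] || return 1
    # The embedded type string must equal the textual prefix.
    embedded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | head -c $((4 + plen)) | tail -c "$plen")
    [ "$embedded" = "$prefix" ]
}

# Constructed sample: an ed25519 blob (type string + 32 zero bytes), so the
# function can be exercised offline.  A "ssh-rsa" prefix on this same blob
# or the PuTTYgen SSH2 block header are rejected.
sample_blob() {
    { printf '\000\000\000\013ssh-ed25519\000\000\000\040'; head -c 32 /dev/zero; } | base64 | tr -d '\n'
}
```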
Being able to act on the OPNsense VGA console, how do I disable the https protocol and enable the http protocol so that I can again access the GUI using the last protocol?
Thanks
Bye
It usually asks if you reconfigure an interface.
Quote from: fabian on October 19, 2018, 06:46:08 PM
It usually asks if you reconfigure an interface.
I'm sorry, how do I reconfigure an interface?
Thanks
Bye
Option 2 in the menu.
Thanks to you, I have been able to access the GUI via the http protocol.
I want, however, to use the https protocol, so I created again the chain of self-certificates described by your guide.
Now, I attach the Certificates page because I would like you to tell me which button I should click to export this certificate to be able to import it and use it in Chrome.
Thanks
Bye
I don't know how it is called in your language but you should use the export certificate button which does NOT include the private key.
Quote from: fabian on October 21, 2018, 09:05:54 PM
I don't know how it is called in your language but you should use the export certificate button which does NOT include the private key.
In English, what is this button called and where is it?
Thanks
Bye
Hey balubeto, you did not do what is on that wiki page, at least not exactly; I can tell from that picture^^
To prevent things going wrong, remove that chain and create the chain (again), following that wiki page to the letter.
If you did that, export the CA crt; the button has the same name.
Greetings, mark
Also, the reason it's (probably) not working in Chrome/Chromium is 'SAN' - 'Subject Alternative Name'.
Now I would like to see the filled-in 'CN - Common Name' translated to 'SAN' automatically, but that's not the case - devs?
So, you should translate that to the form exactly. If you did that, there is no guarantee from me that it works the way you expect (in Chrome).
Change to a different browser if you insist on using self-signed certs; it would make it easier on you :D
Greetings, mark
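The two points made above, a private CA whose certificate (never its key) is imported into the client's trust store, and a server certificate that carries a SAN because Chrome ignores the CN, can be reproduced outside OPNsense with plain OpenSSL. This is an added example, not the wiki's or OPNsense's own procedure; the hostname "fw.example.lan" and the CA names are constructed placeholders, and the function returns 0 only when the resulting chain verifies against the root alone and the server certificate carries the SAN.

```shell
#!/bin/sh
# Added example (not from OPNsense or its wiki): build the three-level
# chain the how-to describes (root CA -> intermediate CA -> server cert)
# with OpenSSL 1.1.1+ and check it the way a browser would.  Prints the
# working directory and returns 0 on success.  Hostname is a placeholder.
build_chain() {
    host=${1:-fw.example.lan}
    d=$(mktemp -d) || return 1

    # 1) Root CA.  Only $d/root.crt is exported to clients; root.key stays put.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$d/root.key" \
        -out "$d/root.csr" -subj "/CN=Example Root CA" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 -sha256 \
        -extfile "$d/ca.ext" -out "$d/root.crt" >/dev/null 2>&1 || return 1

    # 2) Intermediate CA, signed by the root, with the same CA extensions.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$d/int.key" \
        -out "$d/int.csr" -subj "/CN=Example Intermediate CA" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -days 1825 -sha256 -extfile "$d/ca.ext" -out "$d/int.crt" >/dev/null 2>&1 || return 1

    # 3) Server certificate, signed by the intermediate.  CA:FALSE makes it a
    #    server cert rather than a CA; the SAN is what Chrome matches against
    #    the URL, a matching Common Name alone is not enough.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$d/server.ext"
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" >> "$d/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$d/server.key" \
        -out "$d/server.csr" -subj "/CN=$host" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -days 825 -sha256 -extfile "$d/server.ext" -out "$d/server.crt" >/dev/null 2>&1 || return 1

    # Browser-style check: trust only the root, treat the intermediate as
    # untrusted glue, then confirm the SAN is really in the server cert.
    openssl verify -CAfile "$d/root.crt" -untrusted "$d/int.crt" "$d/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$d/server.crt" -noout -text | grep -q "DNS:$host" || return 1
    printf '%s\n' "$d"
}
```

Without the intermediate the server certificate does not verify against the root, which is why the web interface must serve the server certificate together with the intermediate while the client only imports root.crt.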
As your guide has not been updated, in the attachment I have summarized the two Trust tables in English.
Now, I would like to know if you find something wrong and how I can export the certificate so that Chrome can use it without any problems.
Thanks
Bye
I quote from the wiki:
Quote: The third certificate will be a server certificate signed by the intermediate CA we just created. This will also be the last one we create for this chain.
The certificate you have generated is neither a server nor a CA.
Greetings, mark
Quote from: qinohe on October 22, 2018, 06:54:11 PM
I quote from the wiki:
Quote: The third certificate will be a server certificate signed by the intermediate CA we just created. This will also be the last one we create for this chain.
The certificate you have generated is neither a server nor a CA.
Greetings, mark
Sorry, but I only created a self-certificate.
Thanks
Bye
Quote from: balubeto on October 22, 2018, 07:36:49 PM
Sorry, but I only created a self-certificate.
Why on earth do you want to do that? What are you trying to accomplish?
If you go down that rabbit hole, be my guest, but I can't help you doing that ;)
Greetings, mark
Quote from: qinohe on October 22, 2018, 08:03:52 PM
Quote from: balubeto on October 22, 2018, 07:36:49 PM
Sorry, but I only created a self-certificate.
Why on earth do you want to do that? What are you trying to accomplish?
If you go down that rabbit hole, be my guest, but I can't help you doing that ;)
Greetings, mark
I'm simply trying to export a self-certificate so that I can import it in Chrome to access the firewall using the https protocol.
Since you now have the images of my firewall in English, can you tell me how to proceed?
Thanks
Bye
Click the download button "export CA cert" and import it into your trust store (this is specific to your OS).
Quote from: fabian on October 23, 2018, 06:39:15 PM
Click the download button "export CA cert" and import it into your trust store (this is specific to your OS).
This button is located in the "System: Trust: Authorities" panel. Right?
Thanks
Bye
Yes.
I'm sorry that I misunderstood you; I thought you were doing the whole thing without a CA, CRT only. I guess that's clear now.
Greetings, mark
When I create a certificate in the "System: Trust: Certificates" tab, can I put the full name (xxxxx.yyyyyy) of the firewall and its URI (https://xxxxx.yyyyyy) respectively in the "Common Name" and "Type URI" fields?
Thanks
Bye
Yes, though it only accepts the full URL, like https://my.domain
Using Chrome for Windows 7 SP1, in which type of certificate archive should I insert my intermediate certificate exported from OPNsense?
Thanks
Bye
See post #4 of this thread.
Greetings, mark
After importing my self-certificate in Chrome and enabling the HTTPS protocol to access the firewall webGUI, every time I access it via web, Chrome displays the "Privacy error" page before accessing the Login page (see attachments).
In addition, I noticed that, in the address bar, the words "Not secure" and "https" are displayed. How come?
How should I resolve these annoyances?
Thanks
Bye
Since your screenshot looks like Windows 7 - here is some official documentation:
https://docs.microsoft.com/en-us/skype-sdk/sdn/articles/installing-the-trusted-root-certificate
Quote from: fabian on November 02, 2018, 08:52:41 PM
Since your screenshot looks like Windows 7 - here is some official documentation:
https://docs.microsoft.com/en-us/skype-sdk/sdn/articles/installing-the-trusted-root-certificate
I have Windows 7 SP1 64bit.
From OPNsense, should I export the root or intermediate certificate?
Should the steps indicated in your document be done for each account or only by the administrator?
Thanks
Bye
I am awaiting your reply.
Thanks
Bye
I am an Arch Linux user. It is different here.
In my case it would be:
Store it in /etc/ca-certificates/trust-source/anchors and call trust extract-compat.