Messages - Lilith

#1
So... This long walk was educational, but unnecessary. After more testing, steps 1-5 can be more easily accomplished by just creating an Int-CA signed with a Root-CA in Authorities, as expected.

The underlying issue is that Intermediate CA certificates need to be installed server-side. Help guides suggest the installation method may differ depending on the host software, but both Nginx (https://nginx.org/en/docs/http/configuring_https_servers.html) and Apache (https://access.redhat.com/solutions/43575) documentation make chained certificates sound like the standard. OPNSense doesn't print these automatically from the download button - maybe functionality lost in the missing Authorities method? - so admins have to know to do it manually.
#2
Hi all - got a solution to my own situation which requires a bit of disco. Tested for Cockpit on Ubuntu 24.04
(Note: This is a workaround. There is still a discrepancy between OPNSense docs and this method, as I noted above.)

In OPNSense:
1. System > Trust > Authorities: Create an internal Domain Root-CA
2. ... > Certificates: Create a certificate with the following specs:
   Method: Internal
   Description: Domain Int-CA
   Type: Certificate Authority
   Issuer: Domain Root-CA
   Save.
3. Edit this new Domain Int-CA certificate. Copy the Certificate Data and Private Key Data to your clipboard or a text document.
4. ... > Authorities: Create a certificate with Method: Import existing
5. Paste in the Certificate Data and Private Key Data. Save.
6. ... > Certificates: Create a server certificate issued by Domain Int-CA

Cockpit's documentation (https://cockpit-project.org/guide/latest/https) specifies that:

    The file should contain one or more OpenSSL style BEGIN CERTIFICATE blocks for the server certificate and the intermediate certificate authorities.

    The private key must be contained in a separate file with the same name as the certificate, but with a .key suffix instead. The key must not be encrypted.

So I just did it by hand...

7. Download server's certificate.pem (I had to rename to server.crt for Cockpit)
   Download server's key.pem (I renamed to server.key)
   Download Domain Int-CA's certificate.pem (renamed to Domain-intCA.crt)
8. In terminal:
       cat Domain-intCA.crt >> server.crt
   ## This adds the Internal Certificate's BEGIN CERTIFICATE block to the server.crt's chain, allowing it to be verified

9. Transfer server.crt and server.key to the server and place in /etc/cockpit/ws-certs.d/ and then systemctl restart cockpit

I can now connect to server.domain with an SSL verified connection in Firefox after importing only my Domain Root-CA certificate.

Hope this helps someone!
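The following is an added example, not code from this thread, from OPNsense or from the Cockpit project. It reproduces the Root-CA / Int-CA / server layout from the steps above with openssl in a scratch directory, assembles server.crt exactly as step 8 does (server certificate first, then the Int-CA block), and shows why that step matters: verification against only the Root-CA fails for the bare server certificate (the single-block situation described elsewhere in this thread) and succeeds once the intermediate is appended. It assumes openssl 1.1.1 or newer on PATH; the CA names and server.domain follow the post, while the file names, key sizes and validity periods are this script's own choices.

```shell
#!/bin/sh
# Added example (not from the forum post): build Root-CA -> Int-CA -> server,
# chain the PEM files the way step 8 does, and verify against the root only.
# Assumption: openssl >= 1.1.1 on PATH. File names are this script's own.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: self-signed Domain Root-CA. Signing with "x509 -req -extfile" keeps
# the extensions explicit instead of depending on the system openssl.cnf.
make_root_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Domain Root-CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$WORK/root.ext"
    openssl x509 -req -sha256 -days 3650 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/root.ext" -out "$WORK/root.crt" >/dev/null 2>&1
}

# Steps 2-5: Domain Int-CA, a CA certificate issued by the Root-CA.
make_int_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Domain Int-CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$WORK/int.ext"
    openssl x509 -req -sha256 -days 1825 -in "$WORK/int.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/int.ext" -out "$WORK/int.crt" >/dev/null 2>&1
}

# Step 6: server certificate for server.domain issued by the Int-CA.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=server.domain" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.domain\nextendedKeyUsage=serverAuth\n' \
        > "$WORK/server.ext"
    openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server-leaf.crt" >/dev/null 2>&1
}

# Step 8: the file Cockpit reads must carry the leaf followed by the Int-CA.
build_chain() {
    cat "$WORK/server-leaf.crt" "$WORK/int.crt" > "$WORK/server.crt"
}

# Verify the first certificate in a PEM file against the Root-CA only, as a
# browser that has imported just the root does. Any further certificates in
# the same file are offered as untrusted intermediates. Prints OK or FAIL.
verify_against_root() {
    if openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Number of BEGIN CERTIFICATE blocks in a PEM file: 1 means no chain shipped.
count_blocks() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Run the whole procedure and report both outcomes on one line.
run_demo() {
    make_root_ca && make_int_ca && make_server_cert && build_chain
    echo "leaf-only:$(verify_against_root "$WORK/server-leaf.crt") chained:$(verify_against_root "$WORK/server.crt") blocks:$(count_blocks "$WORK/server.crt")"
}

run_demo   # expected: leaf-only:FAIL chained:OK blocks:2
```

Before copying server.crt to /etc/cockpit/ws-certs.d/, the same check can be run on the real files: `openssl verify -CAfile Domain-RootCA.crt -untrusted server.crt server.crt` should report OK, and `grep -c 'BEGIN CERTIFICATE' server.crt` should be 2 or more. A count of 1 is the single-block situation where the browser sees only the Int-CA and cannot reach the trusted root.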
#3
Thanks so much for your reply, cookiemonster. I followed your steps and can confirm that the Int-CA is readable from the server cert's chain when signing this way. However, I'm unable to export a private key for this cert and so can't test that it works against the root-CA installed in my browser. I'll keep working with it and try to shake out a usable test case.
#4
Hi Meg - I'm also having this issue. The documentation here (https://docs.opnsense.org/manual/how-tos/self-signed-chain.html) does not match the UI in 24.7. The only method options in Trust/Authorities are "Import," "Create Internal," and "OCSP."
There is a method option in Trust/Certificates called "Certificate Authority," but I wasn't actually able to use it to sign other certs.

I tried signing one CA with another CA to use as an Intermediate, but I receive an "UNKNOWN_ISSUER" error, even when the Root-CA is trusted on-browser. The chain of trust ends at the Intermediate CA -- it's the only BEGIN CERTIFICATE block on the cert.