Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
19.7 Legacy Series
»
Self signing and CA's - anyone make this work?
« previous
next »
Print
Pages: [
1
]
Author
Topic: Self signing and CA's - anyone make this work? (Read 2917 times)
tre4bax
Full Member
Posts: 151
Karma: 4
Self signing and CA's - anyone make this work?
«
on:
August 26, 2019, 10:30:06 pm »
Using the Let'sEncrypt pluggin I have happily provided a certificate for my NAS that works well, with one little exception. Let'sEncryp only allows a short renewal and this means I therefore have to keep updating my certificate. Surprisingly there seems no good universal way to achieve this renewal of certificates so I thought I would create my own CA and issue my own certificates to use internally.
followed the instructions and all that works. Issued a certificate, great. Can I get a browser to see it is allowable? Not a chance. They show it is a valid certificate, however they refuse to have the padlock in place.
I've added the CA to the certificate authorities and the Intermediate to the intermediate version. Still no dice. Has anyone anywhere managed to get this to work?
Logged
hbc
Hero Member
Posts: 501
Karma: 47
Re: Self signing and CA's - anyone make this work?
«
Reply #1 on:
August 27, 2019, 04:46:54 am »
Where did you add it? Which client OS, which browser?
For Windows you usually add it to users cert store.
Run
mmc.exe
, load certificate snap-in for current user and and certificates to specific sections. This can also be done via group policies or you need to provide oh in an ad domain.
Some.browsers use their own cert store, then you have to add it directly to it.
Logged
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
tre4bax
Full Member
Posts: 151
Karma: 4
Re: Self signing and CA's - anyone make this work?
«
Reply #2 on:
August 27, 2019, 10:20:19 am »
I added the certificate into the browser. I'm using the new version of Edge, which is really kind of Chrome, though I have tried it in chrome too with no success.
I am pretty sure that the Manage certificates part of the new Edge just access the underlying store as the certificates listed in the snap in look the same. Can't be totally sure right now though as I am looking at it through my work computer so will try on my home computer tonight. If only you could get longer expiry times on Let'sEncrypt certificates...
Logged
hbc
Hero Member
Posts: 501
Karma: 47
Re: Self signing and CA's - anyone make this work?
«
Reply #3 on:
August 27, 2019, 11:18:30 am »
Let's encrypt has this acme client that handles certificate renewal automatically. Usually you just have to set it up and do not have to care for renewals any more.
Logged
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
tre4bax
Full Member
Posts: 151
Karma: 4
Re: Self signing and CA's - anyone make this work?
«
Reply #4 on:
August 27, 2019, 12:05:13 pm »
I use the ACME script to do this on the box that generates the certificates (opnsense). The challenge is getting the certificate to all of the other boxes that use it. This is a pretty manual job.
Most of the boxes could separately be setup with ACME, the challenge of this is all of the other boxes are within my local network and to let Let'sEncrypt get to them I would have to have multiple rules etc to deliver port 80 to the boxes and it all feels a bit complex when all I need is for the right certificate to be in the right places on each box. I guess I might have to manually adapt each box.
Logged
hbc
Hero Member
Posts: 501
Karma: 47
Re: Self signing and CA's - anyone make this work?
«
Reply #5 on:
August 27, 2019, 02:03:02 pm »
Why a centralized acme box and not running the acme client on each box itself? Or if stripped down linux boxes with missing dependencies, then just use secure copy for distribution?
If you use an own CA and have to trust these certs by importing cert chain, then you could just use the built-in/generated self-signed certs that those boxes usually provide. No much difference. Import once a 2 years valid root/intermedia ca on each client pc or just trust these 2years self-signed certs. Make no difference.
Logged
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
tre4bax
Full Member
Posts: 151
Karma: 4
Re: Self signing and CA's - anyone make this work?
«
Reply #6 on:
August 27, 2019, 02:30:19 pm »
I use the centralised opnsense box as it is the only one directly attached to the internet. When Let'sEncrypt certificates are created they need to access port 80 on the boxes and this breaks the certificate creation.
Port 80 on the router is used in HAProxy to reroute certain services I want available outside so that I can access with URL and have HAProxy reroute them internally to the right service and port number. I think it would be tricky to have 80 routed through for LE and still have the HAProxy stuff work too.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
19.7 Legacy Series
»
Self signing and CA's - anyone make this work?