Self-signed CA -> Certificate

Archive > 20.1 Legacy Series

Self-signed CA -> Certificate - Firefox error

(1/2) > >>

lysemose:
Hi

I tried to create a CA from OPNsense and afterwards a website certificate from that CA.
I assigned it to the web interface of my OPNsense firewall.

But Firefox doesn't like the CA/certificate created stating an error like this

SEC_ERROR_INADEQUATE_CERT_TYPE

I imported the CA into Firefox certificate store without any difference.
If I choose not to trust it for websites within Firefox I can access the web interface again.

Some searching show that, "I confirmed this by generating a new test CA with the the extended usage field excluded, then generating a new SSL Cert The certificate verifies properly now."

Have some of you a workaround or fix?

Thanks

ArminF:
Help us a bit better understanding your problem.

You create a local CA internally System - Trust - Authorities
Afterwards you created a self signed certificte and here is where i lost you...

You installed it where exactly? On a webserver hosting a website?
Or on your OPNSense which actually has already one.

Also for Server you need to have a server cert. Webserver usually to establish the handshake.
For client cert authentication you would need a client cert.

Also import the local authority cert (there is a p12 option) into your pc maybe

hope this helps
a

lysemose:
Thanks for your reply.

Yes I created a local CA and issued a server certificate from that CA to my OPNsense firewall, opnsense.domain.local, and assigned the new certificate to the web management interface... yes the one that actually have one self signed certificate from the installation process.

I hope that helps...

Looked/followed through this guide
https://docs.opnsense.org/manual/how-tos/self-signed-chain.html#the-certificate

ArminF:
Hello lysemose,
you are welcome.

Let me try this today at home and i will report back.

Found this as well: https://superuser.com/questions/1359755/trust-self-signed-cert-in-chrome-macos-10-13
I guess chrome will react the same.

armin

lysemose:
I can confirm that Chromium acts the same...
I will also try to see which certificate I choose and retry to see if I made a mistake somewhere

Thanks!

Navigation

[0] Message Index

[#] Next page

Go to full version