Self-signed CA -> Certificate - Firefox error

[lysemose]

Hi

I tried to create a CA from OPNsense and afterwards a website certificate from that CA.
I assigned it to the web interface of my OPNsense firewall.

But Firefox doesn't like the CA/certificate created stating an error like this

SEC_ERROR_INADEQUATE_CERT_TYPE

I imported the CA into Firefox certificate store without any difference.
If I choose not to trust it for websites within Firefox I can access the web interface again.

Some searching show that, "I confirmed this by generating a new test CA with the the extended usage field excluded, then generating a new SSL Cert The certificate verifies properly now."

Have some of you a workaround or fix?

Thanks

[ArminF]

Help us a bit better understanding your problem.

You create a local CA internally System - Trust - Authorities
Afterwards you created a self signed certificte and here is where i lost you...

You installed it where exactly? On a webserver hosting a website?
Or on your OPNSense which actually has already one.

Also for Server you need to have a server cert. Webserver usually to establish the handshake.
For client cert authentication you would need a client cert.

Also import the local authority cert (there is a p12 option) into your pc maybe

hope this helps
a

[lysemose]

Thanks for your reply.

Yes I created a local CA and issued a server certificate from that CA to my OPNsense firewall, opnsense.domain.local, and assigned the new certificate to the web management interface... yes the one that actually have one self signed certificate from the installation process.

I hope that helps...

Looked/followed through this guide
https://docs.opnsense.org/manual/how-tos/self-signed-chain.html#the-certificate

[ArminF]

Hello lysemose,
you are welcome.

Let me try this today at home and i will report back.

Found this as well: https://superuser.com/questions/1359755/trust-self-signed-cert-in-chrome-macos-10-13
I guess chrome will react the same.

armin

[lysemose]

I can confirm that Chromium acts the same...
I will also try to see which certificate I choose and retry to see if I made a mistake somewhere

Thanks!

[bartjsmit]

Have you looked at Letsencrypt? Its root CA is publicly trusted.

System, Firmware, Plugins, os-acme-client

Bart...

[ArminF]

ok, got it to work. Took a few tries.

Screenshots attached numbered
1 > System - Trust - Authority
Internal Root
Key lenght 4096
Digest SHA512
Lifetime 3640 (10 years)

2 > System - Trust - Certificates
Type Server
Key RSA
Key length 4096
Digest SHA512
Lifetime 825

3 >
Set DNS alternative Name DNS and IP


Then exported the LocalCA Cert (System - Trust - Authorities)
As i am on mac i had to set the system default to allow and trust always

Replace the Server Cert on System - Settings - Administration
Reloaded

Result > after reload chrome and safari shows valid

Maybe this helps!
Good Luck
A

[ArminF]

Have you looked at Letsencrypt? Its root CA is publicly trusted.

System, Firmware, Plugins, os-acme-client

Bart...

Thank you! Will take a look
A

[lysemose]

Hi ArminF

Thanks for your detailed reply...
I finally figured it out... somehow (fat fingered, not paying attention) I had chosen a client certificate in stead of server certificate which of cause doesn't work with a website!

But now I got a nice green bar in the certificate details under Firefox, just like I would have expected.

Thanks again for taking your time to reply!

And thanks to bartjsmit for the heads up on Letsencrypt!

[ArminF]

Aloha,

you are welcome.

Interesting that you had to choose client cert.
Good that its working now.

"all ways lead to rome" we say here.

Cheers and happy config
armin