Auto-certificate and Chrome

[balubeto]

Hi



I have a LAN network managed by a hardware firewall that has OPNsense 17.8.4 64 bit.


To access the firewall, I use Chrome 69.x.x.x 64 bit.


I would like to access this firewall using the https protocol.


So, with OPNsense, how do I create a valid auto-certificate, export it and import it into Chrome?


Thanks


Bye

[fabian]

Chrome usually uses the system certificate store so you just have to import a custom CA from OPNsense into it and then sign a new certificate signed by it to the web interface.

[qinohe]

Hi balubeto, there is a howto for creating self-signed chains, exporting and importing them.

Should give you some clues.

https://wiki.opnsense.org/manual/how-tos/self-signed-chain.html

Greetings, mark

[balubeto]

Hi balubeto, there is a howto for creating self-signed chains, exporting and importing them.

Should give you some clues.

https://wiki.opnsense.org/manual/how-tos/self-signed-chain.html

Greetings, mark

Once I have created and exported a self-certificate, how do I import it in Chrome?

Thanks

Bye

[qinohe]

Go to; Settings>Advanced>Privacy and Security>Manage Certificates>IMPORT

Once done restart browser -> ready   

Greetings, mark

edit:btw.  you can also import it in your OS/Distro certificate store, though you need to figure out how your OS/distro handles that.

[balubeto]

I followed your guide, I imported the OPNsense+self-certificate.p12 file, I activated the https protocol, I imported this certificate in Chrome without any problems and I restarted it.

At this point, every time I try to access its Login web page, Chrome doesn't let me access it because it tells me that the certificate is not valid. How come?

Now, how do I regain the firewall control?

Thanks

Bye

[fabian]

SSH / Serial -> Menu -> Restore Configuration

[qinohe]

SSH / Serial -> Menu -> Restore Configuration

Well, use that as a second option 

Are you willing to install Firefox, and try the same, import the certificate into it's store, I remember people having trouble importing CRT's in Chrome/Chromium. Meaning your still bugged by that message:'invalid authority', at least something like that.

Unless you added it to the distro/OS certificate store, remove it and create the CRT. chain over new, there is something wrong with it's configuration.

Greetings, mark

[balubeto]

SSH / Serial -> Menu -> Restore Configuration

Is it possible to access via telnet? If so, what is its listening port?

[fabian]

Is it possible to access via telnet? If so, what is its listening port?

No, for security reasons that will also not be added in the future but SSH is there if you have enabled it before. By default it listens on port TCP/22 which is the standard port of SSH.

[balubeto]

Since I have Windows 7 SP1 64 bit, I have installed Putty 64 bit to access the firewall.


Leaving the default values of Putty, when I try to perform the Login, this message appears (see attachment). How come?


Thanks


Bte

[qinohe]

Have a look at the 'key format' in putty.

Should be in the form of:

Code: [Select]

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdQKkkD6v... user@host
If there is more than that, remove it and try again.

Greetings, mark

[balubeto]

Have a look at the 'key format' in putty.

Should be in the form of:

Code: [Select]

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdQKkkD6v... user@host
If there is more than that, remove it and try again.

Greetings, mark

Where can I find the ssh-rsa string so that it can be inserted in the Key field in the Connection ---> SSH ---> Host keys of Putty?

Thanks

Bye

[fabian]

You have to export the public key to the OpenSSH format.

[balubeto]

I don't have any idea. I exported a p12 file (see attachment).


Thanks


Bye