[lug] Fedora/Apache/Firefox: Self-signed Intranet Certs Possible?

stimits at comcast.net stimits at comcast.net
Sun Feb 26 14:20:01 MST 2017

I have the need to install a self-signed SSL cert on my local Firefox (under Fedora) to use as client authentication going to a remote https web server (Fedora/Apache, also self-signed). I have tried several ways to add my self-signed cert to my own certificate authority on the server, but cannot seem to get Apache (via mod_ssl) to consider the cert valid...my signing procedure is apparently flawed. Can self-signed certs on Firefox be used for authentication on a remote Apache server which has certificate authority customizations? Am I trying to do something not possible?

I'm able to create a self-signed cert for the web server from that server by starting with creation of a self-signed certificate authority. I am able to sign certificate requests in general using this mechanism from the server end. Viewing the server certificate from Firefox shows the Apache server cert is installed as expected. The configuration lines for mod_ssl are pointing at my custom certificate authority as well, and the server can restart without error, so I know nothing of "extreme" error is going on.

On the Firefox side I'm able to create a self-signed cert on my local host, convert it to PKCS12, and use this in Firefox. If I try to create a cert from the server's signing mechanism, rather than locally, Firefox refuses to use the cert (Firefox complains about not owning the key that generated the cert...Firefox will only import certs generated locally...the cert cannot be originally generated from the custom CA on the server). Until I create a certificate signing request from my local machine based on the Firefox key and get it signed by the server certificate authority I would not expect authentication to work...unfortunately I've tried many different combinations and can never get Apache to accept my self-signed cert even with the CSR and re-import of the cert into Firefox. My steps in generating the cert request and re-import into Firefox must be flawed, or else this just isn't allowed at all.
This is the work flow summary which does not allow authentication:
  create key
    create self-signed CA
      create server cert
        deploy cert to server
        add the CA to server config to use custom CA for auth
  create key
    create self-signed CA
      create client cert
        create cert sign request, send to server
  sign firefox csr, send cert back to firefox
  (on localhost export this result to pkcs12, import into firefox)
    update the self-signed cert authority into apache
      restart apache
I'm perhaps just signing the wrong part of this, or perhaps propagating my CA change to Apache was done wrong...I don't know. Firefox can import this dual-signed cert, but the custom CA added to Apache does not recognize this cert via Firefox. Do I need to change my procedure, or is self-signing simply a futile effort (perhaps it's like that old IBM commercial, and I just need more pixie dust)?
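One way to set up the workflow summarized above so that the client cert actually chains to the CA Apache is configured with, as an added shell example that is not part of the original post (the subject names, output directory, Apache paths and the `changeit` PKCS12 password are assumed placeholders): a single private CA signs both the server cert and the CSR generated on the workstation, and `openssl verify` against that CA stands in for the trust check mod_ssl performs when `SSLVerifyClient require` is set. For contrast, the last step builds a client cert self-signed under a second, separate CA, which that same check rejects.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed placeholders: the CN
# values, the output directory and the PKCS12 password "changeit".
set -e

# Build one private CA and use it to sign both the server cert and the
# client (Firefox) cert. All files land in "$1".
build_pki() {
  dir="$1"
  mkdir -p "$dir"

  # 1. The private CA. Its self-signed cert is the file Apache's
  #    SSLCACertificateFile must point to; its key stays on the CA host.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -keyout "$dir/ca.key" -out "$dir/ca.crt" \
      -subj "/CN=Intranet Test CA" 2>/dev/null

  # 2. Server key + CSR, signed by that same CA (no second CA is created).
  openssl req -newkey rsa:2048 -nodes \
      -keyout "$dir/server.key" -out "$dir/server.csr" \
      -subj "/CN=intranet.example.test" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/server.csr" \
      -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
      -out "$dir/server.crt" 2>/dev/null

  # 3. Client key + CSR generated on the workstation. Only the CSR travels
  #    to the CA; the signed cert comes back and is paired with the local key.
  openssl req -newkey rsa:2048 -nodes \
      -keyout "$dir/client.key" -out "$dir/client.csr" \
      -subj "/CN=firefox-user" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/client.csr" \
      -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
      -out "$dir/client.crt" 2>/dev/null

  # 4. Bundle local key + signed cert + CA into PKCS12 for Firefox import.
  #    Firefox accepts it because the bundle carries the matching private key.
  openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
      -certfile "$dir/ca.crt" -out "$dir/client.p12" -passout pass:changeit

  # 5. For contrast: a client cert self-signed under its own, separate CA,
  #    i.e. a second "create key / create self-signed CA" chain on the client.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -keyout "$dir/other.key" -out "$dir/other-selfsigned.crt" \
      -subj "/CN=firefox-user" 2>/dev/null
}

# Returns 0 only if the cert chains to the given CA. This is the trust
# decision mod_ssl makes against SSLCACertificateFile when SSLVerifyClient
# is set to "require".
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Matching Apache (mod_ssl) directives for the server side (placeholder paths;
# restart httpd after changing them):
#   SSLCertificateFile    /etc/pki/tls/certs/server.crt
#   SSLCertificateKeyFile /etc/pki/tls/private/server.key
#   SSLCACertificateFile  /etc/pki/tls/certs/ca.crt
#   SSLVerifyClient       require
#   SSLVerifyDepth        1

demo() {
  dir=$(mktemp -d)
  build_pki "$dir"
  if chains_to_ca "$dir/ca.crt" "$dir/client.crt"; then
    echo "client.crt: accepted by the CA Apache trusts"
  fi
  if ! chains_to_ca "$dir/ca.crt" "$dir/other-selfsigned.crt"; then
    echo "other-selfsigned.crt: rejected (issuer unknown to that CA)"
  fi
}
```

Calling `demo` prints one line per verdict. The design point is that the client side never creates a CA of its own: it only produces a key and a CSR, and the cert Firefox ends up importing is issued by the one CA that `SSLCACertificateFile` names, which is why `openssl verify -CAfile ca.crt client.crt` succeeds for `client.crt` and fails for the separately self-signed one.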
