[lug] Fedora/Apache/Firefox: Self-signed Intranet Certs Possible?

Lee Woodworth blug-mail at duboulder.com
Mon Feb 27 13:25:27 MST 2017

Hmm, seems to me there are too many certificate authorities. An alternative
to a private CA is a Let's Encrypt cert. It does require setting up automation
to refresh the certificate(s).

This is a configuration that I have used for the testing versions of a site
(except for the client cert parts, still waiting for the mythical
free time genie to show up).

You only need a client cert if you are trying to do mutual authentication
(which also requires additional server configuration).
If not, then skip the client cert parts below.

On the PKI system:
   generate CA key & CA cert
   generate server cert
       cat server-cert.pem CA-cert.pem > server-cert-bundle.pem
   generate client cert (different kind of CSR than for a server)
       cat client-cert.pem CA-cert.pem > client-cert-bundle.pem
       (this bundle might not be needed, TBD when I actually get to it)

On the server:
   install server-cert-bundle.pem & private key
   configure http server (or SNI vhost) to use the
       installed cert bundle
   if using a client cert ensure that the server config will
       use the private CA cert as a root certificate

On the client:
   Adding server cert to the browser's trusted list for firefox (this was ~2 years ago):
       navigate to a secure page on the server, when ff gives the security
       warning message, navigate to see the details and add a permanent
       exception for the server.
   On ff (50.1.0), preferences >> advanced >> certificates >>
       view certificates >> servers
       should have the private ca and the server in the list

On the client, client cert install (untested):
   copy client-cert-bundle.pem & client private key to a protected
   dir the browser account owns (chmod 500 or 600, might also need
   the files to be 400, browser account needs to own the files)

   ff 50.1.0: preferences >> advanced >> certificates >>
       view certificates >> your certificates >> import
   if there is an issue with import about the private key,
       cat client-cert-bundle.pem private-key.pem > client-cert-and-key.pem
       (chmod 400)
   then import client-cert-and-key.pem.


On 02/26/2017 02:20 PM, stimits at comcast.net wrote:
> This is the work flow summary which does not allow authentication:
> server
>   create key
>     create self-signed CA
>       create server cert
>         deploy cert to server
>         add the CA to server config to use custom CA for auth
> localhost
>   create key
>     create self-signed CA
>       create client cert
>         create cert sign request, send to server
> server
>   sign firefox csr, send cert back to firefox
>   (on localhost export this result to pkcs12, import into firefox)
>     update the self-signed cert authority into apache
>       restart apache
> I'm perhaps just signing the wrong part of this, or perhaps propagating my CA change to Apache was done wrong...I don't know. Firefox can import this dual-signed cert, but the custom CA added to Apache does not recognize this cert via firefox. Do I need to change my procedure, or is self-signing simply a futile effort (perhaps it's like that old IBM commercial, and I just need more pixie dust)?
> Thanks!
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
