I wanted to generate a valid certificate for localhost in Mac and 192.168.1.1 in Windows virtual machine. I followed this thread in Mac:
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = localhost
[v3_req]
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost,IP:192.168.1.1,IP:127.0.0.1
And the command:
openssl req -newkey rsa:2048 -x509 -nodes -keyout key.pem -new -out cert.pem -config req.cnf -sha256 -days 3650
Then, I exported the certificate from Chrome and trusted it in Keychain Access in Mac and certmgr in Windows. It worked well. And I believe that the certificate was also secure without red warning.
However, today, I realize that, it shows a "Not Secure" red warning in Chrome, then I tried in different browsers, in Mac and Windows virtual machine. It returns different results as below.
Does anyone know how to generate a secure & valid self signed certificate for localhost in all the browsers in Mac and Windows virtual machine?
Not Secure with Chrome Version 109.0.5414.119 (Official Build) (x86_64) in Mac:
Not Secure with Firefox Version 109.0.1518.70 (Official build) (64-bit) in Windows virtual machine:
Not Secure with Firefox 109.0 (64-bit) in Mac
Secure with Edge Version 109.0.1518.70 (Official build) (64-bit) in Windows virtual machine:
Secure with Chrome Version 109.0.5414.120 (Official Build) (64-bit) in Windows virtual machine:
I realize that it is because my frontend calls a backend https://localhost:3000 whose certificate is not valid.
I then use the same certificate in https://localhost:3000 as in https://localhost:8000. There is no Not Secure red flag anymore.
Related
I have set up a LAMP server with phpmyadmin. I have apache2 configured (through the Headers mod) to only allow SSL connections, but this is keeping me from accessing phpmyadmin on the LAN. When I setup a subdomain and LetsEncrypt cert I have no problem accessing phpmyadmin (phpmyadmin.example.com), but if I try to access it from the LAN or on the server itself, I can't do so securely, so I can't log in.
Well, on the actual server I can just jam https://localhost/phpmyadmin into the browser and accept the insecure connection warning, but that doesn't work when using a different computer on the LAN (https://server-name/phpmyadmin). I'm not crazy about having phpmyadmin accessible to the outside, even with password protection.
Is there a way to establish a secure connection on a LAN, or do I need some way to exempt the /phpmyadmin folder from the SSL requirement? Can this be done for LAN connections only?
You have to access the URL using the same hostname which was provided as CN or SAN during certificate generation.
Since you want to access the application locally using localhost and any CA will not sign your certificate which has CN value localhost, you need to live with slef sign certificate generated against localhost and import to your keystore.
Command to generate self-signed certificate against localhost:
openssl req -x509 -out localhost.crt -keyout localhost.key \
-newkey rsa:2048 -nodes -sha256 \
-subj '/CN=localhost' -extensions EXT -config <( \
printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
Here is an article on the same.
I have been given a .pfx file and a pass key. How do I install ssl certificate on my ubuntu server through cli. The server is nginx.
SSL certificate should be installed on your webserver directly. Please edit your question with a server name you have running on Ubuntu instance (e.g. Apache, Nginx, etc.) The further flow will depend on your webserver specifically.
As for SSL certificate file you have, that is a file in PKCS#12 standard. It contains your end-entity certificate in pair with Certification Authority bundle along with private key. As was aforementioned, SSL installation flow depends on a particular webserver. You will need to convert the certificate in the PEM format (3 separate files: end-entity certificate, CA bundle, and the private key) for SSL installation on most common servers like Apache or Nginx. PKCS#12 file can be converted to PEM via openssl according to this answer.
If you want to make https calls, do install openssl on ubuntu machine and create a certificate using following commands (use sudo before every command, if required)
openssl genrsa -out key.pem
openssl req -new -key key.pem -out csr.pem
openssl x509 -req -days 9999 -in csr.pem -signkey key.pem -out cert.pem
rm csr.pem
To check https is working or not, use following code
const https = require('https');
const fs = require('fs');
const options = {
key: fs.readFileSync('key.pem'),
cert: fs.readFileSync('cert.pem')
};
https.createServer(options, function (req, res) {
res.writeHead(200);
res.end("hello world\n");
}).listen(8000);
Test it on https://localhost:8000 or https://domain_name:8000
This question already has an answer here:
How can I generate a self-signed certificate with SubjectAltName using OpenSSL? [closed]
(1 answer)
Closed 5 years ago.
As of latest Chrome 60+, if there is no SAN, it throws ERROR on HTTPS pages. OpenSSL command line doesn't add these extension.
Nevermind, figured out myself.
OpenSSL CLI allows -subj flag to set up information about the Certificate Authority (CA), but adding the Subject Alternative Names (SAN) cannot be done using the command line. So I had to resort to call -config followed by the file I want to load as simple configuration. For creating Self-Signed Certificates, this should suffice, but not for production:
# ./config/tiny_openssl.conf
[CA_default]
copy_extensions = copy
[req]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[req_distinguished_name]
C = US
ST = Washington
L = Seattle
O = My Company
OU = IT Department
emailAddress = it#mycompany.com
CN = mycompany.com
[v3_ca]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = #alternate_names
[alternate_names]
DNS.1 = localhost
DNS.2 = *.localhost
DNS.3 = app.localhost
# ...
The [alternate_names] values must match with the url of the site (or sites) served under SSL by the generated certificate. Something like localhost or app.localhost can work. Then, we fire OpenSSL using this config.
$ openssl req -x509 -newkey rsa:4096 -sha256 -utf8 -days 365 -nodes \
-config ./config/tiny_openssl.conf \
-keyout ./certificates/private.key \
-out ./certificates/ssl/certificate.crt
Added this .crt file in Windows 10 as a Trusted Root Certificate Authorities, restarted Chrome and the Web Server, and voilá.
If you are worried for performance in the HTTP transaction, you can change the rsa to 2048 bits.
This may work only for internal testing between a server and a browser. If you need a more complete and reliable solution with 100% valid SSL Certificates, you should make a CA, a CRS and then sign the CRS with that CA, that will come out a a valid self-signed certificate:
https://stackoverflow.com/a/21494483/647490
I have Tomcat-Apache set up to serve my application using 443(Apache).
Configured Apache for root certificate and key for enabling HTTPS access for my application.
On server i had to install this certificate to user personal store for HTTPS access.
Problem is if client wants to access he needs to manually install the certificate first. These are self signed certificates generated via openSSL.
openssl req -new -x509 -days 1024 -key ca.key -out ca.crt -config openssl.cnf
Is there a way to configure Apache, or install certificate in another store for client to trigger auto installation of certificate while accessing the site?
I deployed the IBM app center on IBM worklight server 6.1 and enabled the SSL by generating SSL certificate using Liberty core's common utility and updated the server.xml according to that.
When I am accessing the link https://< serverIP >:< sslPort >/appcenterconsole/inst.html
It shows SSL error SSL certificate not matches the server URL this is my first problem.
On chrome it shows an option to proceed anyway after that I am able to access the page which has IBM App Center installer application using my username and password.
But when I click on the link of the application to download and install the app it shows message that Cannot connect to < serverIP > this is my second problem
You generated a self-signed certificate. Per documentation, IBM Application Center does not support self-signed certificates. You need to purchase an official SSL certificate from a certificate authority. This limitation comes actually from iOS.
There is a complex workaround, but I recommend this only for testing. The workaround is not really suitable for production:
Generate a special self-signed certificate with CA flag set to true. This makes the certificate also a certificate authority. Note: Most instructions on the web are only valid for self-signed certificates with CA flag set to false. If you use openssl, use the options -reqexts v3_req -extensions v3_ca
Import this SSL certificate into your device. See here and in its subsections for details. This should also work for 6.1 even though the documentation link is for 6.2
Install this certificate for your webserver and proceed as usual.
You dont need to purchase nothing, you just need to create a CA certificate with an apple mac, install it to the device and u will be allowed to download the apps, easy peasy
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out cerficate.crt -reqexts v3_req -extensions v3_ca
put your domain in the name field when required.
then
cat cerficate.crt privateKey.key > server.pem
then
openssl pkcs12 -export -in certificate.crt -inkey server.pem -out server.p12 -passout pass:passServerP12 -passin pass:passServer
Then to try it out:
openssl s_client -connect hostname:port
Hope i could help ;D