OpenSSL self signed certificate entirely blocked - ssl

I created a self-signed certificate; now my problem is that Firefox, Safari and even IE will not allow me to visit my own page at all. I can't even click on ignore or similar. It will just block me from visiting mypage.io.
MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT certificate is not valid for 81.33.34.123 (fake ip)
My openssl certificate key and crt creation was like this:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.crt
It prompts me to enter some more details, and I think the problem is where it asks me about "Common Name (e.g. server FQDN or YOUR name)". I answered with www.mypage.io.
It's an unfinished project so I will not buy a certificate yet.

The trust is missing!
Please get a real certificate. You do not even have to buy one: https://letsencrypt.org/ provides them for free.
If you (for whatever reason) stick with your certificate:
IE: Import it to the trusted root certificate authority store (certlm.msc).
Mozilla: Look here
Alternatively, please find information on how to generate your own trust chain with OpenSSL here: How to make browser trust localhost SSL certificate?

Related

Don't ask questions when generating an SSL certificate

Sometimes I test an SSL website on my local machine. I was tired of using self-signed certificates and adding them to my Keychain on Mac (browser or other OS). Moreover, Chrome always complains about them. Moreover, this approach was a bit different from the one used in production.
I found this article very useful, where you create your own CA root certificate once, add it once to your keychain, and then use the CA private key to sign thousands of SSL test certificates for my local websites.
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
The tutorial works great but I would like to automate it. For the CA root certificate it was easy, I simply used the option -subj like this:
openssl req -x509 -new -nodes -key /certs/myCA.key -sha256 -days 1825 -subj "/C=$CA_COUNTRY/ST=$CA_STATE/L=$CA_CITY/O=$CA_ORGANIZATION/CN=$CA_COMMON_NAME" -out /certs/myCA2.pem
where the environment variables (CA_COUNTRY, CA_STATE, CA_CITY, CA_ORGANIZATION, CA_COMMON_NAME) are read from an external file.
However, when I tried to replicate the same thing for the website certificate I wasn't able to get the same result. The command is this:
openssl x509 -req -in dev.deliciousbrains.com.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out dev.deliciousbrains.com.crt -days 825 -sha256 -extfile dev.deliciousbrains.com.ext
It seems that the -subj option doesn't work. Is there a way to pass the info above to this command and avoid interactive questions?
The command you show openssl x509 -req -CA/-CAkey ... does not ask any questions except the key password if there is one (which if you followed the instructions at the linked page there is). It is the preceding command to create the CSR openssl req -new that prompts for the subject name, and for that (like the command for creating the CA cert which is also req but with -x509 -- note -x509 is not the same as x509) you can use -subj. The statement on that page that "your answers don’t matter" isn't quite correct; it is true that when you use SubjectAlternativeName in the leaf cert, as that page advises/directs, the value of Subject is ignored for (at least) HTTPS server identification, but it must (still) be different from the name used for the CA to allow certificate validation to work. Standards allow the Subject name in a leaf cert to be empty when SAN is used (and empty is always different from nonempty and a nonempty name is required in the CA cert) but OpenSSL doesn't handle that case.

Page is working but showing "Not Secure" sign on browser (configured with Traefik v2 using self-signed cert)

I apologize if this is a silly rookie question; I'm not really experienced in dealing with SSL / HTTPS, so please help me out.
I have a docker swarm setup and use Traefik to handle all the HTTPS services. When I first load the page (take the grafana page for example), there is a warning page and I click "Advanced" and "Proceed (accept risk)"; then the page displays and works just fine, the only problem is the "Not Secure" sign showing in the browser.
A few things could be contributing to this:
Self-created CA and self-signed cert: I'm at development stage so I created my own CA and signed the cert using openssl, and use this cert in Traefik dynamic configuration.
Command to generate CA:
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca.pem
Command to generate self-signed cert:
openssl req -newkey rsa:2048 -days 365 -nodes -keyout key.pem -out req.pem
openssl x509 -req -in req.pem -days 365 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out cert.pem
See attached screenshot for the errors of the certs: "Subject Alternative Name missing" & "This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID)."
Chrome Dev Tool Certificate Error
Traefik configuration: Not using Let's Encrypt since I don't have an account, so using my own self-signed cert. I don't think this is the issue because I can see the page is using the cert I provided. But if anyone has similar experience with Traefik v2 maybe can give me some pointer if there is anything I set wrong?
Dynamic configuration file that declares the certs:
tls:
  stores:
    default:
      defaultCertificate:
        certFile: configuration/cert.pem
        keyFile: configuration/key.pem
Question:
Is a missing SAN a really important factor that causes my page to be not secure? If yes, how can I add a SAN while creating the cert with openssl?
I understand that the 2nd error "ERR_CERT_AUTHORITY_INVALID" means the browser doesn't recognize the cert's validity. Does that mean I have to install my CA? Where and how do I install it? Is it on docker swarm's manager node (this is where the Traefik service and the certs are), or is it on any client's machine that is trying to access the page?
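The non-interactive procedure from the -subj answer above, combined with the missing-SAN error in this question, as an added example that is not from either thread: a CA and a leaf certificate are created with -subj only, the hostname goes into a Subject Alternative Name through the -extfile, and openssl verify then performs the same chain-and-hostname check a browser does. The hostname dev.example.test, the subject names and the file names are assumptions.

```shell
#!/bin/sh
# Added example: non-interactive CA + leaf certificate with a SAN, then verification.
set -eu

make_ca() {              # $1 = output directory (file names are assumed placeholders)
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 1825 \
    -subj "/O=Local Dev CA/CN=Local Dev Root" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

make_leaf() {            # $1 = output directory, $2 = hostname for the SAN
  # -subj belongs on 'req -new' (the CSR step); 'x509 -req' never prompts for a subject.
  # The leaf subject must differ from the CA subject for chain building to work.
  openssl req -new -nodes -newkey rsa:2048 -sha256 \
    -subj "/CN=$2" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  # Extensions browsers check on a server certificate: SAN, not a CA, serverAuth.
  cat > "$1/leaf.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$2
EOF
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$1/leaf.ext" \
    -out "$1/leaf.crt" 2>/dev/null
}

# Chain + hostname validation, mirroring what a browser does. Prints OK or FAIL.
verify_leaf() {          # $1 = directory, $2 = hostname the client expects
  if openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" \
       "$1/leaf.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_ca "$d"
  make_leaf "$d" dev.example.test
  verify_leaf "$d" dev.example.test     # OK: trusted chain and matching SAN
  verify_leaf "$d" other.example.test   # FAIL: same cert, wrong hostname
fi
```

A browser that trusts ca.pem (imported into its root store) then accepts leaf.crt for dev.example.test without any warning; the second call shows the name-mismatch failure from the first question on this page.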

How to generate a self-signed certificate that does not trigger warnings in browsers?

I am generating a simple self-signed certificate via a simple PowerShell script leveraging openssl and then use the pfx certificate in a simple ASP.NET Core 2.0 application for enabling HTTPS.
function New-SelfSignedCertificate([string] $BaseName = 'localhost', $CommonName = 'localhost', [UInt16] $DayCount, [string] $Pass = 'somepassword')
{
    &openssl req -new -x509 -newkey rsa:2048 -keyout "$BaseName.key" -out "$BaseName.cer" -days "$DayCount" -subj /CN="$CommonName" -passout "pass:$Pass"
    &openssl pkcs12 -export -password "pass:$Pass" -passin "pass:$Pass" -out "$BaseName.pfx" -inkey "$BaseName.key" -in "$BaseName.cer"
    Remove-Item -Path "$BaseName.key"
    Remove-Item -Path "$BaseName.cer"
    Remove-Item -Path '.rnd'
}
The problem with my certificate is that it triggers a lot of warnings on every browser: Chrome, Opera, Firefox (e.g. SEC_ERROR_UNKNOWN_ISSUER), IE11 (e.g. DLG_FLAGS_INVALID_CA) and Edge (DLG_FLAGS_INVALID_CA and DLG_FLAGS_SEC_CERT_CN_INVALID). Is there anything I can do at generation time to avoid those warnings? (i.e. besides manually adding the certificate to the Trusted Root category)
It seems the issuer cannot be identified; I mean, how can the certificate be judged in a way that the browser would say, without user intervention, "ok you can go to the Trusted Root Certificate Authorities"? (i.e. looking for convenience during the development stage).
Is there anything I can do at generation time to avoid those warnings? (i.e. besides manually adding the certificate to the Trusted Root category)
Either you don't understand the concept behind trusting a certificate or I don't understand your problem. The main idea behind the certificate validation is that the browser will detect if some hacker is diverting or intercepting your connection in order to impersonate some trusted site or to sniff sensitive (encrypted) data during a man in the middle attack.
If anybody could automatically add a CA or a certificate as trusted to the browser, i.e. without any notice to the user, then anybody could create a certificate for an arbitrary web site (like paypal.com, google.com..) and use this inside such an attack without the browser being able to detect the attack.
I mean, how can the certificate be judged in a way that the browser would say, without user intervention, "ok you can go to the Trusted Root Certificate Authorities"?
This cannot be set in any way by the certificate itself. Only the user, administrator or developer of the system/browser can decide whether a new CA should be considered trusted.

Wakanda SSL: Use a stronger certificate hash function than SHA-1?

Following the Wakanda SSL Documentation, I've set up a self-signed certificate to test before I engage a certificate authority. However, Firefox lets me know that my webserver is using a SHA-1 certificate (below), which is undesirable; I want at least SHA-256.
Is there a way to control this; do I have any options here?
Wakanda doesn't actually provide a certificate.
Wakanda uses the certificate you provide.
All you need to do is get a new certificate.
You can take your existing CSR to a certificate authority and purchase a signed certificate, and it will be SHA256. You can even use https://www.startssl.com and get a signed SHA256 certificate for free.
If you want to go self-signed then just make sure to use the -sha256 parameter like this:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:1024 -keyout key.pem -out cert.pem

Not able to download and install IBM installer application using an iPad (iOS 7.1)

I deployed the IBM app center on IBM worklight server 6.1 and enabled the SSL by generating SSL certificate using Liberty core's common utility and updated the server.xml according to that.
When I am accessing the link https://<serverIP>:<sslPort>/appcenterconsole/inst.html
it shows the SSL error "SSL certificate not matches the server URL". This is my first problem.
On Chrome it shows an option to proceed anyway; after that I am able to access the page which has the IBM App Center installer application using my username and password.
But when I click on the link of the application to download and install the app, it shows the message "Cannot connect to <serverIP>". This is my second problem.
You generated a self-signed certificate. Per documentation, IBM Application Center does not support self-signed certificates. You need to purchase an official SSL certificate from a certificate authority. This limitation actually comes from iOS.
There is a complex workaround, but I recommend this only for testing. The workaround is not really suitable for production:
Generate a special self-signed certificate with the CA flag set to true. This makes the certificate also a certificate authority. Note: Most instructions on the web are only valid for self-signed certificates with the CA flag set to false. If you use openssl, use the options -reqexts v3_req -extensions v3_ca.
Import this SSL certificate into your device. See here and in its subsections for details. This should also work for 6.1 even though the documentation link is for 6.2
Install this certificate for your webserver and proceed as usual.
You don't need to purchase anything; you just need to create a CA certificate with an Apple Mac, install it on the device and you will be allowed to download the apps, easy peasy.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt -reqexts v3_req -extensions v3_ca
Put your domain in the name field when required.
then
cat certificate.crt privateKey.key > server.pem
then
openssl pkcs12 -export -in certificate.crt -inkey server.pem -out server.p12 -passout pass:passServerP12 -passin pass:passServer
Then to try it out:
openssl s_client -connect hostname:port
Hope I could help ;D
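An added inspection helper, not from any of the threads on this page, that reports the certificate properties the browsers and devices above complain about: the signature digest (the Wakanda SHA-1 thread), key size, the Subject Alternative Name (the Traefik thread) and the basicConstraints CA flag (this thread). The constructed sample uses -addext, which assumes OpenSSL 1.1.1 or later; the hostname and file names are assumptions.

```shell
#!/bin/sh
# Added example: read back from a certificate what browsers actually evaluate.
set -eu

# Signature digest, e.g. "sha256WithRSAEncryption" (a SHA-1 cert shows sha1With...).
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# Public key size in bits, e.g. 2048.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1
}

# "yes" if the cert carries a Subject Alternative Name extension, else "no".
cert_has_san() {
  if openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'; then
    echo yes
  else
    echo no
  fi
}

# "TRUE" if basicConstraints marks the cert as a CA, "FALSE" otherwise
# (an absent basicConstraints extension counts as FALSE here).
cert_is_ca() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo TRUE
  else
    echo FALSE
  fi
}

# One-line summary: sig=<digest> key=<bits> san=<yes|no> ca=<TRUE|FALSE>
cert_report() {
  printf 'sig=%s key=%s san=%s ca=%s\n' "$(cert_sig_alg "$1")" \
    "$(cert_key_bits "$1")" "$(cert_has_san "$1")" "$(cert_is_ca "$1")"
}

# Constructed sample: self-signed like the -sha256 answer above, plus a SAN via -addext.
make_sample_cert() {   # $1 = output certificate path, $2 = hostname for the SAN
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
  make_sample_cert /tmp/sample.pem dev.example.test
  cert_report /tmp/sample.pem   # sig=sha256WithRSAEncryption key=2048 san=yes ca=...
fi
```

Run cert_report against cert.pem from the Traefik thread and the "Subject Alternative Name missing" error corresponds to san=no; against the -extensions v3_ca certificate from this thread it shows ca=TRUE.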