I simulate a CA on a CentOS 7 host (azcn-gs1-nginx2), and use the CA to sign a certificate for a server (azcn-gs1-nginx1).
Below are what I do:
On CA azcn-gs1-nginx1, generate key
cd /etc/pki/CA/private/
openssl genrsa -aes128 -out testCA.key 2048
Generate CA certificate
openssl req -new -x509 -days 1825 -key /etc/pki/CA/private/testCA.key -out /etc/pki/CA/certs/testCA.crt
On the server azcn-gs1-nginx2, generate the private key and certificate signing request.
openssl genrsa -out /etc/pki/tls/private/newServer.key 1024
openssl req -new -key /etc/pki/tls/private/newServer.key -out /etc/pki/tls/newServer.csr
Copy newServer.csr to CA host for signing.
scp /etc/pki/tls/newServer.csr root@azcn-gs1-nginx2:~/newServer.csr
On CA host, sign the newServer.csr, and copy back the newServer.crt
to server azcn-gs1-nginx2.
openssl x509 -req -in ./newServer.csr -CA /etc/pki/CA/certs/testCA.crt -CAkey /etc/pki/CA/private/testCA.key -CAcreateserial -out newServer.crt -days 1461
scp newServer.crt root@azcn-gs1-nginx2:/etc/pki/tls/certs/newServer.crt
Server azcn-gs1-nginx2 is a reverse proxy for a web service. I configure newServer.key and newServer.crt in nginx for HTTPS.
ssl_certificate /etc/pki/tls/certs/newServer_1.crt;
ssl_certificate_key /etc/pki/tls/private/newServer.key;
I am on another Ubuntu host. I import the CA's certificate testCA.crt into the Ubuntu truststore, as below:
cp testCA.crt /usr/local/share/ca-certificates/
update-ca-certificates
Ubuntu's built-in browser is Firefox. I also import testCA.crt into Firefox's truststore. Please see the attached pic.
I open the Firefox browser and visit the web server over HTTPS. The expected result is that it directly opens the web page without a security warning.
Unfortunately, it gives the warning "Your connection is not secure.....",
and it looks like the certificate only contains the certificate itself. It doesn't contain the CA's certificate.
Why this happen? How can I get a signed certificate with the CA's certificate in Chain?
Thanks & regards,
Jie
Thanks for your comments.
That's right.
Actually, it is very simple. The 2 .crt files of CA and server can be concatenated into one .crt. Then the certificate chain is a whole.
Right, the pictures of 2 and 3 are other problems.
Thanks,
Jie
I understand to use https with Vue CLI I can set "https: true" under devServer in a vue.config.js file, but I also need a self signed certificate.
I've tried generating a self signed one using OpenSSL and using the following in my vue.config.js file to target:
const fs = require('fs');
module.exports = {
devServer: {
port: '8081',
https: {
key: fs.readFileSync('./certs/server.key'),
cert: fs.readFileSync('./certs/server.cert'),
},
},
};
Chrome confirms it's using my certificate but still shows https as "Not secure"
How can I make chrome assess my self signed certificate as secure when providing it via Vue CLI?
Simply enter this in your Chrome
chrome://flags/#allow-insecure-localhost
Set to Enabled, restart Chrome, and you're good to go.
My problem was that everybody talks about putting the cert properties in the "https" child configuration node, but this doesn't work, you have to put it in the devServer config node:
module.exports = {
devServer: {
port: '8081',
https: {
key: fs.readFileSync('./certs/server.key'),
--> this is WRONG
This is the correct way:
const fs = require('fs');

module.exports = {
  devServer: {
    disableHostCheck: true,
    port: 8080,
    host: 'xxxxxx',
    // the cert properties sit directly under devServer, next to "https: true"
    https: true,
    //key: fs.readFileSync('./certs/xxxxxx.pem'),
    //cert: fs.readFileSync('./certs/xxxxxx.pem'),
    pfx: fs.readFileSync('./certs/xxxxxx.pfx'),
    pfxPassphrase: "xxxxxx",
    public: 'https://xxxxxx:9000/',
    hotOnly: false,
  }
};
Use the network path rather than loopback or localhost. For example
https://192.168.2.210:8080/
works fine, while
https://localhost:8080/ and https://127.0.0.1:8080 balk at the certificate problem.
You are doing right, but you also have to add the self-signed cert inside certification authorities of your browser, as it is self-signed.
Instead of using a self-signed certificate, you can also create a root certificate, and then generate a localhost or other server identifier certificate. I recommend this solution because this way you can generate certificates for all non production environments and import only one custom certification authority.
There are many sites where you can find how to do it, one of them I think it's very clear is How to create an HTTPS certificate for localhost domains. Basically you have to follow these steps described in that link:
Generate certification authority key:
openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 -keyout RootCA.key -out RootCA.pem -subj "/C=US/CN=Example-Root-CA"
Here we have to change the parameters as we wish, mainly the -subj parameter.
Generate certificate for certification authority
openssl x509 -outform pem -in RootCA.pem -out RootCA.crt
Generate key for localhost
openssl req -new -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.csr -subj "/C=US/ST=YourState/L=YourCity/O=Example-Certificates/CN=localhost.local"
Where you have to change -subj as you need or leave it that way.
Generate localhost certificate by creating a certificate config file and request openssl to generate it.
This is the certificate config file:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = fake1.local
DNS.3 = fake2.local
And this is the command to generate the certificate:
openssl x509 -req -sha256 -days 1024 -in localhost.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile domains.ext -out localhost.crt
Once you have the certificate, you have to import the certification authority into your preferred browser. You can also follow steps 3 and 4 for every server or virtual machine you need for development and use them without needing to import new certification authorities into your browser.
If you have legit certificates Chad Carter gives a good explanation here: https://stackoverflow.com/a/57226788/2363056
The steps are as follows:
create vue.config.js in your projects root (if not there already)
add the following code to it:
const fs = require('fs')
module.exports = {
  devServer: {
    port: 8080,
    host: 'example.com',
    https: true,
    key: fs.readFileSync('/etc/ssl/keys/example.com.pem'),
    cert: fs.readFileSync('/etc/ssl/keys/example.com/cert.pem'),
    hotOnly: false,
  }
};
when serving your project, ensure https is enabled (ie. $ vue-cli-service serve --https true)
I use mkcert to create a trusted HTTPS cert on Windows.
mkcert.
The last thing you should do is open your OS explorer and click the install.bat file.
I have Tomcat-Apache set up to serve my application using 443(Apache).
Configured Apache for root certificate and key for enabling HTTPS access for my application.
On the server I had to install this certificate into the user's personal store for HTTPS access.
The problem is that if a client wants to access it, they need to manually install the certificate first. These are self-signed certificates generated via OpenSSL.
openssl req -new -x509 -days 1024 -key ca.key -out ca.crt -config openssl.cnf
Is there a way to configure Apache, or install certificate in another store for client to trigger auto installation of certificate while accessing the site?
I've set up an internal pypi server for internal projects.
It's hosted at https://<USER>:<PASS>@<INTERNAL>/pypi with a self-signed certificate.
I can get pip to use this repository in addition to the central pypi server using extra-index-url in ~/.pip/pip.conf. As the certificate of my server is self-signed, and pip isn't using the system-wide (keychain) certificates, I've made it aware of it using cert = ... in the config file:
extra-index-url = https://<USER>:<PASS>@<INTERNAL>/pypi
cert = /path/to/cert.pem
Now, whenever I install something using pip install, I get a warning that the certificate can't be verified for https://pypi.python.org:
$ pip install <PACKAGE-NAME>
Collecting <PACKAGE-NAME>
Could not fetch URL https://pypi.python.org/simple/<PACKAGE-NAME>/:
There was a problem confirming the ssl certificate: [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) -
skipping
Is there any way to tell pip only to use the self-signed certificate only for the extra-index-url repository?
Pip uses its certificate bundle (a file) that can be found by running:
python -m pip._vendor.requests.certs
The bundle is just a file with certificates concatenated, one after another. We want to tell pip to use those AND our certificate,
so generate a new file using
cat $(python -m pip._vendor.requests.certs) /path/to/my/cert.pem > /path/to/my/bundle.pem
and make sure your .pip/pip.conf file contains something along these lines:
[global]
extra-index-url = https://user:pass@my-pypi.com
cert = /path/to/my/bundle.pem
Finally, you might want to periodically update /path/to/my/bundle.pem (in a cronjob or whatever).
Other notes
I also got the following error:
SubjectAltNameWarning: Certificate for my-pypi.com has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
Normally, you'd create a certificate something like:
openssl req -new -x509 -nodes -key my.key -out cert.csr -days 365
Instead, copy your openssl.cnf (possibly in /etc/pki/tls/openssl.cnf) to your working directory, and add an extension by adding the following to the end of the file:
[ san_env ]
subjectAltName=DNS:mypypi.com
and generating your certificate with
openssl req -new -x509 -nodes -key my.key -out cert.csr -days 365 -config openssl.cnf -extensions san_env
In addition, pip wants your certificate in a different format, which can be generated using
openssl x509 -inform der -in cert.cer -out cert.pem
This file cert.pem can be concatenated with the python ca bundle as described above to generate your custom bundle.
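The three threads above end up at the same place: a private root CA, a server certificate that carries a subjectAltName (the SubjectAltNameWarning and the Chrome "Not secure" badge both come from relying on commonName), a chain file for the web server, and a CA bundle that clients such as pip can be pointed at. The script below is an added example, not code from any of the posts; it runs the whole procedure offline and then checks each artifact with openssl verify. The temporary work directory, the CA name "Example Dev Root CA" and the host name app.example.test are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not code from any post on this page): a private root CA that
# issues a leaf certificate with a subjectAltName, the leaf+root chain file
# nginx needs, and a custom CA bundle of the kind pip's "cert =" setting wants.
# The work directory, the CA name and the host app.example.test are assumptions.
set -u
WORK="${WORK:-$(mktemp -d)}"
HOST="app.example.test"

# Minimal config for "openssl req": -subj supplies the DN, so [dn] stays empty.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Root extensions: a CA that may sign certificates and CRLs; pathlen:0 keeps
# it from issuing intermediate CAs.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Leaf extensions: not a CA, server use only, and the SAN that browsers and
# urllib3 match against instead of the commonName.
cat > "$WORK/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:${HOST}
EOF

build_pki() {
    # 1. root key and self-signed root certificate carrying the CA extensions
    openssl genrsa -out "$WORK/rootCA.key" 2048 2>/dev/null || return 1
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/rootCA.key" \
        -subj "/O=Example Dev/CN=Example Dev Root CA" -out "$WORK/rootCA.csr" || return 1
    openssl x509 -req -sha256 -days 1825 -in "$WORK/rootCA.csr" -signkey "$WORK/rootCA.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/rootCA.pem" 2>/dev/null || return 1
    # 2. leaf key and CSR (the part that is generated on the web server)
    openssl genrsa -out "$WORK/leaf.key" 2048 2>/dev/null || return 1
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/leaf.key" \
        -subj "/CN=${HOST}" -out "$WORK/leaf.csr" || return 1
    # 3. the CA signs the CSR; "x509 -req" takes extensions from -extfile, not from the CSR
    openssl x509 -req -sha256 -days 825 -in "$WORK/leaf.csr" \
        -CA "$WORK/rootCA.pem" -CAkey "$WORK/rootCA.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null || return 1
    # 4. chain for ssl_certificate: leaf first, then its issuer
    cat "$WORK/leaf.pem" "$WORK/rootCA.pem" > "$WORK/fullchain.pem" || return 1
    # 5. CA bundle for clients: the system bundle, when one is found, plus our root
    make_bundle
}

make_bundle() {
    : > "$WORK/bundle.pem"
    for f in /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/cert.pem; do
        if [ -r "$f" ]; then cat "$f" >> "$WORK/bundle.pem"; break; fi
    done
    cat "$WORK/rootCA.pem" >> "$WORK/bundle.pem"
}

# Number of PEM certificates in a file: 1 for the bare leaf, 2 for the chain.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# True when the certificate lists the DNS name in its subjectAltName.
has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

# Chain validation plus hostname check against the given trust store file.
verify_leaf() { openssl verify -CAfile "$1" -verify_hostname "$2" "$WORK/leaf.pem" >/dev/null 2>&1; }

# The same leaf against the default system store fails until the root is
# imported there, which is the browser warning in the first thread.
trusted_by_system_store() { openssl verify "$WORK/leaf.pem" >/dev/null 2>&1; }

if build_pki; then
    echo "artifacts in $WORK; fullchain.pem holds $(cert_count "$WORK/fullchain.pem") certificates"
    verify_leaf "$WORK/rootCA.pem" "$HOST" && echo "leaf.pem: OK against rootCA.pem for $HOST"
    trusted_by_system_store || echo "leaf.pem: not trusted by the system store (import rootCA.pem first)"
fi
```

Point nginx's ssl_certificate at fullchain.pem and ssl_certificate_key at leaf.key; point pip's cert = at bundle.pem; import only rootCA.pem into the browser or OS store. A verify against rootCA.pem with a different -verify_hostname fails, which is the check a client performs and the reason the SAN has to name every host the certificate will serve.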
I'm setting up a mysql server and am trying to have a mysql client connect to it over SSL. I'm going to be using a self signed certificate for the same. Reading the MySQL documentation on setting up SSL I see that I have to specify the path to the following files :-
the SSL root CA
the SSL certificate
the SSL private key
In this particular case, should I be setting both the root CA and the certificate to my self signed certificate?
Example of how to create properly a Self-Signed SSL Certificate.
Su to root and create a directory that only the root account has access to.
su -
mkdir certificates
chmod 700 certificates
cd certificates
Use openssl to generate a server key
openssl genrsa -des3 -out server.key 4096
Openssl will request a pass phrase. Type in a sentence that is long and complex but that you can remember (you'll have to type it at least twice). Try to make it at least 40 characters long, with punctuation and capital and lowercase letters. The more different characters you use the better.
Then create the certificate signing request with the server key you created in step 2.
openssl req -new -key server.key -out server.csr
Sign your certificate using SSL.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
You can set your certificate for any number of days, but I recommend 365 so that you remember to update it once a year.
Once you're done, you'll have the following files:
server.crt: The self-signed server certificate
server.csr: Server certificate signing request
server.key: The private server key, does not require a password when starting Apache
Place those files where they are required for your Web server, and turn on HTTPS. (If you don't know how, contact your server administrator.)
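As an added example for this thread (not part of the answer above), the following script produces a self-signed server certificate in a single openssl req -x509 step, with the subjectAltName supplied through an extension section in a small config file, and then performs the two checks a MySQL client relies on when there is no separate CA: the issuer equals the subject, and the certificate validates when the same file is used as the CA file. The host name db.example.test and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the answer above: one-step self-signed server
# certificate with a SAN, verified as its own trust anchor. db.example.test and
# the work directory are assumptions.
set -u
WORK="${WORK:-$(mktemp -d)}"
DBHOST="db.example.test"

# [req] points at the extension section used when -x509 is given.
cat > "$WORK/server.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
[dn]
[v3_server]
extendedKeyUsage = serverAuth
subjectAltName = DNS:${DBHOST}, IP:127.0.0.1
subjectKeyIdentifier = hash
EOF

# -nodes leaves the key unencrypted so the daemon can start unattended; the
# file mode, not a pass phrase, protects it.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORK/server.cnf" -subj "/CN=${DBHOST}" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null || return 1
    chmod 600 "$WORK/server.key"
}

# On a self-signed certificate the subject DN and the issuer DN are identical.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer//')
    [ "$subj" = "$iss" ]
}

# With no separate CA, the server certificate itself is the "SSL root CA" a
# client is configured with: the same file serves as both.
verifies_as_own_anchor() {
    openssl verify -CAfile "$1" -verify_hostname "$DBHOST" "$1" >/dev/null 2>&1
}

if make_self_signed; then
    is_self_signed "$WORK/server.crt" && echo "server.crt is self-signed"
    verifies_as_own_anchor "$WORK/server.crt" && echo "server.crt verifies against itself for $DBHOST"
fi
```

Hand server.crt and server.key to the server and give the client server.crt as its CA file; swapping the CA file for any other certificate makes the verify step fail.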