Certificate auto installation for SSL communication [Client] - apache

I have Tomcat-Apache set up to serve my application on port 443 (Apache).
I configured Apache with the root certificate and key to enable HTTPS access to my application.
On the server I had to install this certificate into the user's personal store for HTTPS access.
The problem is that if a client wants to access it, they need to manually install the certificate first. These are self-signed certificates generated via OpenSSL.
openssl req -new -x509 -days 1024 -key ca.key -out ca.crt -config openssl.cnf
Is there a way to configure Apache, or to install the certificate in another store, so that the client triggers automatic installation of the certificate while accessing the site?

Related

Page is working but showing "Not Secure" sign on browser (configured with Traefik v2 using self-signed cert)

I apologize if this is a silly rookie question; I'm not really experienced in dealing with SSL/HTTPS, so please help me out.
I have a Docker Swarm setup and am using Traefik to handle all the HTTPS services. When I first load the page (take the Grafana page for example), there is a warning page; I click "Advanced" and "Proceed (accept risk)", then the page displays and works just fine. The only problem is the "Not Secure" sign showing in the browser.
A few things could be contributing to this:
Self-created CA and self-signed cert: I'm at the development stage, so I created my own CA and signed the cert using openssl, and I use this cert in the Traefik dynamic configuration.
Command to generate CA:
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca.pem
Command to generate self-signed cert:
openssl req -newkey rsa:2048 -days 365 -nodes -keyout key.pem -out req.pem
openssl x509 -req -in req.pem -days 365 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out cert.pem
See the attached screenshot for the cert errors: "Subject Alternative Name missing" and "This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID)."
Chrome Dev Tool Certificate Error
Traefik configuration: I'm not using Let's Encrypt since I don't have an account, so I'm using my own self-signed cert. I don't think this is the issue, because I can see the page is using the cert I provided. But if anyone has similar experience with Traefik v2, maybe you can give me some pointers if there is anything I set wrong?
Dynamic configuration file that declares the certs:
tls:
  stores:
    default:
      defaultCertificate:
        certFile: configuration/cert.pem
        keyFile: configuration/key.pem
Question:
Is a missing SAN really an important factor that causes my page to be not secure? If yes, how can I add a SAN while creating a cert with openssl?
I understand that the 2nd error "ERR_CERT_AUTHORITY_INVALID" means the browser doesn't recognize the cert's validity. Does that mean I have to install my CA? Where and how do I install it? Is it on the Docker Swarm manager node (this is where the Traefik service and the certs are), or on any client machine that is trying to access the page?

OpenSSL self signed certificate entirely blocked

I created a self-signed certificate; now my problem is that Firefox, Safari and even IE will not allow me to visit my own page at all. I can't even click on "ignore" or similar. They just block me from visiting mypage.io.
MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT certificate is not valid for 81.33.34.123 (fake ip)
My openssl certificate key and crt creation was like this:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.crt
It prompts me to enter some more details, and I think the problem is where it asks me about "Common Name (e.g. server FQDN or YOUR name)". I answered with www.mypage.io.
It's an unfinished project so I will not buy a certificate yet.
The trust is missing!
Please get a real certificate. You do not even have to buy one: https://letsencrypt.org/ provides them for free.
If you (for whatever reason) stick with your certificate:
IE: Import it to the trusted root certificate authority store (certlm.msc).
Mozilla: Look here
Alternatively, please find information on how to generate your own trust chain with OpenSSL here: How to make browser trust localhost SSL certificate?

Mosquitto with SSL, Why do I generate .csr?

I am not familiar with SSL/TLS; I am trying to set up my Mosquitto broker with SSL. For testing purposes, I am not using a real root CA; I created my own root CA. Here is how I think SSL works; correct me if I am wrong, I am a noob.
The root CA can issue second-layer CAs, certs and keys, and the client/server exchange this information; when one needs to verify the identity of the other, it brings this information to the root CA and asks if it is correct.
So, I followed the Mosquitto documentation and used OpenSSL to generate rootCA.crt, server.crt and server.key. I've also generated client.crt and client.key, so that when my client application connects to the Mosquitto broker, the broker can identify that connection.
I added the ca file, key file and cert file configuration to my local.conf. I restarted Mosquitto, and it works.
Then I used mosquitto_sub with ca.crt, client.crt and client.key to connect to the broker, and that works too.
What I don't understand is: why does the documentation teach me how to generate server.csr and client.csr?
I am guessing that if I am not the root CA, I need to send these CSRs to the real root CA for those certificates to become legit; is that what a CSR is for?
A .csr is a certificate signing request to be signed with your CA.crt and CA.key; you won't need to use it on your Mosquitto broker, only CA.crt and client.crt/key are required. If you want to test it out, download the MQTT.fx client to check your MQTT connection with these certificates. http://mqttfx.jensd.de/
The openssl command would be for example:
openssl x509 -req -in client.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out client.crt -days 365
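The following shell script is an added example and is not code from any of the posts above. It ties together three of the questions on this page: the Traefik question about how to add a subjectAltName with openssl, the "entirely blocked" question where the certificate did not cover the IP address and the answer pointed at generating your own trust chain, and the Mosquitto question about what the .csr is for. It builds a private CA, issues a server certificate from a CSR with a SAN covering both a DNS name and an IP address, issues a client certificate from a second CSR, and verifies each against the CA the way a browser (hostname match) or a broker (clientAuth purpose) would. It assumes OpenSSL 1.1.1 or newer is on PATH; the hostname grafana.example.test, the address 10.0.0.5, the subject names and all file names are placeholders.

```shell
#!/bin/sh
# Added example: private CA -> CSR -> signed server/client certs -> verification.
# Assumes OpenSSL 1.1.1+ on PATH. Host, IP and file names are placeholders.
set -e

# write_cnf DIR HOST IP: one config file with the DN plus the extension sections
# used for the CA, the server certificate and the client certificate.
write_cnf() {
    cat > "$1/cert.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = $2

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
# Browsers ignore the CN for name matching; the name and IP must be in the SAN.
subjectAltName = @alt_names

[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ alt_names ]
DNS.1 = $2
IP.1 = $3
EOF
}

# make_ca DIR: self-signed CA certificate with CA:TRUE (ca-key.pem, ca.pem).
make_ca() {
    openssl genrsa -out "$1/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 3650 -key "$1/ca-key.pem" \
        -subj "/CN=Example Dev CA" -config "$1/cert.cnf" -extensions ca_ext \
        -out "$1/ca.pem" 2>/dev/null
}

# issue_cert DIR NAME SECTION SUBJECT: new key + CSR for SUBJECT, then a cert
# signed by the CA with the extensions from SECTION. The CSR carries only the
# public key and requested DN; the CA chooses the extensions and signs.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2-key.pem" \
        -config "$1/cert.cnf" -subj "$4" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -days 365 \
        -CA "$1/ca.pem" -CAkey "$1/ca-key.pem" -CAcreateserial \
        -extfile "$1/cert.cnf" -extensions "$3" \
        -out "$1/$2.pem" 2>/dev/null
}

# verify_server DIR HOST: chain check plus hostname match, as a browser does it.
verify_server() {
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" "$1/server.pem"
}

# verify_client DIR: chain check for the clientAuth purpose, as a broker does it.
verify_client() {
    openssl verify -CAfile "$1/ca.pem" -purpose sslclient "$1/client.pem"
}

# san_of DIR: print the subjectAltName values of the server certificate.
san_of() {
    openssl x509 -in "$1/server.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1
}

# build_all DIR HOST IP: the whole pipeline.
build_all() {
    mkdir -p "$1"
    write_cnf "$1" "$2" "$3"
    make_ca "$1"
    issue_cert "$1" server server_ext "/CN=$2"
    issue_cert "$1" client client_ext "/CN=mqtt-client-1"
}

# Run the demo only when invoked as: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    build_all "$dir" grafana.example.test 10.0.0.5
    verify_server "$dir" grafana.example.test
    verify_client "$dir"
    san_of "$dir"
    echo "Import $dir/ca.pem (not server.pem) into the client's trust store."
fi
```

Run it with `sh cert-chain.sh demo`. The server (Traefik, Apache, the Mosquitto listener) gets server.pem and server-key.pem; the file that goes into each client's trust store is ca.pem, never the server certificate; and the broker verifies client.pem against the same ca.pem. Note that -CAcreateserial gives every issued certificate a distinct serial, whereas -set_serial 01 reused for several certificates from the same CA produces certificates that browsers may reject as duplicates.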

Not able to download and Install IBM installer application using an iPAD( iOS 7.1)

I deployed the IBM App Center on IBM Worklight Server 6.1 and enabled SSL by generating an SSL certificate using Liberty Core's common utility and updating the server.xml accordingly.
When I access the link https://<serverIP>:<sslPort>/appcenterconsole/inst.html
it shows an SSL error: the SSL certificate does not match the server URL. This is my first problem.
In Chrome it shows an option to proceed anyway; after that I am able to access the page which has the IBM App Center installer application, using my username and password.
But when I click on the link of the application to download and install the app, it shows the message "Cannot connect to <serverIP>". This is my second problem.
You generated a self-signed certificate. Per documentation, IBM Application Center does not support self-signed certificates. You need to purchase an official SSL certificate from a certificate authority. This limitation comes actually from iOS.
There is a complex workaround, but I recommend this only for testing. The workaround is not really suitable for production:
Generate a special self-signed certificate with CA flag set to true. This makes the certificate also a certificate authority. Note: Most instructions on the web are only valid for self-signed certificates with CA flag set to false. If you use openssl, use the options -reqexts v3_req -extensions v3_ca
Import this SSL certificate into your device. See here and in its subsections for details. This should also work for 6.1 even though the documentation link is for 6.2
Install this certificate for your webserver and proceed as usual.
You don't need to purchase anything; you just need to create a CA certificate with an Apple Mac, install it on the device and you will be allowed to download the apps, easy peasy.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt -reqexts v3_req -extensions v3_ca
Put your domain in the name field when required.
Then
cat certificate.crt privateKey.key > server.pem
Then
openssl pkcs12 -export -in certificate.crt -inkey privateKey.key -out server.p12 -passout pass:passServerP12
Then to try it out:
openssl s_client -connect hostname:port
Hope I could help ;D

MySQL over SSL with self signed certificate

I'm setting up a MySQL server and am trying to have a MySQL client connect to it over SSL. I'm going to be using a self-signed certificate for this. Reading the MySQL documentation on setting up SSL, I see that I have to specify the paths to the following files:
the SSL root CA
the SSL certificate
the SSL private key
In this particular case, should I be setting both the root CA and the certificate to my self signed certificate?
Example of how to properly create a self-signed SSL certificate.
Su to root and create a directory that only the root account has access to.
su -
mkdir certificates
chmod 700 certificates
cd certificates
Use openssl to generate a server key:
openssl genrsa -des3 -out server.key 4096
OpenSSL will request a pass phrase. Type in a sentence that is long and complex but that you can remember (you'll have to type it at least twice). Try to make it at least 40 characters long, with punctuation and capital and lowercase letters. The more different characters you use, the better.
Then create the certificate signing request with the server key you created in step 2.
openssl req -new -key server.key -out server.csr
Sign your certificate using OpenSSL.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
You can set your certificate for any number of days, but I recommend 365 so that you remember to update it once a year.
Once you're done, you'll have the following files:
server.crt: The self-signed server certificate
server.csr: Server certificate signing request
server.key: The private server key, does not require a password when starting Apache
Place those files where they are required for your Web server, and turn on HTTPS. (If you don't know how, contact your server administrator.)