Tool to manage your own Certificate Authority

RMerlin

Asuswrt-Merlin dev
Staff member
We discussed it a few months ago in another thread on how we needed a simple way for people to be able to generate their own SSL certificates so they could start better protecting their internal devices. Eventually I had found that tool, but lacked time to start diving into it. I only recently remembered it was sitting on my system, and started looking into it these past few days.

https://hohnstaedt.de/xca/index.php

This tool provides you with a GUI for all of your keys and certificate management needs. You can (relatively) easily use it to create your own Certificate Authority, and sign your own certificates with it. All you have to do is import your own CA root certificate on your computers at home, and then start emitting certificates for all your internal devices that support them (like most NAS, and Asus routers for instance). The beauty of it is that once you import that root certificate, any certificate you sign with it will be recognized as trustworthy by your browsers. No more security alerts. My own Asus RT-AC88U for instance now looks like this in Chrome:

[Screenshot: the RT-AC88U's certificate shown as trusted in Chrome]

There's some learning curve involved however, especially if you're not familiar with how SSL certificates work. But tons of documentation on the web is available.

Ultimately, I believe the market still needs a simpler way to manage it, for SSL neophytes. But if you're willing to start learning, or if you're already quite familiar with them, XCA can be a great tool to easily secure your internal devices without having to constantly click to accept untrusted self-signed certificates.
 
Sweet, I'll dive into this once I finish up the beta upgrade & smart connect rules. While the insecure error was a minor annoyance, glad to see a permanent fix in the form of a CA :)

I haven't looked at the docs yet, and didn't see it mentioned. But, does it come with TLS 1.2 instead of SSLv3?
 
I haven't looked at the docs yet, and didn't see it mentioned. But, does it come with TLS 1.2 instead of SSLv3?

Certificate generation is unrelated to the protocol used by the client/servers.
 
I have been using this at home for a few years now and still love it.
 
Sounds like a great opportunity for someone to write up a basic 'how-to' guide tailored to generating the certs for a typical home setup :)

Yes. They do have a starting point on their website (wish I had seen it before fiddling with it on my own). But there's potential for a well-written guide there. (@thiggins, too far from your usual field of expertise to have a shot at something like that for SNB?)
 
There's some learning curve involved however, especially if you're not familiar with how SSL certificates work. But tons of documentation on the web is available.

Ultimately, I believe the market still needs a simpler way to manage it, for SSL neophytes. But if you're willing to start learning, or if you're already quite familiar with them, XCA can be a great tool to easily secure your internal devices without having to constantly click to accept untrusted self-signed certificates.

Neat tool - there are command line options for generating keys and managing them, but they are a bit obtuse and the learning curve for those utilities is steep - XCA will make this easier for those new to key management and creating/maintaining a PKI. The XCA manual and tutorials go a long way to explain and teach new users (as well as experienced folks that have to manage keys).

One thing to point out - they're in need of translators to maintain several languages - Spanish, Turkish, and Russian, and the author is open to someone that may want to contribute some time and effort to update and maintain those translations.
 
Neat tool - there are command line options for generating keys and managing them, but they are a bit obtuse and the learning curve for those utilities is steep

And even EasyRSA was only a minor step forward (I use EasyRSA to manage certs for my customers with OpenVPN servers). XCA got me to finally manage a CA and emit my own certificates for my LAN devices. Importing the CA certificate on two computers so all my certs can be trusted is a nice convenience (and it took care of some major issues I was having with my Asuswrt development setup).
 
And even EasyRSA was only a minor step forward (I use EasyRSA to manage certs for my customers with OpenVPN servers). XCA got me to finally manage a CA and emit my own certificates for my LAN devices. Importing the CA certificate on two computers so all my certs can be trusted is a nice convenience (and it took care of some major issues I was having with my Asuswrt development setup).

Yep, I agree...

@thiggins - gentle nudge here for cert management - this is relevant for the SNB community...

XCA isn't a science project, they've been around for quite some time, and there is a lot of benefit here for small business folks...
 
Or I suppose someone else could write it, and resell it to Tim for publication - not sure how Tim handles article contributions.
 
I have been able to get by using a standard wildcard certificate to secure most things. If only VMware would support wildcard certs in ESXi...
 
Just thought I'd give this one a refresh... anybody?

I may end up giving it a try and stumbling my way through it... @RMerlin, any hints/gotchas you encountered that you remember?
 
I just had a look at the XCA website today and noticed there is a new version of the application (I was still on 1.40).
Think I will do the update to 2.01 this weekend.

I was planning to write something about the usage of XCA like requested, but noticed almost all I wanted to write about is already on the XCA site.
Did you have a look at his Step by Step guides? http://hohnstaedt.de/xca/index.php/documentation/stepbystep
 
Just thought I'd give this one a refresh... anybody?

I may end up giving it a try and stumbling my way through it... @RMerlin, any hints/gotchas you encountered that you remember?
Plan things ahead. Do a few experiments, then when confident delete everything and start anew.

I created a template for my home use; it makes it easier to issue certificates for all my devices.

I'd have to check my configs to remember the details, I'm not in front of my PC at the moment.
 
BTW thanks for the heads up about 2.0.1. I only monitor the SF site, and they are still at 1.4.1 there.
 
Just thought I'd give this one a refresh... anybody?

I may end up giving it a try and stumbling my way through it... @RMerlin, any hints/gotchas you encountered that you remember?

Prior knowledge of how SSL certs work definitely helps. My recommendation:

1) Decide what local domain you wish to use on your LAN if you don't already have one. myhome.lan, etc...
2) Decide if you want to create a different private key per certificate, or reuse the same key for each. The latter is obviously less secure, but if it's just to cover your LAN devices, might be simpler to have only one key. What I did here is create one key dedicated to my LAN devices (routers, NAS, etc...). Anything that requires more security, I create a unique key.
3) Create your CA
4) Create a template that you will use for your certs. The important fields to look for (that I can remember) are the X509 SAN (so you can have, for instance, 192.168.1.1, myrouter, and myrouter.myhome.lan all valid), and certificate type. Here is my template:

[Screenshot: XCA certificate template settings]

Also pay attention to the expiration date, both for the CA and your certs. Personally I went with 10 years.
 
Well, this turned out to be pretty simple... just followed the step-by-step guide and Merlin's hints :) Used a common private key for all my local devices.

[Screenshot: XCA database]

And my CA loaded in Firefox

[Screenshot: the CA certificate loaded in Firefox]

Only 'quirk' I ran into is that I had to repeat the Common Name in the Subject Alternative Names for it to be recognized.
And, I had to make a couple of tweaks on my fork to make it easier to import the new cert.
 
Only 'quirk' I ran into is that I had to repeat the Common Name in the Subject Alternative Names for it to be recognized.

This is actually normal. In fact, the CN attribute is being deprecated, in favor of the SAN attribute.

Also, IE has problems with the DNS field, so when specifying an IP, you'll want to specify it both as a DNS and an IP within the SAN attributes.
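As an added example (not part of this thread or of the XCA project), the recommendation list above and the CN/SAN point in this post, carried out with Go's standard library instead of the XCA GUI: a self-signed root, a device certificate whose SAN lists the IP, short name and FQDN from step 4, and the trust check a browser performs. Name matching uses the SAN only, which is why a name present solely in the Common Name is not recognized. "MyHome Root CA", myhome.lan and the function names are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// NewKey makes a CA or device key; per step 2 one device key may be shared by all LAN devices.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// sign sets the validity window (the post chose 10 years), signs tpl with parent/priv and parses the result.
func sign(tpl, parent *x509.Certificate, pub any, priv *rsa.PrivateKey, years int) (*x509.Certificate, error) {
	tpl.NotBefore, tpl.NotAfter = time.Now().Add(-time.Hour), time.Now().AddDate(years, 0, 0)
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA self-signs the root of step 3 ("MyHome Root CA" is an assumed name).
func NewCA(key *rsa.PrivateKey, years int) (*x509.Certificate, error) {
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "MyHome Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return sign(tpl, tpl, &key.PublicKey, key, years)
}

// IssueDeviceCert is the step 4 template: a server certificate whose SAN lists every
// DNS name and IP the device answers to (e.g. 192.168.1.1, myrouter, myrouter.myhome.lan).
func IssueDeviceCert(ca *x509.Certificate, caKey, devKey *rsa.PrivateKey, cn string, dns []string, ips []net.IP, years int) (*x509.Certificate, error) {
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // "certificate type": server
		DNSNames:    dns, IPAddresses: ips,
	}
	return sign(tpl, ca, &devKey.PublicKey, caKey, years)
}

// TrustedFor asks what a browser asks: does leaf chain to our imported root, and is it valid
// for the name in the address bar? Like browsers, Go matches the SAN only, so a CN-only name fails.
func TrustedFor(leaf, ca *x509.Certificate, name string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err == nil
}
```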
 