
Tool to manage your own Certificate Authority

This is actually normal. In fact, the CN attribute is being deprecated in favor of the SAN attribute.
Live and learn... maybe save someone else having to rediscover it.
Also, IE has problems with the DNS field, so when specifying an IP, you'll want to specify it both as a DNS and an IP within the SAN attributes.
Yes (I'm actually the one who found the IE tidbit :) )... I remembered that one.
Another good reminder for anyone else setting this up.
 
If you don't mind using the command line, this is a great tool that makes it easy to A) create your own cert authority, B) automatically configure your browser to use that authority, and C) create a certificate signed by that authority for your hostname/IP address: https://github.com/FiloSottile/mkcert. I used it to create a cert for my Asuswrt-Merlin instance; it worked great. The tool appears to have been created and maintained by a Google engineer and is open source.
 
Hi, my first post on SNB. Question for dummies: where exactly do I need to install the new certificate to stop getting warnings when accessing the local HTTPS of my Asus Merlin router 384.17? Do I need to restart/configure the web service to pick it up?
 
We discussed it a few months ago in another thread: we needed a simple way for people to be able to generate their own SSL certificates so they could start better protecting their internal devices. Eventually I found that tool, but lacked time to start diving into it. I only recently remembered it was sitting on my system, and started looking into it these past few days.

https://hohnstaedt.de/xca/index.php

This tool provides you with a GUI for all of your key and certificate management needs. You can (relatively) easily use it to create your own Certificate Authority, and sign your own certificates with it. All you have to do is import your own CA root certificate on your computers at home, and then start emitting certificates for all your internal devices that support them (like most NAS and Asus routers, for instance). The beauty of it is that once you import that root certificate, any certificate you sign with it will be recognized as trustworthy by your browsers. No more security alerts. My own Asus RT-AC88U for instance now looks like this in Chrome:

[Attachment 12193: Chrome screenshot]

There's some learning curve involved however, especially if you're not familiar with how SSL certificates work. But tons of documentation is available on the web.

Ultimately, I believe the market still needs a simpler way to manage it, for SSL neophytes. But if you're willing to start learning, or if you're already quite familiar with them, XCA can be a great tool to easily secure your internal devices without having to constantly click to accept untrusted self-signed certificates.

It feels like I am so close, but I hit a final stumbling block: "This certificate cannot be verified to a trusted certification authority."
So far:
- Using XCA, created my own CA cert with its own key
- Created the router cert with its own key, considering all comments (SAN for all names and IPs), with a different key
- Uploaded the router cert and its key to my Asus Merlin
- Registered both certificates on my PC in my machine cert root store using PowerShell (https://docs.microsoft.com/en-us/powershell/module/pkiclient/import-certificate?view=win10-ps)

On the certification path in Chrome, strangely, the info shows three levels, looking from the bottom:
- This certificate is OK for the router
- This certificate is OK for the CA
- But then it shows the CA again on the top level with the error "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."
Must be something simple, but I am confused...
 
I did not try the instructions myself, so I believe you when you say they do not exist.

I looked at my Chrome. Can you check whether the CA is visible there (because on my PC I see a difference between the local computer certificates and the browser certificates):

chrome://settings/privacy
more
manage certificates
(maybe some other similar options, I have a non-English installation)

If it is not there, import your CA.
If it is there, I do not know why Chrome says it is not :(


Sent from my SM-G955F using Tapatalk
 
Thanks - found the Chrome setting. Indeed my CA cert is not there; the import is successful, but afterwards it does not show or change anything. Really weird, I think I will redo everything from scratch again.
 
Finally solved. Phew.

Create three levels in XCA: one Gold CA, self-certified, then a CA with a shorter expiry certified by the Gold CA, then the server TLS certificate certified by the previous CA.
I have chosen to add the authority key field in the last two also. Do not forget to specify all SAN aliases! Upload the router cert and key to your Asus.
Finally, load both CA certs into the machine root store using PowerShell (or via Manage computer certificates from Control Panel) and Bob's your uncle!
All three browsers should pick it up nicely.
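
The same three-level chain as the post above (self-signed root, shorter-lived issuing CA carrying an authority key identifier, server certificate with every SAN, the IP listed as both DNS and IP per the IE remark earlier in the thread), built here with the openssl CLI instead of XCA so the steps are visible, and then validated the way a browser validates it. This is an added example, not code from the thread, from XCA, or from mkcert; the names router.lan and 192.168.1.1, the file names, and the presence of an openssl binary are assumptions. Anchoring the check on the issuing CA alone, rather than on the root, reproduces the "cannot be verified to a trusted certification authority" error from the earlier post.

```shell
#!/bin/sh
# Added example (not from the thread, XCA or mkcert): the three-level chain
# from the last post, built with the openssl CLI, then verified the way a
# browser does it. Names, IP and file names are assumptions for illustration.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

write_cnf() {  # $1 = file, $2 = subject CN, $3.. = lines of the [ext] section
  f="$1"; cn="$2"; shift 2
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n' > "$f"
  printf '[dn]\nCN = %s\n[ext]\n' "$cn" >> "$f"
  for line in "$@"; do printf '%s\n' "$line" >> "$f"; done
}

build_chain() {
  # 1. "Gold" root CA: self-signed, long-lived, keep its key offline.
  write_cnf root.cnf "Home Gold Root CA" \
    "basicConstraints = critical, CA:TRUE" \
    "keyUsage = critical, keyCertSign, cRLSign" \
    "subjectKeyIdentifier = hash"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config root.cnf -keyout root.key -out root.pem >/dev/null 2>&1

  # 2. Issuing CA with a shorter lifetime, signed by the root; pathlen:0 so it
  #    can only sign end-entity certs. authorityKeyIdentifier links it upward.
  write_cnf inter.cnf "Home Issuing CA" \
    "basicConstraints = critical, CA:TRUE, pathlen:0" \
    "keyUsage = critical, keyCertSign, cRLSign" \
    "subjectKeyIdentifier = hash" \
    "authorityKeyIdentifier = keyid:always"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config inter.cnf -keyout inter.key -out inter.csr >/dev/null 2>&1
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 730 -sha256 -extfile inter.cnf -extensions ext -out inter.pem >/dev/null 2>&1

  # 3. Router certificate. Modern browsers ignore the CN; the SAN carries
  #    every name, and the IP appears as both DNS and IP (the IE quirk).
  write_cnf server.cnf "router.lan" \
    "basicConstraints = critical, CA:FALSE" \
    "keyUsage = critical, digitalSignature, keyEncipherment" \
    "extendedKeyUsage = serverAuth" \
    "subjectKeyIdentifier = hash" \
    "authorityKeyIdentifier = keyid:always" \
    "subjectAltName = DNS:router.lan, DNS:192.168.1.1, IP:192.168.1.1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config server.cnf -keyout server.key -out server.csr >/dev/null 2>&1
  openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 365 -sha256 -extfile server.cnf -extensions ext -out server.pem >/dev/null 2>&1
}

# Path validation: succeeds only when the trust anchor in $1 is a self-signed
# root. Anchoring on the issuing CA alone is the "CA root certificate is not
# trusted" situation from the earlier post: the path does not end in a root.
chain_status() {
  if openssl verify -CAfile "$1" -untrusted inter.pem server.pem >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

# Name check: $1 is -verify_hostname or -verify_ip, $2 the name or address.
name_status() {
  if openssl verify -CAfile root.pem -untrusted inter.pem "$1" "$2" server.pem >/dev/null 2>&1
  then echo match; else echo mismatch; fi
}

# The SAN line as OpenSSL prints it, i.e. what the router will present.
server_san() {
  openssl x509 -in server.pem -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

build_chain
echo "chain written to $WORK"
echo "SAN: $(server_san)"
echo "anchored on root: $(chain_status root.pem); on issuing CA only: $(chain_status inter.pem)"
```

server.pem and server.key are what goes to the router. On the Windows side, only root.pem belongs in Trusted Root Certification Authorities (Cert:\LocalMachine\Root with the Import-Certificate cmdlet linked above); the issuing CA belongs in Intermediate Certification Authorities (Cert:\LocalMachine\CA), or can be served by the device along with the server certificate, and putting it in Root instead of CA is what produces the duplicated-CA path with the "not in the Trusted Root store" error seen earlier in the thread.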
 
