2
0
mirror of https://github.com/opnsense/docs synced 2024-11-09 01:10:33 +00:00
opensense-docs/source/manual/how-tos/self-signed-chain.rst

335 lines
13 KiB
ReStructuredText
Raw Normal View History

2018-07-14 18:49:57 +00:00
==================================================
Setup Self-Signed Certificate Chains with OPNsense
==================================================
This how-to describes the process of creating **self-signed certificate chains**
with the help of OPNsense which has all the tools available to do so.
Chains give the possibility to verify certificates where a single one is nothing
more than that, a single certificate.
Look at the default install, one certificate is created for the webgui/dashboard. There is
nothing wrong with that certificate if we use a real world CA, but we do not. We
create our own chain so that one has no purpose once done.
2018-07-31 14:51:11 +00:00
Should you even consider using **self-signed certificate chains** in this age of free available
2018-07-14 18:49:57 +00:00
certificates?
* Self-signed certificate are just as secure as real world certificates.
* They are trustworthy chains, you **know** all parties.
* Intranets are often set up with these chains.
* Depending on what you do with your network/servers this is a good solution.
* Creating your own chain will give some insight in the process.
* Only use them if you are sure you can. Read about the concept in common there is a lot of info on the net.
What you should not do with a self-signed chain:
* Use them for a web-facing server.
What you should know about self-signed certificates:
* They are **only** as trustworty as the person, company or organization signing it.
* Using these certificates **can** be a security risk if you are the one trusting them and not a CA.
2018-07-31 14:51:11 +00:00
A chain will need at least a CA and certificate; an intermediate CA is not needed, but in case of a
2018-07-14 18:49:57 +00:00
compromise the CA key would be compromised too.
The chain we are going to create will be made with the following ingredients:
* **CA** ``=`` certificate authority ``=`` root certificate ``-->`` signs intermediate certificates
* **Intermediate CA** ``=`` subordinate certificate ``=`` signed by CA ``-->`` signs certificates
* **Certificate** ``=`` signed by Intermediate CA ``=`` can be used for different services
.. Note::
2018-07-31 14:51:11 +00:00
This document uses **CN - Common Name** should be read as: **SAN - Subject Alternative Name** and
2018-07-14 18:49:57 +00:00
will be used if present.
Please backup before you proceed.
---------------------------
Create a Chain for OPNsense
---------------------------
The Authority
-------------
The first certificate to create is the **CA**. The only thing this CA
does is sign the intermediate CA next in the line of trust.
.. Note::
Self-signed root CA's anchor trust chains, they are vital and OpenSSL requires them for your chain of trust.
Go to **Trust/Authorities**
.. image:: images/trust.png
Some entries in the form are showed here. Click on the thumbnail for a picture.
When you are done save the form, the CA is now generated.
====================== =================================== ========================================
**Descriptive name** opnsense-ca *Choose a name that makes sense to you*
**Method** create an internal ca *Main purpose of CA*
**Common Name** internal-ca *Default is fine, change to liking*
====================== =================================== ========================================
.. image:: images/CA.png
:width: 100%
2018-07-14 18:49:57 +00:00
.. Tip::
Always use valid email addresses for your certificates.
Bogus addresses can pose a security risk and not only for certificates.
2018-07-14 18:49:57 +00:00
The Intermediate
----------------
Time to create the second CA, which is an **intermediate CA**. This certificate will be signed
2018-07-14 18:49:57 +00:00
by the root CA we just created. In return it will sign the sever certificate for OPNsense.
Go to **Trust/Authorities**
Have a look at the form, create an intermediate CA and save it.
====================== =================================== ========================================
**Descriptive name** opnsense-ca-intermediate *Choose a name that makes sense to you*
**Method** create an intermediate ca *Main purpose of CA*
**Common Name** intermediate-ca *Default is fine, change to liking*
====================== =================================== ========================================
.. image:: images/CA-inter.png
:width: 100%
2018-07-14 18:49:57 +00:00
The Certificate
---------------
The thirth certificate will be a **server certificate** signed by the intermediate CA we just created.
This will also be the last one we create for this chain.
Go to **Trust/Certificates**
Have a look at the next form and notice the common name, create a server certificate and save it.
====================== =================================== ========================================
**Descriptive name** opnsense-ca-intermediate *Choose a name that makes sense to you*
**Method** create a server certificate *Main purpose of certificate*
**Common Name** opnsense.localdomain *This should reflect the FQDN see Tip*
====================== =================================== ========================================
.. image:: images/webgui-cert.png
:width: 100%
2018-07-14 18:49:57 +00:00
.. Tip::
When creating the server certificate make sure the **CN - common name**
is in fact the the **FQDN - Fully Qualified Domain Name**.
You can find it on **Linux/Unix** with this command ``hostname -f``
Now we need to start using the chain:
* Download the intermediate CA.
.. image:: images/export_CA_cert.png
- * Open your browser and go to **Preferences/Certificate/Authorities**
* Import the downloaded CA.
* Go back to the dashboard & open **System/Settings/Administration**
* Set **SSL-Certificate** to use the new server certificate.
2018-07-31 14:51:11 +00:00
Open your browser and open the OPNsense/webgui page. You should be presented with a certificate that is
2018-07-14 18:49:57 +00:00
verified by your intermediate CA.
---------------------------------------
A Chain for Your Local Nextcloud Server
---------------------------------------
The local chain for Nextcloud server so we can use OPNsense backup to Nextcloud.
Go ahead and create a new chain **CA -- intermediate CA -- server cert.**.
.. Note::
The certicate store on your OPNsense **ca-root-nss** is not aware of the CA
we are generating that is why we need to add this CA to the store.
.. Note::
| Performing a Health audit **System/Firmware** raises an alert after adding the CA to the store:
| alert: **checksum mismatch for /usr/local/share/certs/ca-root-nss.crt**
| The sum of the file does not match the sum saved in the system after adding the CA.
.. Tip::
2018-07-31 14:51:11 +00:00
| You can check if **ca-root-nss** has changed:
2018-07-14 18:49:57 +00:00
| Do a health check before you add the CA.
| If the check was okay add the CA to the store.
| Create a new checksum & save it :
| ``cksum /usr/local/share/certs/ca-root-nss.crt > sum.txt``
| You can now 'always' check the sum against the result you have stored
| ``cksum /usr/local/share/ca-root-nss.crt | sort | diff sum.txt -``
The Nextcloud Authority
-----------------------
Go to **Trust/Authorities** create a new CA for Nextcloud and save it.
.. image:: images/trust.png
====================== =================================== ========================================
**Descriptive name** nextcloud-ca *Choose a name that makes sense*
**Method** create a ca *Main purpose of CA*
**Common Name** nextcloud-ca *Change to liking*
====================== =================================== ========================================
.. image:: images/CA-cloud.png
:width: 100%
2018-07-14 18:49:57 +00:00
OPNsense needs to be made aware of the Nextcloud chain we are creating.
* Download the **CA.crt** and upload it back to OPNsense in a secure way.
.. image:: images/export_CA_cert.png
- * For this you can use ``scp`` (see) ``man scp``
* Install the **CA.crt** with ``cat``, you cannot just copy it to the store because it is a single file.
**The following command will append it to the store**
::
cat nextcloud-ca.crt >> /usr/local/share/certs/ca-root-nss.crt
.. Warning::
If **ca_root_nss** is updated your certificate is removed and needs to be added overnew.
If you created a **sum.txt** you need to create it again, see previous Tip.
.. Tip::
Remove the CA from the store? Use ``vi``, the added CA will be the
last one below **#End of file**
The Nextcloud Intermediate CA
-----------------------------
Next in line will be the **intermediate CA** which will be signed by the root CA we did just create.
This intermediate CA will sign the Nextcloud server certificate.
Go to **Trust/Authorities** and create an intermediate CA.
====================== =================================== ========================================
**Descriptive name** nextcloud-intermediate-ca *Choose a name that makes sense to you*
**Method** create an intermediate ca *Main purpose of CA*
**Common Name** cloud.localdomain *Change to liking*
====================== =================================== ========================================
.. image:: images/CA-cloud-inter.png
:width: 100%
2018-07-14 18:49:57 +00:00
Download the intermediate CA and install it to your browser:
* Head to the webgui **Trust/Authorities** export **nextcloud-intermediate-ca.crt**
* Back to the browser, open **Preferences/Certificate/Authorities**
* Import the intermediate CA into the certificate store from your browser.
The Nextcloud Server Certificate
--------------------------------
Next we create the server certificate for the Nextcloud server.
Go to **Trust/Certificates** create a server certificate.
====================== =================================== ========================================
**Descriptive name** cloudserver-cert *Choose a name that makes sense to you*
**Method** create a server certificate *Main purpose of certificate*
**Common Name** cloud.localdomain *Should reflect the FQDN*
====================== =================================== ========================================
.. image:: images/cloud-cert.png
:width: 100%
2018-07-14 18:49:57 +00:00
We need to install this certificate and key to our Nextcloud server, two ways are shown here.
* Upload the ***.p12** archive to your Nextcloud server in a safe way.
* Extact the archive into a single **PEM** file and create a certificate and a key.
* Use the following commands for a key and certificate:
::
openssl pkcs12 -in nextcloud-crt.p12 -nodes -out nextcloud.key -nocerts
openssl pkcs12 -in nextcloud-crt.p12 -clcerts -nokeys -out nextcloud.pem
cp nextcloud.pem nextcloud.crt
2018-07-31 14:51:11 +00:00
2018-07-14 18:49:57 +00:00
- * Or use the next quick and dirty method for a single key/certificate file:
* Upload the ***.p12** archive to your Nextcloud server, in a safe way..
2018-07-31 14:51:11 +00:00
* Extact the archive into a single **PEM** file and create a certificate.
2018-07-14 18:49:57 +00:00
::
openssl pkcs12 -in nextcloud-crt.p12 -out nextcloud-crt.pem -nodes
cp nextcloud-crt.pem nextcloud-crt.crt
- * **/etc/ssl/localcerts** will be alright for the certificate or choose your own prefered location.
* If the key was extracted separatly, **/etc/ssl/private** would be a good choice.
2018-07-31 14:51:11 +00:00
* Be sure to set sane permissions on the private directory, ``700`` would do it.
2018-07-14 18:49:57 +00:00
* You could set ``umask`` too (see) ``man umask`` - on your Linux box.
* Edit the webserver config to use the certificate and key or single key-cert file.
* Sane permissions, ``400`` read only owner is sufficent.
You should now be able to backup to nextcloud and have a verified page.
- :doc:`cloud_backup`
After setting up the Nextcloud backup everything should work.
Troubleshooting:
| The backup to Nextcloud fails and recieve error:``verify_result 2`` in **System/LogFiles**
| Issuer unknown because of an incomplete chain: the CA (issuer!) is missing.
| The Nextcloud CA was not installed to OPNsense certificate store **ca-root-nss**.
-----------------------------
Chain for the Local Webserver
-----------------------------
This following **chain** we create is basically the same as the previous chain for Nextcloud server.
If needed use the pictures from the Nextcloud chain.
Create a chain for your server **CA - intermediate CA - server cert.**
Once done go through the following points:
* Download the server.p12 archive.
* Upload it to the server and extract the archive.
* Store the certificate and key respectively in **/etc/ssl/localcerts** and **/etc/ssl/private**
* Use the following commands for that:
::
openssl pkcs12 -in server.p12 -nodes -out server.key -nocerts
openssl pkcs12 -in server.p12 -clcerts -nokeys -out server.pem
cp server.pem server.crt
Or if you want to use a single file:
::
openssl pkcs12 -in some-server-crt.p12 -out some-server-crt.pem -nodes
cp some-server-crt.pem some-server-crt.crt
- * Some sane permissions on them.
* Set the server to use the installed certificate.
* Download the intermediate CA.
* Install it in your browser.
* Head to the webservers page and be presented with a verified certificate.