Hello,
I created self-signed certificates for my server on my LAN network, uploaded them to the server and set them up, and added an exception in the browser, and it works, but I would like to trust it without exceptions. So I have two files (server.crt and server.key); where do I have to put them if I want to trust this certificate at the operating system level?
I read that I have to put it into `/etc/ca-certificates/trust-source/anchors/` and run `trust extract-compat`, but it didn't work.
I need to have it trusted at the operating system level, because I am running a Bitwarden server and the Bitwarden desktop application doesn't connect to it if it is not trusted.
Last edited by tomsk (2023-06-08 11:16:38)
I use several linux distros like: Archlinux, Ubuntu, Fedora, Linux Mint
If you set up a PKI, e.g. with easyRSA, you should not let the client trust the server's certificate directly, but the CA's root certificate with which you should have signed the server's certificate. Also beware that keys, unlike certificates, are private. The server's key is for the server's eyes only.
Last edited by schard (2023-06-06 07:42:19)
Inofficial first vice president of the Rust Evangelism Strike Force
https://wiki.archlinux.org/title/Transp … rust_store ?
Edit: schard's objection still holds
Last edited by seth (2023-06-06 08:02:16)
If you set up a PKI, e.g. with easyRSA, you should not let the client trust the server's certificate directly, but the CA's root certificate with which you should have signed the server's certificate. Also beware that keys, unlike certificates, are private. The server's key is for the server's eyes only.
So first I need to create a CA certificate, sign my server.crt with that CA certificate, and add the CA certificate as trusted (not the server certificate)?
https://wiki.archlinux.org/title/Transp … rust_store ?
Edit: schard's objection still holds
Should I run it as sudo? If I run it as a user I get `p11-kit: no configured writable location to store anchors`, and when I run it as sudo it goes OK, but it didn't help; it is still not trusted.
I use several linux distros like: Archlinux, Ubuntu, Fedora, Linux Mint
Yes you create a CA, then a certificate. Then you use the CA to sign that certificate.
The CA is what should be trusted.
You have to run it as sudo (as indicated by the `#` prompt sign). The trust store is system-wide.
I use a self-signed cert, I do "sudo trust anchor /path/to/certificate.crt" and it works after that (might be a few mins due to cache etc, I'd use a CLI tool like curl to be sure). Some programs (like mainstream browsers) can ship with their own bundled certificates, so don't rely on those to test, although on Arch I haven't had many issues with that.
The .key file is the server's private key that it uses to encrypt the TLS connection. It should be very very hidden and only known to the server. Otherwise it's like when you use GPG to email a guy who's known to leak his private key all the time so it's a false security.
Just self-signed won't do you much good though. These days there's a lot of FUD about how self-signed is evil, https://en.wikipedia.org/wiki/Trust_on_first_use doesn't work and we should all happily pay CAs 30k so they can make a phone call and run an openssl command. So if you want your own certs to really work you need to create your own CA certificate and use that to issue certs to your server. My setup is like this:
1. Create a certificate for a root CA, tagged "ca" and "cert_signing_key" in GnuTLS config. This is self-signed.
2. Create a certificate for an intermediate CA, tagged with "ca" and "cert_signing_key", and limited to my server's domain (so it can't issue certs for wikipedia.com). This is signed by the root CA.
3. Create a certificate for the server. This is signed by the intermediate CA.
I then install the intermediate CA's crt file on my client machines. This allows me to rotate the server cert without having to reinstall the cert on clients. It's technically overkill - you can have just a root CA signing the server, and install the root CA's crt on clients. However, this way the intermediate CA is technically not self signed, which gives me one less thing to worry about with overzealous programs that are hellbent on saving me from my impertinent CA-hating self. The key files for both CAs are stored securely. The key file of the server sits on the server where nginx can see it and never leaves it.
This is all rather tedious to deal with so I'd recommend creating some kind of git repo with scripts and/or a makefile, documentation, etc. Also GnuTLS is much easier to deal with than openssl. There are also tools like https://github.com/rabbitmq/tls-gen but I haven't used them much.
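An added example (not from any poster in this thread) that builds the three-tier setup described in the post above, self-signed root CA, name-constrained intermediate CA, server leaf, using openssl rather than the GnuTLS certtool the poster uses. The hostname bitwarden.home.lan, the LAN domain home.lan, the CA names and the scratch directory are assumptions; the `trust anchor` command at the end is only printed, not run, since it needs root. The last step goes slightly beyond the post: it issues a leaf outside the permitted subtree and shows a validator rejecting it, which is what the name constraint buys you.

```shell
#!/bin/sh
# Added example, not from the thread: root CA -> name-constrained intermediate
# CA -> server certificate, with openssl. Names and paths below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"                      # scratch dir for keys and certs
SERVER_NAME="${SERVER_NAME:-bitwarden.home.lan}"  # assumed server hostname
LAN_DOMAIN="${LAN_DOMAIN:-home.lan}"              # only DNS subtree the intermediate may sign

# Minimal req config so the script does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\n' > "$WORK/req.cnf"

gen_key() {  # $1 = output path; RSA-2048 private key, never leaves the host that needs it
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

make_root_ca() {  # self-signed, may sign certificates and CRLs
  gen_key "$WORK/root.key"
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/root.key" \
    -subj "/CN=Home Lab Root CA" -out "$WORK/root.csr"
  printf '%s\n' \
    'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' > "$WORK/root.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 -sha256 \
    -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
}

make_intermediate_ca() {  # signed by the root; pathlen:0 = leaves only; names limited to LAN_DOMAIN
  gen_key "$WORK/intermediate.key"
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/intermediate.key" \
    -subj "/CN=Home Lab Intermediate CA" -out "$WORK/intermediate.csr"
  printf '%s\n' \
    'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid:always' \
    "nameConstraints=critical,permitted;DNS:$LAN_DOMAIN" > "$WORK/intermediate.ext"
  openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$WORK/intermediate.ext" \
    -out "$WORK/intermediate.crt" 2>/dev/null
}

issue_server_cert() {  # $1 = DNS name, $2 = file basename; signed by the intermediate
  name=$1; base=$2
  gen_key "$WORK/$base.key"
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/$base.key" \
    -subj "/CN=$name" -out "$WORK/$base.csr"
  printf '%s\n' \
    'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' \
    'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid:always' \
    "subjectAltName=DNS:$name" > "$WORK/$base.ext"
  openssl x509 -req -in "$WORK/$base.csr" -CA "$WORK/intermediate.crt" \
    -CAkey "$WORK/intermediate.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/$base.ext" -out "$WORK/$base.crt" 2>/dev/null
}

# Full chain check with the root as trust anchor; prints "<path>: OK" and exits 0 on success.
verify_chain() {  # $1 = leaf basename
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/intermediate.crt" "$WORK/$1.crt"
}

# The post installs only the intermediate on clients. openssl's verify command
# needs -partial_chain to accept a non-self-signed anchor; other TLS stacks differ.
verify_with_intermediate_anchor() {  # $1 = leaf basename
  openssl verify -partial_chain -CAfile "$WORK/intermediate.crt" "$WORK/$1.crt"
}

make_root_ca
make_intermediate_ca
issue_server_cert "$SERVER_NAME" server
verify_chain server
verify_with_intermediate_anchor server
# A leaf outside the permitted subtree is rejected (permitted subtree violation).
issue_server_cert other.example.net outside
verify_chain outside || echo "outside.crt rejected as expected"
echo "Files in $WORK. Install only intermediate.crt on clients, e.g. (as root, not run here):"
echo "  sudo trust anchor $WORK/intermediate.crt"
```

Only the two CA private keys and the server key are secrets; the .crt files can be copied anywhere. Before blaming the trust store, run the `openssl verify` lines against the files you actually deployed: if they pass with the root as `-CAfile` but your client still complains, the client is either using its own bundled store or, as with openssl itself, refusing a non-self-signed anchor without the equivalent of `-partial_chain`.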
This is all rather tedious to deal with so I'd recommend creating some kind of [...] scripts [...]
You mean like Easy-RSA?
Inofficial first vice president of the Rust Evangelism Strike Force
Got it
it works now
Thank you
I use several linux distros like: Archlinux, Ubuntu, Fedora, Linux Mint