Securing access to a web page using a certificate

[destroyedlolo]

Hi all,

I would like to secure a webpage using a certificate but all the tutorials I've found are, or obsolete, or doesn't work.

So what I did based on this post :

1/ created a CA root key

[audiodef]

I used to use the DIY method, then I decided it was not worth the time and effort. I switched to using Letsencrypt for everything. It's free, recognized by browsers, and will save you time and frustration.
_________________
decibel Linux: https://decibellinux.org
Github: https://github.com/Gentoo-Music-and-Audio-Technology
Facebook: https://www.facebook.com/decibellinux
Discord: https://discord.gg/73XV24dNPN

[Hu]

As I understand the Let's Encrypt offering, they do not provide, nor plan to provide, client certificates. They provide server certificates to let a TLS server obtain a certificate matching its DNS name. They do not provide client certificates used to distinguish individuals within an organization.

destroyedlolo: if I were to guess based on the error message, Apache does not trust your CA, so it cannot verify certificates issued by that CA.

[destroyedlolo]

Hi,

It's looking to me the problem is not at Apache side but at Firefox one.
It seems it doesn't trust my CA despite I imported destroyedloloCA.pem.

I've tried to verify the chain using openssl, but it's complaining :

[John R. Graham]

[destroyedlolo]

I did another try with .crt and .cer certificates and they are all working.

[destroyedlolo]

Hi,

I'm not giving-up but ... despite many tries, I'm stuck at the same point
Any idea welcome

Best regards,

Laurent

[John R. Graham]

Hi Laurent,

Sorry; somehow this thread dropped off my radar.

A couple of things. A "trusted certificate" is one that the browser can chain up to a known root certificate. When you use the "openssl verify" you are supplying the root with the -CAfile argument. If you haven't supplied your root CA cert to Firefox then your root CA is not "known" and the results you're seeing are expected. You can install your root CA cert in Firefox in the Options / Privacy & Security / Certificates / View Certificates / Your Certificates / Import dialog. After installation of your root CA cert, that particular instance of Firefox will "trust" leaf certificates issued by your root CA.

However, other instances of Firefox will not know about your root CA, just as your instance does not now know about it now. That's why Firefox comes pre-installed with a selection of well known issuing CAs: so that web sites (and other servers that need a chain of trust) can acquire a leaf cert that is already trusted by the major browsers. In addition, the security techniques for strongly protecting your root CA are non-trivial. For most purposes other than a toy or hobby chain of trust, it's best to let the experts provide the leaf cert.

Does this help enough? If not, just ask.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.

[Ant P.]

It's possible, or at least used to be, to teach the browser to accept your CA (at your own risk: I hope you've set correct DNSname constraints in it) by importing it, after which all leaf certs it signs should be automatically recognised without prompting. I vaguely remember this being much harder in Chromium though, so be warned.

They deliberately make getting there a huge pain in the ass and as confusing as possible, because it's a cross-platform browser, one of the platforms is windows, and windows is a circus of criminals and idiots that constantly find new ways to invoke Murphy's law.


On the other hand, lf you want the cert to work in well-behaved system software, that's different: you put the CA certificate in /usr/local/share/ca-certificates/$yourname.crt and then run update-ca-certificates as root.

[destroyedlolo]

Thanks for your replies : I'll test next week and let you know.

And yes, client are both m$ and Unixes as my goal is to protect some webservice call