getting Firefox/Chrome to trust your internal websites (internal Certificate Authority)

Part 1 — Create a Certificate Authority

mkdir -p /home/user/spaceballsCA/certs
openssl genrsa -aes256 -out spaceballsCA.key 2048
openssl req -x509 -new -nodes -key spaceballsCA.key -sha256 -days 1024 -out spaceballsCA.pem

Part 2 — install CA certificate into browsers and desktops

chrome://settings/certificates

Part 3 — generate Key and Cert for internal website

cd /home/user/spaceballsCA
vi csr.cnf
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=US
ST=<INSERT STATE>
L=<INSERT CITY>
O=SpaceBalls, LLC
OU=Spaceballs CA
emailAddress=admin@spaceballs.com
CN = spaceballs
[alt_names]
DNS.1 = lonestar.spaceballs
DNS.2 = lonestar.spaceballs.ny
DNS.3 = lonestar.spaceballs.tx
DNS.4 = lonestar
DNS.5 = somesite.spaceballs
cd /home/user/spaceballsCAopenssl req -new -sha256 -nodes -out certs/lonestar.spaceballs.csr -newkey rsa:2048 -keyout certs/lonestar.spaceballs.key -config <(cat csr.cnf)
openssl x509 -req -in certs/lonestar.spaceballs.csr -CA spaceballsCA.pem -CAkey spaceballsCA.key -CAcreateserial -out certs/lonestar.spaceballs.crt -days 1024 -sha256 -extfile csr.cnf
openssl x509 -in certs/lonestar.spaceballs.crt -text -nooutCertificate:
Data:
Version: 3 (0x2)
Serial Number:
56:f1:d2:a9:3d:54:33:b8:cb:c0:24:d9:5b:cd:22:de:47:7a:f3:06
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = NY, L = New York, O = "Spaceballs, LLC", OU = Spaceballs CA, CN = spaceballs, emailAddress = admin@spaceballs.com
Validity
Not Before: Nov 22 20:03:45 2019 GMT
Not After : Sep 11 20:03:45 2022 GMT
Subject: C = US, ST = NY, L = New York, O = "Spaceballs, LLC", OU = Spaceballs CA, emailAddress = admin@spaceballs.com, CN = spaceballs
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:xc:b4:0c:b7:13:2a:cc:b1:dc:82:40:58:56:32:
6a:23:85:cb:e9:67:9a:8d:f1:c0:0a:54:ee:55:e5:
b8:5e:f9:2d:c4:88:f0:ec:56:e9:91:14:78:b5:b3:
92:74:e5:98:d0:7e:ed:fb:2a:25:58:e1:12:86:b4:
f4:0v:38:06:18:af:47:22:2b:59:f0:1a:00:9c:84:
b9:11:85:ba:e9:c3:b7:bc:78:e5:43:cd:46:9f:9a:
74:e3:69:62:42:15:f3:6c:dd:73:17:3f:e6:46:20:
9a:a3:b3:18:4e:fd:39:19:fd:fb:6e:f0:b7:38:03:
e9:12:a2:54:f0:60:93:37:21:4e:05:d3:82:c2:75:
61:d4:fa:2d:12:b3:82:8e:81:c3:60:13:a6:ab:c1:
01:d6:c1:4e:e2:24:b8:13:c6:7b:b1:a6:a4:57:47:
21:22:1b:0e:10:d7:fa:2c:06:84:6d:ca:7a:8e:fb:
46:fe:36:1c:18:5d:8e:77:76:c6:8c:a2:d4:cb:af:
d8:02:4f:e7:b4:4c:3d:57:4e:6d:b7:82:3a:f2:6a:
38:af:57:85:16:3e:2e:05:04:f0:4e:cd:1b:f0:bb:
4e:81:8f:80:00:77:4d:df:8b:50:80:48:41:7c:79:
17:3b:6b:c0:b4:ee:ae:23:90:4b:1a:ce:c9:fb:f4:
53:77
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:EC:AF:3B:86:ED:71:8D:8B:25:F2:FA:6D:D4:0F:F3:F0:D4:29:44:9B
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Subject Alternative Name:
DNS:lonestar.spaceballs, DNS:lonestar.spaceballs.ny, DNS:lonestar.spaceballs.tx, DNS:lonestar
Signature Algorithm: sha256WithRSAEncryption
22:61:bd:09:07:f1:3d:88:d3:29:3a:28:21:01:d2:93:d9:fc:
59:bf:1b:19:80:7b:81:b1:f4:3c:79:c5:eb:be:98:76:29:98:
19:a6:2f:78:51:a0:22:43:62:57:86:3a:2e:e3:3b:29:10:c7:
2e:94:73:bd:60:75:dc:79:a9:06:b6:ae:a5:0a:08:9d:fe:93:
35:4c:a1:75:42:0d:4f:4e:21:86:53:73:23:5a:f6:06:a2:7d:
60:33:63:63:61:80:5f:f3:cd:3f:d1:ef:34:1a:60:da:a7:96:
1e:6f:10:4e:de:48:cc:01:e6:d1:9b:f0:7b:53:9f:f7:92:c6:
aa:e8:e2:7e:0c:25:1a:89:71:a1:82:4a:31:70:a1:52:5f:d8:
78:0e:3b:16:15:59:67:55:88:96:ab:c4:5d:c2:7b:7e:89:e0:
32:7b:87:a9:46:38:85:41:8d:ef:e9:88:20:6d:0e:a9:be:b8:
60:6b:4f:47:8b:bc:25:54:62:0b:73:89:d3:2d:75:3d:cf:90:
1b:6c:3a:1d:a2:33:96:14:6e:7f:85:c6:52:8f:11:4f:3a:bd:
35:c9:f1:05:05:77:bb:80:4d:40:f4:18:6c:f5:0b:7b:4b:03:
b6:5a:5d:a8:d8:4a:27:b3:38:3c:07:c1:a2:c1:60:03:c8:78:
2a:ad:75:2b

Part 4 — configure web server to run with certificates

web1> cd /etc/httpd/conf.d
vi lonestar.conf
LoadModule  headers_module        /usr/lib64/httpd/modules/mod_headers.so#### LONESTARProxyRequests Off
RewriteEngine On
ErrorLog /var/log/httpd/lonestar_error.log
<VirtualHost *:80>
ServerName lonestar
ServerAlias lonestar.spaceballs
Redirect / https://lonestar
</VirtualHost><VirtualHost *:443>
ProxyPreserveHost On
ServerName lonestar
ServerAlias lonestar.spaceballs
ServerAlias lonestar.spaceballs.ny
ServerAlias lonestar.spaceballs.tx
SSLEngine On
SSLCertificateKeyFile /etc/ssl/certs/lonestar.key
SSLCertificateFile /etc/ssl/certs/lonestar.crt
AllowEncodedSlashes NoDecode
ProxyPass / http://localhost:5300/ nocanon
ProxyPassReverse / http://localhost:5300/
RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store