
Trusting the Certificate Authority of ClearOS in Servers and Workstations

This guide steps you through setting up your workstation to trust the Certificate Authority (CA) of the ClearOS server. This matters so that you don't get prompted to accept an untrusted certificate. Moreover, if you get in the habit of clicking through failed certificate validations, you might get duped into accepting a forged one by a clever hacker.

Windows 7

Log into ClearOS' Webconfig as the user. Navigate to the User Certificates page. Next to the 'Certificate Authority' entry, click <navigation>Download</navigation>.

Open your Downloads folder (or the location that you saved the file) and rename the file from ca-cert.crt to ca-cert.cer. This will change the icon for the file.

Open Certificate Manager by clicking the Start button, typing certmgr.msc in the Search box and then pressing <ENTER>. Next, navigate to the 'Certificates' folder located under the 'Trusted Root Certification Authorities' folder. Right-click on that folder and navigate to <navigation>All Tasks » Import</navigation>. Click <navigation>Import</navigation>.

This will start the import wizard where you will add your downloaded certificate to be trusted. When you get to the 'File to Import' section, browse to the location that you downloaded and renamed your certificate.

Double-click the ca-cert.cer file and click <navigation>Next</navigation>. It will ask you which container to place it in, but since we have already navigated to the one we want, it should be filled in and selected. Press <navigation>Next</navigation>.

It will then state that it is ready to finish with similar information as you see here. Click <navigation>Finish</navigation>.

And just in case you thought that the word 'finish' meant finish, Windows 7 will prompt you one more time just to make sure you really, really want to do what you just told it to do. Review the information and click <navigation>Yes</navigation>.

AD and Group Policy

Ok, so that works splendidly but let's suppose you have 120 workstations that all need to have this happen. Well, if you have Active Directory on hand, you can roll this change out to everyone on the domain.

First, repeat the steps for Windows 7 including the point where you download the .crt file and you rename it to .cer.

Now I'm going to blatantly plagiarize here, but he's quoted and cited at the end, so here we go:

Import .cer to Group Policy

“Now we are going to use Group Policy to make this certificate authority a trusted CA throughout the domain. Open up the Group Policy Management MMC in the Administration Tools menu. I don’t know what your GPO settings are like, so for this example let's just set this up in the Default Domain Policy. Use your judgement on how this should be set up in your environment.

“Right click the Default Domain Policy and select Edit. This will open up the Group Policy Management Editor. Drill down in the option pane on the left. The path should be <navigation>Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies → Trusted Root Certification Authorities</navigation>.

Drill down to the trusted CAs

Right click <navigation>Trusted Root Certification Authorities</navigation> and select Import. The import wizard starts up and we select <navigation>Next</navigation> to get started. Browse to the location of the certificate file that we saved.

Import the CA certificate

“Click <navigation>Next</navigation> to accept this file. You will be prompted for a store to put the file in. Accept the default, which should be Trusted Root Certification Authorities. Click <navigation>Next</navigation> and <navigation>Finish</navigation>. You will get a window telling you that the import was successful. The certificate then shows up in the right pane as a trusted root CA.

“That’s it. You now have an internal CA for use in your network.” -Jason

Thanks, Jason.

Mac OSX

It is easy to get a Mac to trust the ClearOS CA. This will get rid of the annoying errors when you try to browse to Webconfig or use other certificate-based services.

Log into ClearOS' Webconfig as the user. Navigate to the User Certificates page. Next to the 'Certificate Authority' entry, click <navigation>Download</navigation>.

Once that has downloaded, open Keychain Access by navigating to <navigation>Applications → Utilities → Keychain Access</navigation>.

Once you are in Keychain Access, import the file by pressing <navigation>Shift+Command+I</navigation> or by clicking <navigation>File → Import Items</navigation>.

Navigate to your Downloads folder, highlight the ca-cert.pem file and click <navigation>Open</navigation>.

You will be asked if you want to trust this certificate from now on. Review the material in the certificate to make sure that it is correct and press <navigation>Always Trust</navigation>.

You will be asked for your password to make this happen. Enter your credentials and press <navigation>Update Settings</navigation>.

Close Keychain Access and try your hand at browsing the ClearOS server.

Congratulations. You should be able to access your server without prompts indicating that trust is violated.

ClearOS 6/7, CentOS 6/7, EL6/7

Copy the ClearOS ca-cert.pem certificate into /etc/pki/ca-trust/source/anchors/ and, perhaps, change the name from ca-cert.pem to something which relates to your server e.g. clearos-server-ca.cert.pem, then run the following command:

update-ca-trust extract

Restart any apps which need to use the new certificate.

Troubleshooting

Ok. If you've done all that and it still doesn't work, it could be that the certificate you are actually looking at is NOT signed by your CA. An example of this is Webconfig, which self-signs a certificate when it is set up, before the CA is ever involved. This can lead to it using the default certificate and not one derived from your own CA.

You can validate this by looking at the certificate itself:

You will note that our certificate is signed by system.domain.lan and not the name of the server which, for this example, is named gen3.clearos.com.

Webconfig

Webconfig's certificates are located in /usr/clearos/sandbox/etc/httpd/conf/. We will back up these certificates and then remove them when we are all done:

mkdir /usr/clearos/sandbox/etc/httpd/conf/temp
mv /usr/clearos/sandbox/etc/httpd/conf/server.crt /usr/clearos/sandbox/etc/httpd/conf/temp/
mv /usr/clearos/sandbox/etc/httpd/conf/server.key /usr/clearos/sandbox/etc/httpd/conf/temp/

Next, we will create a certificate request and associated key for the server:

openssl req -new -newkey rsa:4096 -nodes -keyout /usr/clearos/sandbox/etc/httpd/conf/server.key -out /root/gen3.clearos.com.csr

With this request, I've created a new key file in the appropriate directory and created the Certificate request in the /root directory because it is not essential for the Webconfig web server service.

When you execute this command it will ask you a lot of questions. You should answer truthfully if you are a business but I'd recommend answering with bogus data if you are an individual (this information can be seen by the public if you have port 81 open). Here is what that looks like:

Generating a 4096 bit RSA private key
............................................................................................................++
............................................................................................................++
writing new private key to '/usr/clearos/sandbox/etc/httpd/conf/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:UT
Locality Name (eg, city) [Default City]:Orem
Organization Name (eg, company) [Default Company Ltd]:ClearCenter
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:gen3.clearos.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

I didn't place a password on the request because we aren't dealing with a third party that has to validate this (you are the authority here). What is most important here is the Common Name line. This must exactly match the DNS name you use to reach the server, because if your browser uses a different name it will still give you a certificate error (i.e. certificates are not for IP addresses).

If you are going to have a public root CA sign the file, they may want a password or optional company name. You can send them the .csr file and have them sign it for you.

To sign the Certificate Request (.csr) yourself, run the following:

openssl x509 -req -in /root/gen3.clearos.com.csr -CA /etc/pki/CA/ca-cert.pem -CAkey /etc/pki/CA/private/ca-key.pem \
    -CAcreateserial -out /usr/clearos/sandbox/etc/httpd/conf/server.crt -days 3650

I've asked that the certificate be valid for 10 years using the -days flag (more than the life of the server). Of course, you can set the expiry to whatever value of days you wish.

You should get back the following response which should correlate with the information you gave earlier:

Signature ok
subject=/C=US/ST=UT/L=Orem/O=ClearCenter/CN=gen3.clearos.com
Getting CA Private Key

You can validate that your certificate and key file are now in the Webconfig webserver directory:

cat /usr/clearos/sandbox/etc/httpd/conf/server.crt 
cat /usr/clearos/sandbox/etc/httpd/conf/server.key 

Next, fix up the permissions of the certificates:

chmod 600 /usr/clearos/sandbox/etc/httpd/conf/server.crt
chmod 600 /usr/clearos/sandbox/etc/httpd/conf/server.key
chown webconfig:webconfig /usr/clearos/sandbox/etc/httpd/conf/server.crt
chown webconfig:webconfig /usr/clearos/sandbox/etc/httpd/conf/server.key

They should look like this:

ls -la /usr/clearos/sandbox/etc/httpd/conf/server.*
-rw------- 1 webconfig webconfig 1631 Apr 21 13:19 /usr/clearos/sandbox/etc/httpd/conf/server.crt
-rw------- 1 webconfig webconfig 3268 Apr 21 13:09 /usr/clearos/sandbox/etc/httpd/conf/server.key

Now restart your webconfig service:

service webconfig restart

Next, from the computer that trusts the ClearOS CA, point your browser at the DNS name of your ClearOS server (in this case https://gen3.clearos.com:81) and you should be good to go without certificate errors.

You can also look at the certificate now and see that all is in order:
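The same check can be done from the command line. The following is an added example, not part of the original KB article or of ClearOS: it reproduces the CSR and signing steps above with a throwaway CA in a temporary directory (so it runs without touching /etc/pki or Webconfig), then tests each certificate the way the Troubleshooting section describes, by comparing issuer to subject and validating the chain against the CA file. The CA name, DN values and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the ClearOS KB: reproduces the CSR -> CA-signed certificate
# flow above with a throwaway CA in a temp dir, then checks the result the way the
# Troubleshooting section describes (issuer vs. subject, chain validation against the
# CA file). All names and DN values below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CN="gen3.clearos.com"   # the DNS name the browser will use; the CN must match it

# Throwaway CA standing in for /etc/pki/CA/ca-cert.pem and ca-key.pem
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/C=US/ST=UT/O=ClearCenter/CN=Example ClearOS CA" \
  -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" 2>/dev/null

# Server key and CSR: the non-interactive equivalent of the prompts shown above
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
  -subj "/C=US/ST=UT/L=Orem/O=ClearCenter/CN=$CN" -out "$WORK/$CN.csr" 2>/dev/null

# Sign the CSR with the CA, as the openssl x509 -req command above does
openssl x509 -req -in "$WORK/$CN.csr" -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" \
  -CAcreateserial -out "$WORK/server.crt" -days 3650 2>/dev/null

# A self-signed certificate like Webconfig's default one, for comparison
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=system.domain.lan" \
  -keyout "$WORK/default.key" -out "$WORK/default.crt" 2>/dev/null

# Prints ok when the certificate chains to the CA file and is not self-signed;
# otherwise prints self-signed or untrusted and returns 1.
check_cert() {
  cert=$1; ca=$2
  issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^[a-z]*= *//')
  subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^[a-z]*= *//')
  if [ "$issuer" = "$subject" ]; then
    echo self-signed; return 1      # what the default Webconfig certificate looks like
  elif ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo untrusted; return 1        # issued by a CA the trust file does not contain
  fi
  echo ok
}

for c in server default; do
  printf '%s issuer: %s -> ' "$c.crt" "$(openssl x509 -in "$WORK/$c.crt" -noout -issuer)"
  check_cert "$WORK/$c.crt" "$WORK/ca-cert.pem" || :
done
```

Against a live server, the same comparison applies to the certificate saved from `openssl s_client -connect gen3.clearos.com:81 -showcerts`, with /etc/pki/CA/ca-cert.pem as the CA file.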

content/en_us/kb_o_trusting_ca_of_clearos_in_workstations.txt · Last modified: 2019/03/01 16:09 by NickH