This guide steps you through setting up your workstation to trust the Certificate Authority (CA) of your ClearOS server. Once the CA is trusted you are no longer prompted to accept an untrusted certificate every time you connect. More importantly, if you get into the habit of clicking through certificate warnings you will eventually click through a forged one as well; trusting your own CA is what lets the warning mean something again.
Log into ClearOS' Webconfig as the user. Navigate to the User Certificates page. Next to the 'Certificate Authority' entry, click <navigation>Download</navigation>.
Open your Downloads folder (or wherever you saved the file) and rename the file from ca-cert.crt to ca-cert.cer. The contents are unchanged; the rename only changes the icon so that Windows opens it with the certificate viewer.
Open Certificate Manager: click the Start button, type certmgr.msc in the Search box and press <ENTER>. Note that certmgr.msc manages the current user's certificate store, so a CA imported here is trusted only for that Windows user. To trust it for every user of the machine, open the Local Computer store instead (certlm.msc on Windows 8.1 and later, or mmc.exe with the Certificates snap-in for the 'Computer account' on Windows 7). Navigate to the 'Certificates' folder under the 'Trusted Root Certification Authorities' folder, right-click it and choose <navigation>All Tasks » Import</navigation>.
This starts the import wizard, which adds your downloaded certificate to the trusted store. When you reach the 'File to Import' page, browse to the location where you downloaded and renamed the certificate.
Double-click the ca-cert.cer file and click <navigation>Next</navigation>. The wizard asks which certificate store to place it in; because we started the import from the store we want, it should already be filled in and selected. Press <navigation>Next</navigation>.
The wizard then reports that it is ready to finish, summarising the file and store you chose. Click <navigation>Finish</navigation>.
In case you thought that 'Finish' meant finish, Windows 7 prompts one more time with a security warning, because you are about to install a root CA that your machine will then trust for everything it signs. This is the moment to compare the thumbprint shown in the warning with the one of the CA on your server; if they match, click <navigation>Yes</navigation>.
That works splendidly for one machine, but suppose you have 120 workstations that all need the CA. If you have Active Directory, you can roll the change out to every computer in the domain with Group Policy.
First, repeat the Windows 7 steps up to the point where you have downloaded the .crt file and renamed it to .cer.
Now I'm going to blatantly plagiarize here, but he's quoted and cited at the end, so here we go:
“Now we are going to use Group Policy to make this certificate authority a trusted CA throughout the domain. Open up the Group Policy Management MMC in the Administration Tools menu. I don’t know what your GPO settings are like, so for this example let's just set this up in the Default Domain Policy. Use your judgement on how this should be set up in your environment.
“Right click the Default Domain Policy and select Edit. This will open up the Group Policy Management Editor. Drill down in the option pane on the left. The path should be <navigation>Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies → Trusted Root Certification Authorities</navigation>.
“Right click <navigation>Trusted Root Certification Authorities</navigation> and select Import. The import wizard starts up and we select <navigation>Next</navigation> to get started. Browse to the location of the certificate file that we saved.
“Click <navigation>Next</navigation> to accept this file. You will be prompted for a store to put the file in. Accept the default, which should be Trusted Root Certification Authorities. Click <navigation>Next</navigation> and <navigation>Finish</navigation>. You will get a window telling you that the import was successful. The certificate then shows up in the right pane as a trusted root CA.
“That’s it. You now have an internal CA for use in your network.” -Jason
Thanks, Jason.
It is easy to get a Mac to trust the ClearOS CA. This gets rid of the errors you see when you browse to Webconfig or use other certificate-based services on the server.
Log into ClearOS' Webconfig as the user. Navigate to the User Certificates page. Next to the 'Certificate Authority' entry, click <navigation>Download</navigation>.
Once the download has finished, open Keychain Access by navigating to <navigation>Applications → Utilities → Keychain Access</navigation>.
In Keychain Access, import the file by pressing <navigation>Shift+Command+I</navigation> or by clicking <navigation>File → Import Items</navigation>.
Navigate to your Downloads folder, highlight the ca-cert.pem file and click <navigation>Open</navigation>.
You will be asked whether you want to trust this certificate from now on. Review the details of the certificate to make sure it really is your server's CA (compare the fingerprint with the one on the server) and press <navigation>Always Trust</navigation>.
You will be asked for your password to authorise the change. Enter your credentials and press <navigation>Update Settings</navigation>.
Close Keychain Access and try browsing to the ClearOS server.
Congratulations. You should be able to access your server without prompts indicating that trust is violated.
On ClearOS itself, or any other CentOS/RHEL-based system, copy the ClearOS ca-cert.pem certificate into /etc/pki/ca-trust/source/anchors/ and, preferably, rename it from ca-cert.pem to something that identifies your server, e.g. clearos-server-ca.cert.pem. Then run the following command:
update-ca-trust extract
Restart any applications that need to use the new certificate. (Debian and Ubuntu systems use /usr/local/share/ca-certificates/ with a .crt extension and update-ca-certificates instead.)
If you have done all of the above and still get certificate errors, it may be that the certificate you are actually being shown is NOT signed by your CA. Webconfig is an example: it generates a self-signed certificate when it is first set up, before the CA exists, and can carry on using that default certificate rather than one issued by your CA.
You can confirm this by looking at the certificate itself in the browser:
You will note that this certificate is issued by system.domain.lan (the hostname at install time) and not by your CA, and that its name is not the name of the server, which in this example is gen3.clearos.com.
Webconfig's certificates are located in /usr/clearos/sandbox/etc/httpd/conf/. We will back up these certificates first, and remove the backup once we are done:
mkdir /usr/clearos/sandbox/etc/httpd/conf/temp
mv /usr/clearos/sandbox/etc/httpd/conf/server.crt /usr/clearos/sandbox/etc/httpd/conf/temp/
mv /usr/clearos/sandbox/etc/httpd/conf/server.key /usr/clearos/sandbox/etc/httpd/conf/temp/
Next, we will create a certificate request and associated key for the server:
openssl req -new -newkey rsa:4096 -nodes -keyout /usr/clearos/sandbox/etc/httpd/conf/server.key -out /root/gen3.clearos.com.csr
This command creates a new key file in the Webconfig configuration directory and writes the certificate request to /root, since the request is only needed for signing and is not used by the Webconfig web server afterwards.
The command asks a series of questions. Answer truthfully if you are a business, but if you are an individual I'd recommend bogus data, because everything in the subject is visible to anyone who can connect to the server (for example with port 81 open to the Internet). Here is what that looks like:
Generating a 4096 bit RSA private key
............................................................................................................++
............................................................................................................++
writing new private key to '/usr/clearos/sandbox/etc/httpd/conf/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:UT
Locality Name (eg, city) [Default City]:Orem
Organization Name (eg, company) [Default Company Ltd]:ClearCenter
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:gen3.clearos.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
I didn't set a challenge password on the request because there is no third party that needs to validate it (you are the authority here). What matters most is the Common Name: it must match the DNS name you type into the browser exactly, or the browser will still report a certificate error. Browsing to the IP address will not work either, since the name in this certificate is a DNS name (an IP address can only be covered by an IP entry in a Subject Alternative Name extension, which this request does not add). Also be aware that current browsers ignore the Common Name altogether and require the hostname in a Subject Alternative Name extension, so with a CN-only certificate like this one you may still see a warning; see the worked example at the end of this page for a request that adds one.
To sign the certificate request (.csr) with your own CA, run the following:
openssl x509 -req -in /root/gen3.clearos.com.csr -CA /etc/pki/CA/ca-cert.pem -CAkey /etc/pki/CA/private/ca-key.pem \
    -CAcreateserial -out /usr/clearos/sandbox/etc/httpd/conf/server.crt -days 3650
The -days flag asks for a certificate valid for 10 years, longer than the life of the server. You can set the expiry to whatever number of days you wish, but note that macOS 10.15 / iOS 13 and later reject TLS server certificates issued after July 2019 whose validity exceeds 825 days, even when they come from a CA the user installed, so the Mac clients described above will still complain about a 10-year certificate. 825 days or fewer is the safe upper bound.
You should get back the following response, whose subject should match the information you gave earlier:
Signature ok
subject=/C=US/ST=UT/L=Orem/O=ClearCenter/CN=gen3.clearos.com
Getting CA Private Key
You can confirm that the certificate and key file are now in the Webconfig web server directory:
cat /usr/clearos/sandbox/etc/httpd/conf/server.crt
cat /usr/clearos/sandbox/etc/httpd/conf/server.key
Next, tighten the permissions so that only the webconfig user can read the private key:
chmod 600 /usr/clearos/sandbox/etc/httpd/conf/server.crt
chmod 600 /usr/clearos/sandbox/etc/httpd/conf/server.key
chown webconfig:webconfig /usr/clearos/sandbox/etc/httpd/conf/server.crt
chown webconfig:webconfig /usr/clearos/sandbox/etc/httpd/conf/server.key
They should look like this:
ls -la /usr/clearos/sandbox/etc/httpd/conf/server.*
-rw------- 1 webconfig webconfig 1631 Apr 21 13:19 /usr/clearos/sandbox/etc/httpd/conf/server.crt
-rw------- 1 webconfig webconfig 3268 Apr 21 13:09 /usr/clearos/sandbox/etc/httpd/conf/server.key
Now restart your webconfig service:
service webconfig restart
Next, from a computer that trusts the ClearOS CA, point your browser at the DNS name of your ClearOS server (in this case https://gen3.clearos.com:81) and you should get through without certificate errors.
You can also look at the certificate in the browser now and see that it is issued by your CA and carries the server's name:
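The whole procedure above (request, sign with your own CA, lock down permissions, verify) as one script you can dry-run in a scratch directory before touching the live Webconfig files. This is an added example, not ClearOS project code: it generates a throwaway CA in place of /etc/pki/CA, uses the constructed hostname gen3.clearos.com, and assumes openssl 1.0.2 or newer on PATH. Unlike the bare command in the guide it adds a subjectAltName and the other extensions current browsers expect, and it checks the result the same way a client will (chain to the CA plus hostname match), which also exposes the "signed by system.domain.lan" problem described above.

```shell
#!/bin/sh
# Added example, not ClearOS project code. Reproduces the Webconfig certificate
# procedure in a scratch directory. Assumptions: openssl 1.0.2+ on PATH; the CA
# name, hostname gen3.clearos.com and every path below are constructed for the demo.
set -eu

# Minimal OpenSSL config. v3_ca marks the test root as a CA; v3_server puts the
# hostname into a subjectAltName, which current browsers require (CN alone fails).
write_openssl_config() {
    dir=$1; host=$2
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = $host

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
}

# Stand-in for the ClearOS CA. On a real server skip this and point the -CA /
# -CAkey options at /etc/pki/CA/ca-cert.pem and /etc/pki/CA/private/ca-key.pem.
make_test_ca() {
    dir=$1
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -subj "/O=ClearCenter/CN=Test ClearOS CA" -days 3650 \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem"
}

# Key + CSR for the server, then sign the CSR with the CA and attach the server
# extensions. Default validity is 825 days, the longest Apple clients accept.
issue_server_cert() {
    dir=$1; host=$2; days=${3:-825}; bits=${4:-4096}
    openssl req -new -newkey "rsa:$bits" -nodes -sha256 \
        -config "$dir/openssl.cnf" \
        -subj "/C=US/ST=UT/L=Orem/O=ClearCenter/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/$host.csr"
    openssl x509 -req -sha256 -days "$days" -in "$dir/$host.csr" \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions v3_server \
        -out "$dir/server.crt"
    # Same permissions the guide sets: the private key must not be world-readable.
    chmod 600 "$dir/server.key" "$dir/server.crt"
}

# Client-style check: succeeds only if server.crt chains to ca-cert.pem AND
# covers $host. After update-ca-trust extract you can run the same command with
# -CAfile /etc/pki/tls/certs/ca-bundle.crt to prove the system bundle trusts it.
verify_server_cert() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca-cert.pem" -verify_hostname "$host" \
        "$dir/server.crt" >/dev/null 2>&1
}

# Issuer of a certificate file: shows "Test ClearOS CA" here, but would show
# system.domain.lan for the self-signed default Webconfig certificate.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# To inspect what a running server actually presents (needs network, not run here):
#   echo | openssl s_client -connect gen3.clearos.com:81 -servername gen3.clearos.com 2>/dev/null \
#        | openssl x509 -noout -subject -issuer -dates

# Demo run in a scratch directory (constructed paths, removed afterwards).
WORK=$(mktemp -d)
write_openssl_config "$WORK" gen3.clearos.com
make_test_ca "$WORK"
issue_server_cert "$WORK" gen3.clearos.com
cert_issuer "$WORK/server.crt"
verify_server_cert "$WORK" gen3.clearos.com
echo "server.crt chains to the CA and covers gen3.clearos.com"
rm -rf "$WORK"
```

To use it against a real server, drop make_test_ca, point the -CA and -CAkey options at the ClearOS CA files, and copy the resulting server.key and server.crt into /usr/clearos/sandbox/etc/httpd/conf/ with the chown webconfig:webconfig and service webconfig restart from the guide. Running verify_server_cert with a different hostname (or an IP address) fails, which is exactly the error a browser reports when the name typed into the address bar does not match the certificate.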