
I've been reading a lot about SSL certificates as of late and trying to get my localhost services to have SSL certificates to avoid warnings and whatnot. These services are 100% local, their ports are NEVER exposed to the outside.

I understand that it's not possible for a CA to issue certificates for localhost domains and that one of my choices is a self-signed certificate. I've created one for "host.domain.home" and now I have a green lock on Firefox but with a small yellow warning symbol and I get a warning when I first try to access this server (because it was not issued by a certified CA). Understandable.

Is it possible to get the warning gone? I tried to install the certificate into the Trusted Root Certification Authorities on Windows and the same on Firefox certificates manager. But I still get the warning.

Is it possible to "workaround" this somehow?

rfgamaral
  • Considering there is by definition just one client, have you considered making your own CA and telling the server (in its capacity as client) to trust it? – MadHatter Oct 18 '17 at 09:07
  • I think that self-signed certificates result in warning messages and that the solution is to run your own CA, use that to sign your certificate and loading the public key for your CA in the trusted CA store ought to remove the warning. – HBruijn Oct 18 '17 at 09:07
  • @HBruijn great minds think alike :) ! – MadHatter Oct 18 '17 at 09:22
  • @MadHatter They do indeed! :) – HBruijn Oct 18 '17 at 09:27
  • Yes, I've come across such a solution of running my own CA but I'm not sure how that would work. I mean, I would have to install my Root CA certificate into Windows/Firefox, correct? And that would be enough for the intermediate certificate (signed by that root CA) to be "fully trusted" by Firefox and show the green lock without warnings? – rfgamaral Oct 18 '17 at 09:33
  • That is correct. When an application trusts a CA, it trusts them, whether it's Verisign's CA or Ricardo's House Of Shonky Certificates' CA. – MadHatter Oct 18 '17 at 09:34
  • But I'm still confused, what's the difference between a Root CA installed as a CA on my machine and self-sign an intermediate certificate with that Root CA and install a single self-signed directly into the Root CA? Why would one show warnings while the other doesn't? – rfgamaral Oct 18 '17 at 09:34
  • It's difficult to answer that question because (*inter alia*) "*install a single self-signed directly into the Root CA*" doesn't make any sense. This is not the right place for a general primer on SSL; consider trying it, and you might learn what the difference between "*trust this certificate for this site*" and "*trust this CA (for all certificates)*" is. – MadHatter Oct 18 '17 at 09:36
  • I've just tried what you guys recommended and was successful, but please read my answer below. Thank you very much. – rfgamaral Oct 18 '17 at 14:03

1 Answer


Given the suggestions above in the comments section I went ahead and created my own CA to be used locally only. I followed the following tutorial for that:

https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/

This article is a bit old (2012) but it's still up to date minus one minor inconvenience. The problem is with Google Chrome from versions 58 and up. Before going ahead and generating your keys and certificates, check this question:

https://stackoverflow.com/questions/21488845/how-can-i-generate-a-self-signed-certificate-with-subjectaltname-using-openssl

Thank you @MadHatter and @HBruijn. If any of you want to provide an up-to-date tutorial instead of the links above, I'll gladly mark that answer as accepted, otherwise I'll mark this one. I know links like these are not preferred (because they may break in the future and this answer will lose its value) but I personally don't have the time to type a great answer with all the steps. Sorry for that.

rfgamaral
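The procedure discussed in the comments and the answer (a private CA, then a server certificate signed by it that carries a subjectAltName, which the answer notes Chrome 58 and up need), written out as an added example that is not part of the original answer or the linked tutorials. The function names, file names and the CA's common name are assumptions; `host.domain.home` is the name from the question.

```shell
# Build a private CA and one server certificate for a local hostname.
# Usage: make_local_cert <hostname> <output-dir>   (names here are illustrative)
make_local_cert() {
    host=$1; dir=$2
    mkdir -p "$dir" || return 1

    # Own req config, so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Home CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

    # Leaf extensions: not a CA, server auth only, hostname carried in the SAN.
    cat > "$dir/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF

    # 1. CA key and self-signed root certificate.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 3650 \
        -config "$dir/ca.cnf" -out "$dir/ca.pem" &&
    # 2. Server key and certificate signing request.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/server.key" -config "$dir/ca.cnf" \
        -subj "/CN=$host" -out "$dir/server.csr" &&
    # 3. Sign the CSR with the CA and attach the leaf extensions.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -sha256 -days 365 \
        -extfile "$dir/leaf.ext" -out "$dir/server.crt" &&
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# Check what a client checks: the chain verifies against the CA, and the
# certificate lists the hostname as a SAN entry.
check_local_cert() {
    host=$1; dir=$2
    openssl verify -CAfile "$dir/ca.pem" "$dir/server.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host"
}
```

Only `ca.pem` goes into the Windows Trusted Root store and Firefox's certificate manager; `ca.key` stays private, and the server is configured with `server.crt` and `server.key`.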