Trusting self signed certificates - RHEL 6 - Apache

Soldato
Joined
18 May 2010
Posts
22,376
Location
London
Need some help on this one.

Work web application (intranet) uses Apache and some self signed certificates.

How do I get them to be trusted automatically in Chrome and Firefox? We don't want to manually ignore the warning the browser displays when you browse to the URL.

I've tried a few things and no luck so far.

Thanks
 

beh

Associate
Joined
16 Oct 2003
Posts
2,197
Have you tried importing it with certmgr? (Control panel > manage computer certificates)

Perhaps better to create a root CA and use that to sign any certificates you need. Slight faff initially but then you only need to import the root certificate, so would potentially save some time in future if creating any new certificates which you'd otherwise have to import individually.
 
Soldato
OP
Joined
18 May 2010
Posts
22,376
Location
London
It appears we already have a root CA in an IPA server running on the system.

I've spent a while searching for information on how to get the browsers to trust the server it's connecting to but no luck yet. The certificates in Apache are signed by the IPA server.

Just how to get the browser to trust it?

I was thinking of importing the IPA CA certificate into the browser?

---

Well, I imported the FreeIPA CA cert. It went into Chrome and 'looks like' it lists the CA correctly as trusted. However, it still doesn't get rid of the warning message.
 
beh

Associate
Joined
16 Oct 2003
Posts
2,197
> I was thinking of importing the IPA CA certificate into the browser?

Yes, that would be the one to import.

If it doesn't work doing it in Chrome/Firefox then, as said, try certmgr as browsers will check the Windows certificate store.

How many computers are you doing this for? For more than a couple and if you're on a domain perhaps save some time doing it with group policy.
 
Soldato
OP
Joined
18 May 2010
Posts
22,376
Location
London
> Yes, that would be the one to import.
>
> If it doesn't work doing it in Chrome/Firefox then, as said, try certmgr as browsers will check the Windows certificate store.
>
> How many computers are you doing this for? For more than a couple and if you're on a domain perhaps save some time doing it with group policy.

This is on RHEL 6 mate. :p
 

beh

Associate
Joined
16 Oct 2003
Posts
2,197
Sorry, was assuming you meant it was the server with Apache that was on RHEL. Sometimes difficult to imagine people not using Windows for desktop.

Should simply be a case of copying the certificate to /etc/pki/ca-trust/source/anchors/ on each machine and running "update-ca-trust".
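
The step described in the post above, plus a check that a server certificate really chains to the CA being imported, as an added example that is not part of the original thread. The file names, the demo CA name and the host name are constructed; `make_demo_pki` only generates throwaway data so the check can be tried offline.

```shell
#!/bin/bash
# Added example (not from the thread). Run install_ca as root on each CLIENT machine.

ANCHORS=/etc/pki/ca-trust/source/anchors   # directory quoted in the thread

# install_ca CA_PEM: add the CA to the system trust store and rebuild the bundles.
install_ca() {
    cp "$1" "$ANCHORS/" && update-ca-trust
}

# chains_to_ca CA_PEM CERT_PEM: succeed only if CERT_PEM verifies against CA_PEM.
# The output is parsed rather than the exit status, because some older OpenSSL
# releases exit 0 even when verification fails.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# issuer_of CERT_PEM: print the issuer, to compare against the CA's subject.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# make_demo_pki DIR: constructed sample data. Creates a throwaway CA, a server
# certificate signed by it, and an unrelated self-signed certificate.
make_demo_pki() {
    local d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo IPA CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=intranet.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=intranet.example.test" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
}
```

Running `chains_to_ca` with the CA file and the certificate Apache serves, before distributing the CA to clients, shows whether importing that CA can remove the warning at all; a self-signed certificate fails the check even when its subject matches the host name.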
 
Soldato
OP
Joined
18 May 2010
Posts
22,376
Location
London
> Sorry, was assuming you meant it was the server with Apache that was on RHEL. Sometimes difficult to imagine people not using Windows for desktop.
>
> Should simply be a case of copying the certificate to /etc/pki/ca-trust/source/anchors/ on each machine and running "update-ca-trust".

Ohhh that's new! I ran the above but only on the server running the IPA. I didn't do it on the client!

Will try on Monday!

And yes, it's a RHEL 6 server running Chromium connecting to an Apache intranet page on another RHEL 6 server.
 
Associate
Joined
1 Sep 2009
Posts
1,084
> Ditch a self signed cert? No need for them

This, but don't use a Let's Encrypt cert unless it needs to be accessible by non-domain joined machines. Put a proper certificate on there generated by your own CA and it should automatically be trusted by all your clients.
 