Setup: I have a Debian server, running the Chrome browser. I had SSL problems with my Smoothwall firewall: Chrome wouldn't store passwords for it, and I couldn't even load the site without "OMFG YOU ARE GOING TO AN UNTRUSTED SITE LOOK OUT!!!" errors.
Given that I didn't want to shell out $50 for a real root cert, I needed to generate a self-signed cert because, well, the one that came with Smoothwall was mostly empty and stupid. I needed to do this anyway for my own educational purposes.
Step 1: Generate a Private Key
openssl genrsa -des3 -out smoothwall.server.key 2048
It asked me for a passphrase, so I chose password12345 (not really, but I am not telling you my real one, which is 230 characters long and not the same password as my luggage).
Step 2: Generate a CSR (Certificate Signing Request)
openssl req -new -key smoothwall.server.key -out smoothwall.server.csr
Then I filled out this:
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Dementia
Locality Name (eg, city) [Newbury]:Paranoid
Organization Name (eg, company) [My Company Ltd]:Punkadyne Labs
Organizational Unit Name (eg, section) :Speculative Technology
Common Name (eg, your name or your server's hostname) :smoothwall.localdomain
Email Address :firstname.lastname@example.org

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password : [left blank]
An optional company name : [left blank]
Step 3: Remove Passphrase from Key
I fucking hate it when sysadmins forget this step, and every damn time I have to restart the webserver, I have to enter a passphrase. This removes the passphrase, but make sure that when you save it on the server, this file is set to be readable only by the root user!
cp smoothwall.server.key smoothwall.server.key.original.withpassphrase
openssl rsa -in smoothwall.server.key.original.withpassphrase -out smoothwall.server.key
Ideally, you should have these files and permissions:
$ ls -al
-rw-r--r-- 1 root root 745 Mar 10 12:19 smoothwall.server.csr
-rw-r--r-- 1 root root 891 Mar 10 13:22 smoothwall.server.key
-rw-r--r-- 1 root root 963 Mar 10 13:22 smoothwall.server.key.original.withpassphrase
Step 4: Generating a Self-Signed Certificate
At this point, normally you mail the CSR to some site that charges you $50 or more to generate a cert. But fuck that for a personal home network. I am self-signing for 5 years because after 5 years... well, I don't think this server/setup will last that long. Hell, I hope it survives the next reboot; I have it on an old Dell desktop.
openssl x509 -req -days 1825 -in smoothwall.server.csr -signkey smoothwall.server.key -out smoothwall.server.crt
Yes, that's what Verisign charges you $125 for doing. Oh, but they are "trusted." Whatevs.
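Here are steps 1 through 4 as one non-interactive script, so the result can be checked rather than eyeballed. This is an added example, not the post's own commands: the passphrase, the working directory and the subject fields (copied from the prompts above) are assumptions, and the script also applies the chmod 600 that step 3 asks for, then verifies that the key and certificate actually belong together, that the cert is self-signed with the right CN, and that the validity is about 1825 days.

```shell
#!/bin/sh
# Added example: steps 1-4 of the post, scripted. Everything below is assumed
# (constructed passphrase, temp directory); only the openssl usage is the post's.
set -eu

WORK="${WORK:-$(mktemp -d)}"
NAME="smoothwall.server"
PASS="password12345"                  # constructed; never hard-code a real one
DAYS=1825
SUBJ="/C=US/ST=Dementia/L=Paranoid/O=Punkadyne Labs/OU=Speculative Technology/CN=smoothwall.localdomain/emailAddress=firstname.lastname@example.org"

make_selfsigned() {
  cd "$WORK"
  # Step 1: passphrase-protected private key (the post's -des3 form)
  openssl genrsa -des3 -passout "pass:$PASS" \
    -out "$NAME.key.original.withpassphrase" 2048 2>/dev/null
  # Step 2: CSR, with the subject given on the command line instead of the prompts
  openssl req -new -key "$NAME.key.original.withpassphrase" -passin "pass:$PASS" \
    -subj "$SUBJ" -out "$NAME.csr" 2>/dev/null
  # Step 3: strip the passphrase; create the plain key owner-only from the start
  ( umask 077; openssl rsa -in "$NAME.key.original.withpassphrase" \
      -passin "pass:$PASS" -out "$NAME.key" 2>/dev/null )
  chmod 600 "$NAME.key" "$NAME.key.original.withpassphrase"
  # Step 4: self-sign for five years
  openssl x509 -req -days "$DAYS" -in "$NAME.csr" -signkey "$NAME.key" \
    -out "$NAME.crt" 2>/dev/null
}

# Returns 0 only if the cert matches the key, is self-signed for the expected
# CN, is valid for roughly DAYS days, and the plain key is not group/world readable.
check_selfsigned() {
  cd "$WORK"
  crt_pub=$(openssl x509 -in "$NAME.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$NAME.key" -pubout)
  [ "$crt_pub" = "$key_pub" ] || { echo "key/cert mismatch" >&2; return 1; }

  subject=$(openssl x509 -in "$NAME.crt" -noout -subject)
  issuer=$(openssl x509 -in "$NAME.crt" -noout -issuer | sed 's/^issuer/subject/')
  printf '%s\n' "$subject" | grep -q 'CN *= *smoothwall.localdomain' \
    || { echo "unexpected CN: $subject" >&2; return 1; }
  [ "$subject" = "$issuer" ] || { echo "not self-signed" >&2; return 1; }

  # 1825 days = 157680000 s: must still be valid one day short of that,
  # and must be expired one day past it.
  openssl x509 -in "$NAME.crt" -noout -checkend 157593600 >/dev/null \
    || { echo "expires too early" >&2; return 1; }
  if openssl x509 -in "$NAME.crt" -noout -checkend 157766400 >/dev/null; then
    echo "valid for longer than $DAYS days" >&2; return 1
  fi

  mode=$(stat -c %a "$NAME.key" 2>/dev/null || stat -f %Lp "$NAME.key")
  case "$mode" in
    600|400) ;;
    *) echo "key mode is $mode, expected 600" >&2; return 1 ;;
  esac
}

# Usage: WORK=/some/dir sh thisscript.sh
make_selfsigned && check_selfsigned && echo "OK: $WORK/$NAME.crt"
```

The `-checkend` pair is the cheap way to confirm `-days` did what you meant, and the public-key comparison catches the classic mistake of copying a fresh cert next to a stale `server.key`.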
Step 5: Installing the Private Key and Certificate
In this case, I had to check where Smoothwall stored its certs. I found the apache config, and noted these lines:
SSLEngine On
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateKeyFile /etc/httpd/server.key
I backed up those files in case something went horribly wrong (note, you should always do this), and then I copied my files over to there, renaming them "server.crt" and "server.key" so that everything matched. Yippie skippy. I couldn't figure out how to restart the web server itself, so I rebooted the box. Ha ha, fuck you, all who were on my network!
Step 6: Testing the cert
I looked in Chrome, which STILL said it was untrusted, since Google Chrome on Linux doesn't have an SSL certificate manager. Chrome for Linux relies on some "NSS Shared DB," which I am sure sounds clever to somebody. But I checked and made sure the new cert was no longer the generic Smoothwall "A Dooooyyyy" cert. Yep, Punkadyne Labs. Now I have to beat up Chrome.
Step 7: Installing the cert in some NSS Shared DB
Frankly, it was easier for me to load the site in Firefox (on a Windows machine), then export the cert as punkadyne.sslserver.crt.pem (PEM stands for "Privacy Enhanced Mail," I had to look this up, must be a legacy thing) and then copy it over to my Debian box. Then I imported it:
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "Smoothwall Server" -i punkadyne.sslserver.crt.pem
Then I had to restart Chrome. And voila! We are up and running. Chrome trusts the cert, I can store the password in my password cache, and life is bootyfull.
Note: If you get an unhelpful error like "certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database" you probably have done what I did: tried to install a certificate with the same name twice. You can find out if you did this with:
certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Smoothwall Server                                            CT,,
When I switched to a new firewall, I had to add it as a new name for the cert, "Smoothwall Server 3.1":
certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Smoothwall Server                                            CT,,
Smoothwall Server 3.1                                        CT,,
What a wasted couple of hours tracking that one down.
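The SEC_ERROR_ADDING_CERT dead end above is avoidable by checking the nickname list before calling `certutil -A`. The functions below are an added example (not the post's commands and not part of NSS): they parse `certutil -L` output into nicknames, detect a collision, pick a free nickname, and print the import command as a dry run. The listing embedded in the script is a constructed sample modelled on the one in the post; in real use you would feed in the live output of `certutil -d sql:$HOME/.pki/nssdb -L`.

```shell
#!/bin/sh
# Added example: guard against importing a cert under a nickname that is already
# in the NSS shared DB. The listing below is constructed to look like certutil -L.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Smoothwall Server                                            CT,,
Smoothwall Server 3.1                                        CT,,
'

# Print one nickname per line from certutil -L output ($1). Drops the two header
# lines and blank lines, then strips the trailing trust column ("CT,,", "P,,", ...).
nss_nicknames() {
  printf '%s\n' "$1" \
    | sed -E -e '/^[[:space:]]*$/d' \
             -e '/Certificate Nickname/d' \
             -e '/SSL,S\/MIME,JAR\/XPI/d' \
             -e 's/[[:space:]]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[[:space:]]*$//'
}

# 0 if nickname $2 already exists in listing $1 (exact, whole-line match).
nss_has_nickname() {
  nss_nicknames "$1" | grep -Fxq -- "$2"
}

# Print a nickname that is free in listing $1: the wanted name $2 itself,
# otherwise "name (2)", "name (3)", ... This is what the post did by hand
# when it renamed the second cert "Smoothwall Server 3.1".
nss_free_nickname() {
  cand="$2"; n=1
  while nss_has_nickname "$1" "$cand"; do
    n=$((n + 1)); cand="$2 ($n)"
  done
  printf '%s\n' "$cand"
}

# Print the certutil -A command for db dir $1, listing $2, wanted nickname $3,
# PEM file $4. Dry run: pipe the output to sh once you are happy with it.
# The post used -t TC (trust as a CA for server and client auth); for a single
# self-signed server cert, -t P,, (trusted peer) trusts only that one certificate.
nss_import_cmd() {
  nick=$(nss_free_nickname "$2" "$3")
  printf 'certutil -d sql:%s -A -t TC -n "%s" -i %s\n' "$1" "$nick" "$4"
}

# Usage with the constructed listing (swap in the live one on a real box):
# nss_import_cmd "$HOME/.pki/nssdb" "$(certutil -d sql:$HOME/.pki/nssdb -L)" \
#     "Smoothwall Server" punkadyne.sslserver.crt.pem
nss_import_cmd "$HOME/.pki/nssdb" "$SAMPLE_LISTING" "Smoothwall Server" punkadyne.sslserver.crt.pem
```

With the sample listing the dry run prints an import under "Smoothwall Server (2)", because both "Smoothwall Server" and "Smoothwall Server 3.1" are already taken; a nickname that is not in the list is used unchanged.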