punkwalrus (punkwalrus) wrote,

Installing a self-signed cert on a server, forcing Chrome on Linux to like it

This was such a pain in the ass, I wanted to save it for later.

Setup: I have a Debian server, running the browser Chrome. I had SSL problems for my Smoothwall firewall which didn't allow me to store passwords, nor could I go onto the site without "OMFG YOU ARE GOING TO AN UNTRUSTED SITE LOOK OUT!!!" errors from Chrome.

Given that I didn't want to shell out $50 for a real root cert, I needed to generate a self-signed cert because, well, the one that came with Smoothwall was mostly empty and stupid. I needed to do this anyway for my own educational purposes.

Step 1: Generate a Private Key
openssl genrsa -des3 -out smoothwall.server.key 2048

It asked me for a passphrase, so I chose password12345 (not really, but I am not telling you my real one which is 230 characters long, and not the same passowrd as my luggage)

Step 2: Generate a CSR (Certificate Signing Request)
openssl req -new -key smoothwall.server.key -out smoothwall.server.csr

Then I filled out this:
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Dementia
Locality Name (eg, city) [Newbury]:Paranoid
Organization Name (eg, company) [My Company Ltd]:Punadyne Labs
Organizational Unit Name (eg, section) []:Speculative Techology
Common Name (eg, your name or your server's hostname) []:smoothwall.localdomain
Email Address []:cforrester@gizmonic.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: [left blank]
An optional company name []: [left blank]

Step 3: Remove Passphrase from Key
I fucking hate it when sysadmins forget this step, and every damn time I have to restart the webserver, I have to enter in a passphrase. This removed the passphrase, but make sure that when you save it on the server, this file is set to only be readable by the root user!
cp smoothwall.server.key smoothwall.server.key.orginal.withpassphrase
openssl rsa -in smoothwall.server.key.original.withpassphrase -out smoothwall.server.key

Ideally, you should have these files and permissions:
$ ls -al
-rw-r--r-- 1 root root 745 Mar 10 12:19 smoothwall.server.csr
-rw-r--r-- 1 root root 891 Mar 10 13:22 smoothwall.server.key
-rw-r--r-- 1 root root 963 Mar 10 13:22 smoothwall.server.key.original.withpassphrase

Step 4: Generating a Self-Signed Certificate
At this point, normally you mail the CSR to some site that charges you $50 or more to generate a cert. But fuck that for a personal home network. I am self-signing for 5 years because after 5 years... well, I don't think this server/setup will last that long. Hell, I hope it survives the next reboot, I have it on an old Dell desktop.
openssl x509 -req -days 1825 -in smoothwall.server.csr -signkey smoothwall.server.key -out smoothwall.server.crt

Yes, that's what Verisign charges you $125 for doing. Oh, but they are "trusted." Whatevs.

Step 5: Installing the Private Key and Certificate
In this case, I had to check where Smoothwall stored its certs. I found the apache config, and noted these lines:
SSLEngine On
                SSLCertificateFile    /etc/httpd/server.crt
                SSLCertificateKeyFile /etc/httpd/server.key

I backed up those files in case something went horribly wrong (note, you should always do this), and then I copied my files over to there, renaming them "server.crt" and "server.key" so that everything matched. Yippie skippy. I couldn't figure out how to restart the web server itself, so I rebooted the box. Ha ha, fuck you, all who were on my network!

Step 6: Testing the cert
I looked in Chrome, which STILL said it was untrusted, and since Google Chrome in Linux doesn’t have a SSL certificate manager. Chrome for Linux relies on some "NSS Shared DB" which I am sure sounds clever to somebody. But I checked and made sure the new cert was no longer the generic Smoothwall "A Dooooyyyy" cert. Yep, Punkadyne Labs. Now I have to beat up Chrome.

Step 7: Installing the cert in some NSS Shared DB
Frankly, it was easier for me to load the site in Firefox (on a Windows machine), then export the cert as punkadyne.sslserver.crt.pem (PEM stands for "Privacy Enhanced Mail," I had to look this up, must be a legacy thing) and then copy it over to my Debian box. Them I imported it:
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "Smoothwall Server" -i punkadyne.sslserver.crt.pem

Then I had to restart Chrome. And voila! We are up and running. Chrome trusts the cert, I can store the password in my password cache, and life is bootyfull.

Note: If you get an unhelpful error like "certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database" you probably have done what I did: tried to install a certificate with the same name twice. You can find out if you did this with:

certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes

Smoothwall Server                                            CT,, 

When I switched to a new firewall, I had to add it as a new name for the cert, "Smoothwall Server 3.1":

certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes

Smoothwall Server                                            CT,, 
Smoothwall Server 3.1                                        CT,, 

What a wasted couple of hours tracking that one down.
Tags: browser, cert, chrome, debian, howto, install, linux, smoothwall, ssl, tech

  • 158 Days with no sugar

    Well, day 158. Thought I'd tell you how it was going. My first big hurdle was Balticon at the end of May, which came and went with little fuss. I…

  • More on sugar-free endurance test

    Like I said in my last post, I am not sure where I am going with this. I kind of expected this to be harder. That being said, I kind of don't want to…

  • Day 35 with no sugar

    I have had odd cravings. Like pineapple juice. I used to hate pineapple juice as a kid, and only barely tolerated it as an adult. Sour and bitter, I…

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded