Local CA for self-signed certificates
Posted by quark007 | Posted in Computer & IT | Posted on 08-02-2026-05-2008
I was sick of getting security warning messages every time I accessed my server. In the past I had already set up a CA, but I cleaned up my virtual machines, and with them my root CA.
So I started over again, and this time I back up all the data twice. A good location is a password store (also capable of storing files; I am using KeePassXC for Windows).
I really liked the description I found while googling around: https://legacy.thomas-leister.de/eine-eigene-openssl-ca-erstellen-und-zertifikate-ausstellen/. It gave me a good idea of how a CA works, what needs to be done once and what needs to be done for every single certificate to be created.
For creating the root CA I followed the instructions closely. For creating signed certificates for several services I used an adapted single-line command:
openssl req -x509 -newkey rsa:4096 -keyout nextcloud-home-arpa.key -CA ca-root.pem -CAkey ca-key.pem -CAcreateserial -out nextcloud-home-arpa.crt -sha512 -days 36500 -nodes -subj "/C=CountryCode/ST=state/O=Location/OU=@home/CN=nextcloud.home.arpa" -addext "subjectAltName = DNS:nextcloud.home.arpa"
given that ca-root.pem and ca-key.pem are in the same directory.
At first I had forgotten to add the subjectAltName option, and thus all browsers showed the security warning page.
Firefox is a bitch
I set up all services and added my public CA key to the Windows certificate store and to the browser stores where required. But I did not get it to work with Firefox. Whatever I did, no matter how often the cert was recreated, Firefox always showed the security warning with the reason MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY. After some searching on the internet I found the solution here:
https://superuser.com/questions/1789026/generate-certificate-without-basic-constraints
At first I only commented out the first instance of basicConstraints in /etc/ssl/openssl.cnf. But there are some more. ALL need to be commented out to get it working.
Regenerate the certificate, replace the old one, restart the service, and Firefox works 🙂
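The Firefox error has a simple cause: "openssl req -x509" takes its extensions from the x509_extensions section of openssl.cnf, which in the stock config is v3_ca with "basicConstraints = critical,CA:true", so the server certificate is marked as a CA. Firefox refuses a CA certificate presented as an end entity, and -addext adds the SAN without replacing basicConstraints. Instead of editing the system-wide openssl.cnf, the leaf can be issued from a CSR with an explicit extension file that sets CA:FALSE, the SAN and a serverAuth key usage. The script below is an added example covering both the one-line issuing step and the Firefox fix; it is not code from the original post or from the linked tutorial. It uses its own minimal CA config (no dependency on /etc/ssl/openssl.cnf), a 2048-bit key and an 825-day leaf lifetime (Apple platforms reject server certificates that are valid for longer); the hostname nextcloud.home.arpa is taken from the post, everything else (file names, subjects, helper names) is the example's own choice.

```shell
#!/bin/sh
# Added example (not from the original post): a home CA that issues
# end-entity certificates Firefox accepts, without touching /etc/ssl/openssl.cnf.
set -eu

# make_ca DIR: create a root key and a self-signed root certificate whose
# extensions come from our own config, so CA:TRUE is set only where we want it.
make_ca() {
  dir=$1
  # Minimal config; "dn" is required by req even when -subj is used later.
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Home Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/ca.cnf" -keyout "$dir/ca-key.pem" -out "$dir/ca-root.pem" 2>/dev/null
}

# issue_leaf DIR HOST: key + CSR for HOST, then sign it with the CA using an
# explicit extension file. CA:FALSE is what stops MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY.
issue_leaf() {
  dir=$1; host=$2
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/ca.cnf" \
    -subj "/CN=$host" -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  cat > "$dir/$host.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # Unnamed section of -extfile is used when -extensions is not given.
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca-root.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# Checks a practitioner runs before installing a certificate:
# cert_is_ca FILE       -> success if basicConstraints says CA:TRUE
# cert_has_san FILE HOST -> success if the SAN lists DNS:HOST
# chain_ok CA CERT HOST -> success if CERT chains to CA and matches HOST
cert_is_ca()   { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }
chain_ok()     { openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; }

# Stand-alone demo in a scratch directory (skipped if openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  make_ca "$work"
  issue_leaf "$work" nextcloud.home.arpa
  leaf="$work/nextcloud.home.arpa.crt"
  if cert_is_ca "$leaf"; then echo "leaf is wrongly marked CA:TRUE"; else echo "leaf is CA:FALSE"; fi
  cert_has_san "$leaf" nextcloud.home.arpa && echo "SAN present"
  chain_ok "$work/ca-root.pem" "$leaf" nextcloud.home.arpa && echo "chain and hostname verify OK"
  rm -rf "$work"
fi
```

Import ca-root.pem (never ca-key.pem) into the Windows and Firefox trust stores; the server gets the .key and .crt. Regenerate a leaf by running issue_leaf again with the same CA directory.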
