How to deal with self-signed certificates in household devices
Devices come to my house with pre-installed self-signed certificates that apply to their management web UIs. Chrome issues a dire warning and requires extra clicks every time I visit one.
My primary system for communicating with these puppies (a NAS, two printers and some switches) is a Mac.
I've dabbled with Let's Encrypt certificates, but their relatively short lifetimes make this painful, since none of them officially support any way to automatically update the certs.
Is there anything resembling a consensus on the least bad solution here? I can imagine:
- Adding the self-signed certs to the macOS trust store.
- Using a different browser.
- Just living with the warning interstitial screens.
I use my personal certificate authority (CA) for this. Using easy-rsa it's easier than it sounds.
There are tons of tutorials for this, so I just summarize it:
- install easy-rsa; it comes with every package manager I know.
- create a directory that holds your CA
- run easyrsa init-pki
- run easyrsa build-ca
You will be asked for some values and the necessary CA certificate is generated.
You need to install the CA on all the devices you use to access other devices, computers, smartphones, tablets, etc, but you only need this once. The CA certificate should have a pretty long life span, 20 years by default IIRC. Note: Some programs, for example Firefox, have their own CA store, others use the OS store.
Now you can create certificate signing requests (CSRs) for it, one per device.
$ easyrsa gen-req myhost.example.com
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Generating a RSA private key
...........................+++++
............................................................................................+++++
writing new private key to '/etc/pki/easy-rsa/pki/easy-rsa-7555.JtHhWc/tmp.6lTbPU'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [myhost.example.com]:
Keypair and certificate request completed. Your files are:
req: /etc/pki/easy-rsa/pki/reqs/myhost.example.com.req
key: /etc/pki/easy-rsa/pki/private/myhost.example.com.key
sign the CSR (as a server certificate, since the device's web UI will present it): easyrsa sign-req server myhost.example.com
Now you have a certificate that you can import on your device, along with its key:
- /etc/pki/easy-rsa/pki/issued/myhost.example.com.crt
- /etc/pki/easy-rsa/pki/private/myhost.example.com.key
These certificates should be accepted as valid on all devices where you installed your CA certificates.
If you are really paranoid you can put the pki directory on an (encrypted) USB thumb drive, place it in a safe drawer and only take it out when you need to create a new certificate. You don't need it in the meantime.
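The same procedure as the answer above, written out as an added example with plain openssl rather than easy-rsa so that the certificate extensions are visible; this is not code from the post. Two details decide whether Chrome and Safari accept a private-CA certificate without a warning: the device name must appear in subjectAltName (Chrome has ignored the Common Name since version 58) and extendedKeyUsage must contain serverAuth, which is what easy-rsa's "server" certificate type sets. The hostname nas.home.lan, the CA name and the $CA_DIR directory are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not from the post: a minimal private CA built with plain
# openssl (the steps easy-rsa wraps), issuing a web-UI certificate that
# current browsers accept.  Hostname "nas.home.lan", the CA name and
# $CA_DIR are assumptions.
set -e

CA_DIR="${CA_DIR:-$PWD/homelab-ca}"

# Step 1: CA key and self-signed CA certificate, valid 20 years (easy-rsa's
# default).  CA:true plus keyCertSign are what let a trust store treat it
# as an issuer.  A private config file is used so the system openssl.cnf
# does not add conflicting extensions.
build_ca() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/issued"
    chmod 700 "$CA_DIR/private"
    cat > "$CA_DIR/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Home Lab Root CA
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$CA_DIR/private/ca.key"
    openssl req -x509 -new -key "$CA_DIR/private/ca.key" -sha256 -days 7300 \
        -config "$CA_DIR/ca.cnf" -out "$CA_DIR/ca.crt"
}

# Step 2: per-device key, CSR and signed certificate.  The SAN carries the
# name browsers match against, serverAuth is the EKU a web server needs
# (the equivalent of easy-rsa's "server" type), and 825 days is the longest
# lifetime macOS and Safari accept for a TLS server certificate.
issue_server_cert() {
    host="$1"
    ext="$CA_DIR/issued/$host.ext"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$CA_DIR/private/$host.key"
    openssl req -new -key "$CA_DIR/private/$host.key" -subj "/CN=$host" \
        -config "$CA_DIR/ca.cnf" -out "$CA_DIR/issued/$host.csr"
    cat > "$ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -in "$CA_DIR/issued/$host.csr" \
        -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/private/ca.key" -CAcreateserial \
        -sha256 -days 825 -extfile "$ext" \
        -out "$CA_DIR/issued/$host.crt" 2>/dev/null
}

# Step 3: check the result the way a browser will: chains to the CA, SAN
# present, serverAuth EKU present.  Returns non-zero if any check fails.
verify_cert() {
    host="$1"
    crt="$CA_DIR/issued/$host.crt"
    openssl verify -CAfile "$CA_DIR/ca.crt" "$crt" >/dev/null &&
    openssl x509 -in "$crt" -noout -text | grep -q "DNS:$host" &&
    openssl x509 -in "$crt" -noout -text | grep -q "TLS Web Server Authentication"
}

# Run the whole procedure when invoked as "sh thisfile.sh demo".
if [ "${1:-}" = "demo" ]; then
    build_ca
    issue_server_cert nas.home.lan
    verify_cert nas.home.lan && echo "nas.home.lan certificate OK"
fi
```

Install $CA_DIR/issued/nas.home.lan.crt and its key on the device, and the CA certificate on each client. On a Mac the command-line way to add the CA to the system keychain is `sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain homelab-ca/ca.crt`; Chrome and Safari read that keychain, Firefox keeps its own store as the answer notes. If you stay with easy-rsa, sign with the `server` type and check your version's option for adding the subjectAltName, because a certificate with only a Common Name still draws the Chrome warning.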
