TLS certificate--can I make a fake CA?
-
No, I did not name my pfsense that, I was obscuring the unique ID it currently uses. I am using a netgate box, which came with a predefined name. I have not changed it, so I didn't want to be posting the ID openly.
I am interested, but not finding your posts to which you are referring. Do you have a link to one such post, so you don't need to repost the whole thing?
-
The ID on the initial GUI cert isn't anything secret, it's only randomized so that your browser sees a unique certificate subject. Firefox especially dislikes having multiple certificates with the same subject line. The randomness helps keep that from being a problem.
-
@CyberMinion said in TLS certificate--can I make a fake CA?:
, so you don't need to repost the whole thing?
I don't think the images would of survived the forum update... I will put one together in the morning.. Only take a couple of minutes.
-
Ok here you go..
So create a new CA.
Download the CA cert to your machine.
Now create new CERT using that CA.
Give it a desc name, pick your new CA, put in the common name for your pfsense box, ie its fqdn you use to access it.. Mine is sg4860.local.lan Any other optional stuff you want to fill out.
Make sure you change it to server cert vs user cert
And SAN (alternate names) for your pfsense box, or any other device your going to install this server cert on. Make sure you add the FQDN SAN.. Many browsers now require this not just the common name on the cert.
You can even put in your IP if you want to be able to hit the IP as trusted.
Install the newCA as trusted in your browser - this is firefox
Change pfsense gui to use the new cert signed by your newca
And there you go bing bang your trusting your pfsense gui, green and pretty.
And you can even use the the IP to get to it still trusted and green
Now your good for as long as you made the cert for - 10 years should be good ;)
Any questions just ask..
While its a lot of pics and looks like a lot of steps.. Its really only couple of mins tops!
Now your shiny new CA, can sign off on any boxes you want to put certs... Any browser that trusts your CA will trust any certs signed by your ca, IE, FireFox, Chrome, Opera, etc.. Even your mobile devices browsers can trust your CA.
This one time thing for any devices that devices under your control will access. But this sort of setup is not good for when the public are large groups of devices/browsers you do not control - or are not willing to trust your CA, etc. But since say the pfsense gui should only be accessed by "admins" of your firewall.. Say YOU only then this is simple solution that is one time thing and then good for years and years.
-
G Gertjan referenced this topic on
-
J johnpoz referenced this topic on
-
J johnpoz referenced this topic on
-
Hello johnpoz,
I'm bringing up this old but very topical subject.
Thank you for your explanations and screenshots. Thanks to that, I finally understand how a certificate works.
I have one question though.
I tried to do the same thing, taking the "CA" then creating a "CERT" for my "UCK_Gen2-Plus" using its IP address (192.168.1.49) ... but impossible to connect to it without the famous message
Do you have any ideas or tips on how to do this?
Thanks for your help
-
@SwissSteph I posted my instructions I use in the other thread where this came up. I don't have the unifi hardware, I just run it as a VM to run the controller. Its quite possible there is some other procedure on their little device to use a different cert.. You might want to get on their forums and docs for specific instructions for there uck..
I found these instructions on their forums - and seems the different method with just changing out the pems and not in a store..
I would be happy to help - but I don't have that device to play with..
-
Thank you for your reply, it's really nice of you to help us.
I'll try to search and find it. If I find a solution I'll come here and share it!
Thanks again
-
@SwissSteph happy to help, even when its not pfsense thing.. I can tell you the unifi controller needs a lot of work in some areas.. It only supports tls 1.2 which is crazy with tls 1.3 being out for like 5 years.. Changing the cert is horrible painful.. It should just be simple gui - can tell you the omada controller is just gui to change the cert, and supports tls 1.3
And another thing that bugs me is the AP themselves are using a very dated version of dropbear for ssh access.. It really should be updated..
Shoot even my really old printer allows for gui changing of the cert used to access its webgui..
-
I thought I'd made a "good choice" by buying "switches", "cameras" and "WiFi antennas" ... I see that they still have a lot of work to do, and I also wonder about the safety of their environment.
Right now, I don't have the money to change everything, and besides, it's working, so I can relax a bit, but I'm still really wondering.
Reliability (one camera broke down in less than 12 months), security (as you point out) and the slowness of reaction to simply implement an interface for what we're talking about.
I wanted to thank you again for all your help and advice, I really appreciated it.
-
@SwissSteph said in TLS certificate--can I make a fake CA?:
security (as you point out)
I was just pointing out things that bug me about what they work on.. It has been asked for years for easier way to update the ssl cert.. A self signed cert is really just as secure as signed one.. From a encryption point of view.. And tls 1.3 should of been deployed years ago - not like that hasn't been asked countless times on their forums as well..
I am not aware of any exploits to the ssh version they are running on the AP, and they should never be exposed to anyone/thing that would even attempt to exploit them in the first place via ssh. But they update the firmware on the AP all the time, how hard would it be to update dropbear to the current version? If they can not because of some limitation in specific AP hardware, etc. then why don't they state that - its been asked on their forums multiple times about updating it.
Never been a fan of their switches - I did get the little flexmini switch to play with, which does work, and is tiny as hell, and love the it can be powered via poe.. It does have some use cases for sure, and the price is very reasonable.. Just not a fan of how they allow the user to manage and what feature set is on them..
I have been using their APs for many years, and to be honest they have been pretty rock solid.. I have never seen any real issues with their AP from a provide wifi point of view.. And one point I was tempted to start deploying their cameras - but still getting around to camera deployment.. I do want to put some up.. But prob wont be unifi, there are some much cheaper options for sure, with better/more features. I always just keep putting it off, tell myself I will do it in the spring when the attic isn't so hot to run the wires.. Then next thing I know its too hot up there and never ordered them, then I say oh in the fall - and next thing you know its snowing ;)
As to your adoption - are all your devices on the same L2 network as the controller.. If you have any sort of network segmentation and they are not on the same L2 network you do have to do some extra work with L3 adoption, etc.
I would still recommend certain APs of theirs - but not a fan of the cost of some of their new ones that are wifi 6, but only have gig interfaces.. Why they didn't just go with a 2.5ge interface is crazy - you have to get a very expensive enterprise model to get 2.5ge interface on them.. Wifi 7 is just around the corner, so unless my APs die I prob won't be updating them until then.. And if one of mine did die, I have flexHD AP just sitting on my self that I could leverage until figure out what I want to move to.. It might be the omada line - the price on their wifi 6 ap with 2.5ge interface is very reasonable..
-
Hello,
Thank you for these complete explanations, which reassure me a little :-)
I don't have Wifi 6, only Wifi 5 with their antenna. I've had problems adopting my cameras when everything was on the same network.
Once seen and once not, mainly when I received a new one from them because mine was broken under warranty. I'm not ruling out the possibility of inexperience on my part, which could have caused me to make a mistake, but I still doubt it.
But now that I've (thanks to this forum and the help you've given us) set up a VLAN for my cameras, it seems to be working.
To sum up, on the whole I'm managing, it's just that I'm not really confident any more since my camera (7-8 months of use and fixed warm inside) suddenly refused to work.
-
@SwissSteph said in TLS certificate--can I make a fake CA?:
suddenly refused to work.
Things die, all things die.. Maybe you just unlucky - since it was less than a year, should be able to get warranty replacement.. When it sucks is when something dies a few days out of warranty..
edit:
Just looked my APs are from 2016, all 3 still going fine a uap-ac Pro, Lite and LR.. Knock on wood I just didn't jinx myself ;) -
Yes, they replaced it for me, but it's very complicated to get the parcel sent to another country, customs problems at home, etc.
In the end, I was lucky (but also lost confidence) and got a new G3 Flex.
