TLS certificate--can I make a fake CA?

CyberMinion

I have installed the ACME package, and will start playing with it. Let's Encrypt certainly is popular...certs for free--who can argue with that?

The path to my CA/cert list in FF is a bit different for me, using FF v65. It is Menu>Privacy & Security>Certificates>View certificates
In there, I can supposedly import my cert, but when I attempt to do so, it demands a decryption key for the certificate...which I don't happen to know. I tried the pfsense admin password, the cert's private key, and almost anything else i could think of...no luck.

Gertjan

@cyberminion said in TLS certificate--can I make a fake CA?:

it demands a decryption key for the certificate...which I don't happen to know. I tried the pfsense admin password, the cert's private key, and almost anything else i could think of...no luck.

When you had the password generated, you did not supply a password.
So there is : none. (nothing).

@cyberminion said in TLS certificate--can I make a fake CA?:

Let's Encrypt certainly is popular...certs for free--who can argue with that?

Not exactly free.
You need to have a 'real' domain name. Not something like pfsense.local but something like yourhomenetwork.tld and only a registrar can give you one for a small annual fee.
The thing is : Letenscrypt, and any other certificate authority can only give you a real cert for real domain names, because you can prove that you own that domain name. To make this even more clear : you can not ask a cert authority to give you a certificate for example biggest-us-bank.com because you do not own that domain. Read https://letsencrypt.org/getting-started/
Proving that you own a domain name can be done by setting up some DNS sub domain for that domain, or placing a file in the webroot, on the server where the A (AAAA) record points to, etc.
You have to read and learn what it is all about, choose your way of "proving" , and set things up. Many domain registrars have a way that Letsenscrypt can use to check that your are the owner.
Also checkout pfSense Packages => ACME for many questions, answers and common pitfalls.

Remember the words of @johnpoz said : maybe home made certs will do just fine ^^

I had to use a real cert, not for accessing the pfSense web GUI, but for my captive portal users.

@cyberminion said in TLS certificate--can I make a fake CA?:

I'm trying to soak up as much knowledge as possible

Ready to enter the cert dimension ? ;)

johnpoz

@cyberminion said in TLS certificate--can I make a fake CA?:

I could not find in either Firefox or Chromium how to view or edit CAs.

So since like 64 of firefox it can be set to trust the Windows cert store... But you still can import them the same as before..

Options
login-to-view

Chrome has always just used the OS cert store.. So just install the CA into windows.

You can also get there from chrome settings advanced...
login-to-view

CyberMinion

I added the cert. to Firefox's certificate store. However, FF now complains that it is self-signed (duh!) And still requires an exception.
Error:
x.x.x.x uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
The certificate is only valid for pfSense-5xxxxxxxxxxxx.

Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
(IPs and IDs changed to protect the guilty)

I tried using the domain name also, but of course, that is only in the local DNS resolver. I do have a proper domain name I could potentially use for ACME, at least, but I doubt there's a way for it to help with this. It looks rather like I am not going to be able to get a fuss-free connection using local setup only, unless as I originally asked, I can set up my own CA.

Gertjan

About Firefox and your own CA : https://www.google.com/search?client=firefox-b-d&q=firefox+self+signed+certificate+problem

So, it's possible - but some steps are needed. Check also, because you'll discover while reading there their might be huge risks. And that's why home-baken certs are out of business these days.

johnpoz

@cyberminion said in TLS certificate--can I make a fake CA?:

The certificate is only valid for pfSense-5xxxxxxxxxxxx.

You called your pfsense that? Or you are just using the out of the box self signed cert it creates..

That is not the same as creating a CA in pfsense, then creating a cert to use for your webgui - and trusting the CA... Those are not "self signed"

I have gone over this with multiple posts with pictures of exactly how to do this over the years... Its possible the posts images did not come through when moved to new forum software. If you like I can walk you through this yet again.. With pictures ;)

CyberMinion

@johnpoz

No, I did not name my pfsense that, I was obscuring the unique ID it currently uses. I am using a netgate box, which came with a predefined name. I have not changed it, so I didn't want to be posting the ID openly.

I am interested, but not finding your posts to which you are referring. Do you have a link to one such post, so you don't need to repost the whole thing?

jimp

The ID on the initial GUI cert isn't anything secret, it's only randomized so that your browser sees a unique certificate subject. Firefox especially dislikes having multiple certificates with the same subject line. The randomness helps keep that from being a problem.

johnpoz

@CyberMinion said in TLS certificate--can I make a fake CA?:

, so you don't need to repost the whole thing?

I don't think the images would of survived the forum update... I will put one together in the morning.. Only take a couple of minutes.

johnpoz

Ok here you go..

So create a new CA.

login-to-view

Download the CA cert to your machine.
login-to-view

Now create new CERT using that CA.
Give it a desc name, pick your new CA, put in the common name for your pfsense box, ie its fqdn you use to access it.. Mine is sg4860.local.lan Any other optional stuff you want to fill out.
Make sure you change it to server cert vs user cert
And SAN (alternate names) for your pfsense box, or any other device your going to install this server cert on. Make sure you add the FQDN SAN.. Many browsers now require this not just the common name on the cert.
You can even put in your IP if you want to be able to hit the IP as trusted.

login-to-view

Install the newCA as trusted in your browser - this is firefox
login-to-view

Change pfsense gui to use the new cert signed by your newca
login-to-view

And there you go bing bang your trusting your pfsense gui, green and pretty.
login-to-view

And you can even use the the IP to get to it still trusted and green
login-to-view

Now your good for as long as you made the cert for - 10 years should be good ;)

Any questions just ask..

While its a lot of pics and looks like a lot of steps.. Its really only couple of mins tops!

Now your shiny new CA, can sign off on any boxes you want to put certs... Any browser that trusts your CA will trust any certs signed by your ca, IE, FireFox, Chrome, Opera, etc.. Even your mobile devices browsers can trust your CA.

This one time thing for any devices that devices under your control will access. But this sort of setup is not good for when the public are large groups of devices/browsers you do not control - or are not willing to trust your CA, etc. But since say the pfsense gui should only be accessed by "admins" of your firewall.. Say YOU only then this is simple solution that is one time thing and then good for years and years.

SwissSteph

@johnpoz

Hello johnpoz,

I'm bringing up this old but very topical subject.

Thank you for your explanations and screenshots. Thanks to that, I finally understand how a certificate works.

I have one question though.

I tried to do the same thing, taking the "CA" then creating a "CERT" for my "UCK_Gen2-Plus" using its IP address (192.168.1.49) ... but impossible to connect to it without the famous message

login-to-view

login-to-view

Do you have any ideas or tips on how to do this?

Thanks for your help

johnpoz

@SwissSteph I posted my instructions I use in the other thread where this came up. I don't have the unifi hardware, I just run it as a VM to run the controller. Its quite possible there is some other procedure on their little device to use a different cert.. You might want to get on their forums and docs for specific instructions for there uck..

I found these instructions on their forums - and seems the different method with just changing out the pems and not in a store..

https://community.ui.com/questions/How-to-replace-default-SSL-certificate-on-UCK-G2-with-UniFi-OS/7fc780b3-5585-45af-bbe2-ce8b4d712c84

I would be happy to help - but I don't have that device to play with..

SwissSteph

@johnpoz

Thank you for your reply, it's really nice of you to help us.

I'll try to search and find it. If I find a solution I'll come here and share it!

Thanks again

johnpoz

@SwissSteph happy to help, even when its not pfsense thing.. I can tell you the unifi controller needs a lot of work in some areas.. It only supports tls 1.2 which is crazy with tls 1.3 being out for like 5 years.. Changing the cert is horrible painful.. It should just be simple gui - can tell you the omada controller is just gui to change the cert, and supports tls 1.3

And another thing that bugs me is the AP themselves are using a very dated version of dropbear for ssh access.. It really should be updated..

Shoot even my really old printer allows for gui changing of the cert used to access its webgui..

login-to-view

SwissSteph

@johnpoz

I thought I'd made a "good choice" by buying "switches", "cameras" and "WiFi antennas" ... I see that they still have a lot of work to do, and I also wonder about the safety of their environment.

Right now, I don't have the money to change everything, and besides, it's working, so I can relax a bit, but I'm still really wondering.

Reliability (one camera broke down in less than 12 months), security (as you point out) and the slowness of reaction to simply implement an interface for what we're talking about.

I wanted to thank you again for all your help and advice, I really appreciated it.

johnpoz

@SwissSteph said in TLS certificate--can I make a fake CA?:

security (as you point out)

I was just pointing out things that bug me about what they work on.. It has been asked for years for easier way to update the ssl cert.. A self signed cert is really just as secure as signed one.. From a encryption point of view.. And tls 1.3 should of been deployed years ago - not like that hasn't been asked countless times on their forums as well..

I am not aware of any exploits to the ssh version they are running on the AP, and they should never be exposed to anyone/thing that would even attempt to exploit them in the first place via ssh. But they update the firmware on the AP all the time, how hard would it be to update dropbear to the current version? If they can not because of some limitation in specific AP hardware, etc. then why don't they state that - its been asked on their forums multiple times about updating it.

Never been a fan of their switches - I did get the little flexmini switch to play with, which does work, and is tiny as hell, and love the it can be powered via poe.. It does have some use cases for sure, and the price is very reasonable.. Just not a fan of how they allow the user to manage and what feature set is on them..

I have been using their APs for many years, and to be honest they have been pretty rock solid.. I have never seen any real issues with their AP from a provide wifi point of view.. And one point I was tempted to start deploying their cameras - but still getting around to camera deployment.. I do want to put some up.. But prob wont be unifi, there are some much cheaper options for sure, with better/more features. I always just keep putting it off, tell myself I will do it in the spring when the attic isn't so hot to run the wires.. Then next thing I know its too hot up there and never ordered them, then I say oh in the fall - and next thing you know its snowing ;)

As to your adoption - are all your devices on the same L2 network as the controller.. If you have any sort of network segmentation and they are not on the same L2 network you do have to do some extra work with L3 adoption, etc.

I would still recommend certain APs of theirs - but not a fan of the cost of some of their new ones that are wifi 6, but only have gig interfaces.. Why they didn't just go with a 2.5ge interface is crazy - you have to get a very expensive enterprise model to get 2.5ge interface on them.. Wifi 7 is just around the corner, so unless my APs die I prob won't be updating them until then.. And if one of mine did die, I have flexHD AP just sitting on my self that I could leverage until figure out what I want to move to.. It might be the omada line - the price on their wifi 6 ap with 2.5ge interface is very reasonable..

SwissSteph

@johnpoz

Hello,

Thank you for these complete explanations, which reassure me a little :-)

I don't have Wifi 6, only Wifi 5 with their antenna. I've had problems adopting my cameras when everything was on the same network.

Once seen and once not, mainly when I received a new one from them because mine was broken under warranty. I'm not ruling out the possibility of inexperience on my part, which could have caused me to make a mistake, but I still doubt it.

But now that I've (thanks to this forum and the help you've given us) set up a VLAN for my cameras, it seems to be working.

To sum up, on the whole I'm managing, it's just that I'm not really confident any more since my camera (7-8 months of use and fixed warm inside) suddenly refused to work.

johnpoz

@SwissSteph said in TLS certificate--can I make a fake CA?:

suddenly refused to work.

Things die, all things die.. Maybe you just unlucky - since it was less than a year, should be able to get warranty replacement.. When it sucks is when something dies a few days out of warranty..

edit:
Just looked my APs are from 2016, all 3 still going fine a uap-ac Pro, Lite and LR.. Knock on wood I just didn't jinx myself ;)

SwissSteph

@johnpoz

Yes, they replaced it for me, but it's very complicated to get the parcel sent to another country, customs problems at home, etc.
In the end, I was lucky (but also lost confidence) and got a new G3 Flex.