{"id":1094,"date":"2014-08-30T19:39:10","date_gmt":"2014-08-31T00:39:10","guid":{"rendered":"http:\/\/www.nathanhunstad.com\/blog\/?p=1094"},"modified":"2014-08-30T19:41:53","modified_gmt":"2014-08-31T00:41:53","slug":"setting-up-a-pki","status":"publish","type":"post","link":"http:\/\/www.nathanhunstad.com\/blog\/2014\/08\/setting-up-a-pki\/","title":{"rendered":"Setting up a PKI"},"content":{"rendered":"<p>Since <a href=\"http:\/\/www.nathanhunstad.com\/blog\/2014\/08\/adventures-in-networking-setting-up-a-home-network-with-edgeos\/\" target=\"_blank\">setting up my home network<\/a>, I\u2019ve been playing around with pieces of it. Today, when I was logging into the web interface of my EdgeLite Router, I noticed that dreaded red X through the https in Chrome, because Chrome didn\u2019t trust the default self-signed certificate that came with the router. Why not replace that default cert with one I\u2019ve signed myself, and import my signing cert as a trust certificate, thought I? So that\u2019s what I did today.<\/p>\n<p><!--more--><\/p>\n<p>To replace the certificate on an EdgeLite Router, I stumbled upon <a href=\"http:\/\/community.ubnt.com\/t5\/EdgeMAX\/Custom-SSL-Certificates\/td-p\/405628\" target=\"_blank\">this website<\/a>, which makes it sound pretty easy: replace the <span style=\"font-family: 'Courier New';\">\/etc\/lighttpd\/server.pem<\/span> file with a certificate file I\u2019ve generated myself. Of course, replacing it with a new self-signed cert wouldn\u2019t accomplish much, since I wanted to set up my own CA, so I had to back up a few steps, and start with creating a root certificate.<\/p>\n<p>To set up my root certificate, I followed <a href=\"http:\/\/blog.didierstevens.com\/2008\/12\/30\/howto-make-your-own-cert-with-openssl\/\" target=\"_blank\">this great tutorial<\/a> by Didier Stevens. First, I created a new root CA certificate. Then, I created an intermediate certificate that was signed by that CA. Why? 
In case the intermediate (signing) key was ever compromised, I could revoke that cert without having to revoke the root cert; the intermediate key is the one used day to day, so it is the one more likely to be exposed. Finally, I created a new cert for my router, signed by that intermediate certificate. I also exported that intermediate certificate in PKCS12 format for importing into my Windows certificate manager. (A PKCS12 file is only needed when a private key has to travel with the certificate; for a trust-store import the bare certificate is enough, and the intermediate\u2019s private key should never leave the signing machine.) Simple, no?<\/p>\n<p>Unfortunately, it was not as simple as I hoped. When I did all of that, I still got the dreaded red X from Chrome. It turns out that my intermediate certificate was flagged as not allowed to sign other certificates, and thus the certificate chain was invalid. After some Googling, I <a href=\"http:\/\/openssl.6102.n7.nabble.com\/Question-about-exporting-user-certificate-files-to-pfx-td42371.html\" target=\"_blank\">found a lead<\/a>: apparently, my intermediate certificate was an X509v1 cert, which is not trusted for signing other certs. An X509v1 certificate has no extensions field at all, so it cannot carry the basicConstraints CA flag that validators require of every issuing certificate in a chain. The solution is to create an X509v3 certificate with the right attributes, which can be used to sign other certificates. This is done by creating an extfile with the proper data and passing it to <span style=\"font-family: 'Courier New';\">openssl x509<\/span> with <span style=\"font-family: 'Courier New';\">-extfile<\/span> when signing, which I dutifully did. I signed the router certificate again and\u2026no dice.<\/p>\n<p>It turns out I had followed that last website too well: I had included in my extfile the line <span style=\"font-family: 'Courier New';\">basicConstraints=CA:FALSE<\/span>, which explicitly marks the intermediate certificate as not a CA and so forbids it from signing other certs. Changing that to <span style=\"font-family: 'Courier New';\">TRUE<\/span> (ideally <span style=\"font-family: 'Courier New';\">CA:TRUE,pathlen:0<\/span>, so the intermediate can issue end-entity certs but not further CAs), re-signing the router certificate, and re-exporting the chain in PKCS12 format finally led me to success. Sort of.<\/p>\n<p>In the end, Chrome still did not get rid of that red X. Although it did say that the certificate chain was valid and the site\u2019s identity had been validated by myself, the lack of a public audit trail left that red X in place. Short of getting a cert signed by a public CA, that error isn\u2019t going anywhere, so this is good enough. 
Incidentally, IE has no problem with my cert; Firefox flat-out refuses it, saying it can\u2019t validate the trust chain. (Firefox keeps its own certificate store rather than using the Windows one, so a root imported only into the Windows certificate manager does nothing for it; the root has to be imported into Firefox separately.)<\/p>\n<p>This PKI setup will suffice for my internal websites, but it certainly is no substitute for a public chain of trust. Since I\u2019ve created my own root CA certificate, protecting its private key is a must: so far all I\u2019ve done is <span style=\"font-family: 'Courier New';\">chmod 000<\/span> on those files so only <span style=\"font-family: 'Courier New';\">root<\/span> can access them (root bypasses permission bits, so the files are unreadable to everyone else but still sit on a network-connected host); obviously, in a production environment, you want to protect that root key tighter than Fort Knox: keep it offline and use it only to sign intermediates, since the intermediate key is the one that has to be reachable for day-to-day signing. It\u2019s a good learning experience, though, and from here on out I\u2019ll have the joy of maintaining my own internal PKI.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since setting up my home network, I\u2019ve been playing around with pieces of it. Today, when I was logging into the web interface of my EdgeLite Router, I noticed that dreaded red X through the https in Chrome, because Chrome didn\u2019t trust the default self-signed certificate that came with the router. 
Why not replace that&hellip; <a class=\"more-link\" href=\"http:\/\/www.nathanhunstad.com\/blog\/2014\/08\/setting-up-a-pki\/\">Continue reading <span class=\"screen-reader-text\">Setting up a PKI<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[19],"tags":[260,251,259],"class_list":["post-1094","post","type-post","status-publish","format-standard","hentry","category-tech-2","tag-certificates","tag-edgeos","tag-pki","entry"],"aioseo_notices":[],"_links":{"self":[{"href":"http:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/1094","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/comments?post=1094"}],"version-history":[{"count":2,"href":"http:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/1094\/revisions"}],"predecessor-version":[{"id":1097,"href":"http:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/1094\/revisions\/1097"}],"wp:attachment":[{"href":"http:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/media?parent=1094"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/categories?post=1094"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/tags?post=1094"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true
}]}}
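The procedure the post walks through (root CA, intermediate signed by the root, router certificate signed by the intermediate) as an added OpenSSL shell script; this is example code written for this page, not the author's own commands or Didier Stevens' tutorial. It deliberately signs the intermediate twice, once with the `basicConstraints=CA:FALSE` mistake described above and once with `CA:TRUE,pathlen:0`, and then runs the same chain check a browser makes (`openssl verify` trusting only the root and receiving the intermediate as an untrusted extra) so the failure and the fix are visible side by side. The CA names, the hostname `router.home.example`, the address `192.168.1.1`, the lifetimes, the scratch directory and the assumption that the router's lighttpd `ssl.pemfile` wants the private key and certificate concatenated in one file are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a two-tier PKI (root -> intermediate
# -> router cert) built with OpenSSL, reproducing the basicConstraints mistake the
# post describes and checking the chain with `openssl verify`.
# Assumptions (constructed for this example): CA names, hostname
# router.home.example, IP 192.168.1.1, lifetimes, and a scratch directory.
set -eu

build_pki() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/pki.XXXXXX")
    cd "$dir"

    # Minimal req config: with -subj on the command line the [dn] section is not
    # used, but openssl req still wants it to exist. v3_root gives the root the
    # CA flag and key usage a self-signed trust anchor needs.
    cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_root
[dn]
commonName = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

    # Root CA: self-signed. In a real deployment this key stays offline.
    openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -sha256 \
        -keyout root.key -out root.crt -days 3650 -subj "/CN=Home Root CA" >/dev/null 2>&1

    # Intermediate CSR. The CA bit is decided by the extfile used at signing
    # time, not by anything in the CSR.
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
        -keyout int.key -out int.csr -subj "/CN=Home Intermediate CA" >/dev/null 2>&1

    # The mistake from the post: CA:FALSE on the intermediate. OpenSSL signs it
    # without complaint, but no validator accepts certificates issued under it.
    cat > int-bad.ext <<'EOF'
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    # The fix: CA:TRUE, with pathlen:0 so this intermediate cannot mint further CAs.
    cat > int-good.ext <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    for v in bad good; do
        openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
            -days 1825 -sha256 -extfile "int-$v.ext" -out "int-$v.crt" >/dev/null 2>&1
    done

    # Router (end-entity) certificate, issued once under each intermediate.
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
        -keyout router.key -out router.csr -subj "/CN=router.home.example" >/dev/null 2>&1
    cat > router.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:router.home.example,IP:192.168.1.1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    for v in bad good; do
        openssl x509 -req -in router.csr -CA "int-$v.crt" -CAkey int.key -CAcreateserial \
            -days 825 -sha256 -extfile router.ext -out "router-$v.crt" >/dev/null 2>&1
    done

    # Private keys are the secret part; the certificates are public.
    chmod 600 root.key int.key router.key

    # What lighttpd's ssl.pemfile expects: private key and certificate in one file
    # (assumption about the router's lighttpd layout, not verified on EdgeOS).
    cat router.key router-good.crt > server.pem
    echo "$dir"
}

# The chain check a browser makes: trust only the root, take the intermediate as
# an untrusted extra (served by the site or found in a store). Returns openssl's
# exit status, non-zero when the chain does not validate.
verify_chain() {  # $1 = pki dir, $2 = bad|good
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int-$2.crt" "$1/router-$2.crt"
}

# True when the certificate carries the CA flag (a v1 cert has no extensions at all).
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

if [ "${1:-}" = "demo" ]; then
    d=$(build_pki)
    verify_chain "$d" bad || echo "chain under the CA:FALSE intermediate rejected, as expected"
    verify_chain "$d" good
fi
```

Run it as `sh pki.sh demo`: the first `verify_chain` reports `invalid CA certificate` at depth 1 (the CA:FALSE intermediate) and the second prints `OK`. The `pathlen:0` on the good intermediate is the extra step worth keeping: it lets the intermediate issue server certificates but not further CAs, so a leaked intermediate key cannot be used to grow the hierarchy. For the Windows trust store only `root.crt` needs importing; nothing in this layout requires a PKCS12 file unless a private key has to be moved.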