I followed this series https://www.assono.de/blog/zweistufige-ca-infrastruktur-ein-server-zertifikat-erstellen to make my own CA, with my names, imported this to my Mac OS X 10.14.6 and made it trusted. Checked every step as in the description. Created a server certificate signed by the CA and created a web site with ISPConfig 3.2.6, and in the SSL tab copied the certificate and the chain to the corresponding fields, everything from ---begin... to ----end..., and saved after selecting the save option from the drop-down. It's described here too: https://www.namecheap.com/support/knowledgebase/article.aspx/10153/14/generating-a-csr-on-ispconfig/. When I try to open my site with https: (with Chrome or Safari) I get connection errors, http works. I also tried a certificate made by ISPConfig on a second site, same problem. Can anybody help me? Thanks, Rainer. The error message: "Diese Website kann keine sichere Verbindung bereitstellen. test.muekno.de hat eine ungültige Antwort gesendet. ERR_SSL_PROTOCOL_ERROR"
In the meantime I tried another solution https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/ that works better. I can go to the web site but I still get the warning. Exploring the certificate I see my root, marked as trusted by my Mac, and below it the server certificate. From that everything looks good. But there must be a possibility to get a trusted certificate for an internal server from an own root CA that works without browser warnings. Rainer
I think the browser warning will always be there in your case of an own root CA, and I think there is no other possibility except for you to accept and save it.
According to the first, the assono solution, and to others there must be a solution. In a lot of cases, big companies, universities etc., there will be intranet web servers and other things with which you will communicate via https for security reasons. But the devices should not be reachable over the internet, so there is no possibility to get a Let's Encrypt certificate, and it is not economical to buy certificates from someone providing a trusted CA. In these cases normally a private CA is created, and the certs are provided to be downloaded by the users to be imported into their browsers, OS etc. So if anyone here has a working solution please let me know; a link, tip etc. will be appreciated. Rainer
The only free solution I know is LE, but for that the device(s) must be connected to the internet, though they do not necessarily have to use the http challenge to obtain SSL certs, as the dns challenge is also available to do the same and more, including wildcard SSL certs. The other way may be the use of a proxy, with or without the combination of the dns challenge, but my knowledge and experience with proxies is very limited, especially in terms of using one to obtain LE SSL certs.
Partial success. I followed https://gist.github.com/Soarez/9688998, created a CA and a wildcard cert and a chain for my domain, entered the key, cert and chain in the test website created with ISPConfig, installed Firefox as it has its own CA store, and added the created CA and made it trusted. Called the test website with https, it opened without any warning; looked at the certificate, the CA was marked OK and trusted, the wildcard certificate too. Then I converted the PEM-formatted CA cert to pfx (OS X needs this), imported it in the keychain and marked it trusted. Then I opened the website with Safari, everything OK, it opens without a warning; examining the certs, the root cert is marked OK and trusted, the wildcard cert is marked trusted. Added the key, cert and chain to my other internal websites, can open them without any warning from Firefox and Safari. But if I try to open any of them with Chrome (Chrome uses the OS X keychain as well, as far as I know) it gives me a warning until I get to the website. And it shows me an "insecure". But if I examine the cert in Chrome it tells me the CA is valid and trusted and the wildcard cert is valid. What the heck is going wrong there? Thanks for any hint. Rainer
I came across this YouTube video recently and I think what you are trying to achieve is mentioned in there. The only gotcha that I can see is your networks must go under the same pfSense, meaning that they are managed and accessed locally, not externally.
Finally found a working solution at https://gist.github.com/Soarez/9688998 but used the modified version from the comment "MacCliF commented on 10 May 2020". You just have to enter your data. You only need to do this for the CA part. To simplify creating server certs I created the following script. Important: I used .cnf instead of .conf as the extension, so you should recognize it in the CA part. Once the CA is created you must import it into your host OS and make it trusted for browsers like Safari or Chrome etc., and into the browser itself for Firefox etc. If you have OS X you have to convert it to .pfx

Code:
openssl pkcs12 -in your_name-ca.crt -export -nokeys -out your_name-ca.pfx

Here is the script

Code:
#! /bin/bash
# Script to generate SSL certificates signed by a private CA.
# We need this to avoid browser warnings when accessing intranet
# websites via SSL.
# This is based on https://gist.github.com/Soarez/9688998
# and the comment "MacCliF commented on 10 May 2020",
# who condensed the base tutorial to the necessary steps and
# added .cnf files to make everything easier.
# As the CA has to be created only once I did not make an extra script
# to create the CA; refer to the referenced article for that.

# first we need to get all information
echo -e "\033[1m"
echo -e "\033[31mYou are about to generate a new server certificate,"
echo -e "is that what you want? continue (y/N) \033[0m"
read ok
if [ "$ok" != "y" ] ; then
    echo -e "\033[31mleaving script!\033[0m"
    exit 1
fi
echo -e "\033[1mYou will be asked for all needed information\033[0m"
echo -e "\033[1mEnter Servername: [test]\033[0m"
read server_name
echo -e "\033[1mEnter Domain: [example]\033[0m"
read domain_name
echo -e "\033[1mEnter TLD: [org]\033[0m"
read tld_name

# check whether a certificate for this name already exists
base_name="${server_name}_${domain_name}_${tld_name}"
if test -f "$base_name.crt" ; then
    echo -e "\033[31m Certificate for $server_name.$domain_name.$tld_name exists\033[0m"
    echo -e "\033[31m leaving script\033[0m"
    exit 1
fi

echo ""
echo "Filenames created will be"
key_filename="$base_name.key";           echo "$key_filename"
csr_filename="$base_name.csr";           echo "$csr_filename"
crt_filename="$base_name.crt";           echo "$crt_filename"
req_filename="req.$base_name.cnf";       echo "$req_filename"
bundle_filename="$base_name.bundle.crt"; echo "$bundle_filename"
host_name="$server_name.$domain_name.$tld_name"
echo -e "your full server name is:\033[32m"
echo "$host_name"
echo -e "\033[0m"
echo "correct? [y/N]"
read ok
if [ "$ok" != "y" ] ; then
    echo -e "\033[31mleaving script!\033[0m"
    exit 1
fi
echo -e "\033[31mcontinue creating certificate\033[0m"

# write the OpenSSL request config; the CN and the SAN entry both carry
# the full host name, which is what the browsers check
cat > "./$req_filename" <<EOF
[ req ]
default_bits = 2048
default_keyfile = $key_filename
encrypt_key = no
default_md = sha256
prompt = no
utf8 = yes
distinguished_name = my_req_distinguished_name
[ my_req_distinguished_name ]
C=DE
ST=Bayern
L=Rednitzhembach
O=IB Mueller-Knoche
OU=IT
CN=$host_name
[ my_extensions ]
keyUsage=critical, digitalSignature, keyEncipherment
basicConstraints=critical,CA:FALSE
extendedKeyUsage=critical,serverAuth
subjectAltName=@my_subject_alt_names
subjectKeyIdentifier = hash
[ my_subject_alt_names ]
DNS.1 = $host_name
EOF

echo "create CSR file"
openssl req -new -out "$csr_filename" -config "$req_filename"
echo "create CRT file"
openssl ca -config sign.ca.cnf -extfile "$req_filename" -extensions my_extensions -out "$crt_filename" -infiles "$csr_filename"
echo "create bundle"
cat "$crt_filename" mueller-knoche-ca.crt > "$bundle_filename"

I tested this with certificates for different domains. That means the CA works for any domain. All you have to do is enter the SSL key, the SSL crt and the SSL bundle in the fields on the SSL tab in ISPConfig, select "save certificate" in the drop-down box and click Save. Hope this will be useful to somebody. Rainer
Securing an intranet ISPConfig panel. Create a certificate with the above method. Replace the content of ispserver.key in /usr/local/ispconfig/interface/ssl/ with the content of the created private key, and the content of the cert in /etc/ssl/certs/ that the link /usr/local/ispconfig/interface/ssl/ispserver.crt points to with your newly created cert. Restart Apache and close and reopen the panel. You will see a trusted site. Hope it will be useful for someone. Rainer
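The two posts above (the certificate script and the panel cert swap) leave out the checks that catch the usual failures: a leaf certificate without a subjectAltName, a chain that does not actually end at the imported root, and a key/cert pair that does not belong together. The script below is an added example written for this thread, not Rainer's script and not ISPConfig code. It assumes OpenSSL 1.1.1 or newer on PATH; every file name, DN value and host name in it is constructed for the demo, and it signs with "openssl x509 -req" instead of the "openssl ca" used in the thread so that no CA database (index.txt, serial) is needed.

```shell
#!/bin/sh
# Added example (not the thread's script): build a private root CA, sign a
# server certificate that carries a subjectAltName, bundle it, and run the
# checks a practitioner wants before installing it in ISPConfig.
# Assumptions: openssl 1.1.1+ on PATH; all names below are constructed.
set -eu

# make_ca DIR NAME: self-signed root with CA:TRUE and keyCertSign, which
# browsers require before they will trust anything it signs.
make_ca() {
    dir="$1"; name="$2"
    cat > "$dir/ca.cnf" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
C  = DE
O  = Example Intranet
CN = $name
[ ca_ext ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -nodes -days 3650 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# make_server_cert DIR HOST [ALT_HOST...]: key, CSR, CA-signed leaf and the
# leaf+root bundle. Every name goes into subjectAltName; Chrome ignores the
# CN entirely, a common cause of "the CA is valid but I still get a warning".
make_server_cert() {
    dir="$1"; host="$2"; shift 2
    sans="DNS:$host"
    for alt in "$@"; do sans="$sans,DNS:$alt"; done
    cat > "$dir/$host.cnf" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
[ dn ]
C  = DE
O  = Example Intranet
CN = $host
[ server_ext ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = $sans
EOF
    openssl req -new -nodes -config "$dir/$host.cnf" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -sha256 \
        -extfile "$dir/$host.cnf" -extensions server_ext \
        -out "$dir/$host.crt" 2>/dev/null
    cat "$dir/$host.crt" "$dir/ca.crt" > "$dir/$host.bundle.crt"
}

# verify_chain CA_CRT LEAF_CRT HOST: 0 if the leaf chains to CA_CRT and HOST
# is listed in its subjectAltName, which is what a browser checks once the
# root has been imported into its trust store.
verify_chain() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1 \
        && openssl x509 -in "$2" -noout -text | grep -q "DNS:$3"
}

# trusted_without_root LEAF_CRT: 0 only if the leaf validates against an
# empty trust store. Expected to fail: that is why the root must be imported.
trusted_without_root() {
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}

# key_matches_cert KEY CRT: 0 if the public key inside CRT belongs to KEY.
# Run this before overwriting ispserver.key / ispserver.crt; Apache refuses
# to start the SSL vhost when the pair does not match.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Demo run on constructed names.
demo() {
    d=$(mktemp -d)
    make_ca "$d" "Example Intranet Root CA"
    make_server_cert "$d" test.example.org www.example.org
    verify_chain "$d/ca.crt" "$d/test.example.org.crt" www.example.org \
        && echo "chain and SAN ok for www.example.org"
    trusted_without_root "$d/test.example.org.crt" \
        || echo "not trusted without the root, as expected"
    key_matches_cert "$d/test.example.org.key" "$d/test.example.org.crt" \
        && echo "key and cert match"
    rm -rf "$d"
}
demo
```

The three check functions are the useful part: run verify_chain against the bundle's root with the exact host name you type into the browser, and key_matches_cert against the two files you are about to copy into /usr/local/ispconfig/interface/ssl/; if either fails, the browser warning is not a trust-store problem.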