How to get certificate for local network - https

I am developing a web app using Spring Boot and React. I want to deploy it on a local server and make it accessible only through the local network, but I want to make it secure, so I need an SSL certificate to enable HTTPS. If I use a self-signed certificate then I get an error in the clients' browsers (not secure), because this certificate is not in their trust store. Is there any way to get a certificate for localhost? I think that Let's Encrypt doesn't give certificates for localhost.

Generate a self-signed root CA certificate.
Install your root CA on all client machines (as an enterprise root).
Sign a certificate with your root CA and install it on the web server.
This certificate will then be trusted.

Related

How to configure Windows to allow Golang app to trust CA of self-signed cert

I have a 3rd party development tool that was written in Golang. My company uses Netskope, which injects self-signed certificates into any SSL traffic from my machine so they can monitor all traffic for security purposes. The application is failing with the error "self signed certificate in certificate chain" when it tries to connect out to a site on the public internet, I assume because of these self-signed certificates in the chain.
I found some comments that say the logic for certificate verification on Windows can be found in https://go.dev/src/crypto/x509/root_windows.go, but I cannot find any documentation for Windows about this (only Linux). From looking at that code, my understanding is I need to have the CA certificate set up in the local machine store as a Trusted Root CA, but that isn't working for me. The screenshot here shows the CA certificates in my Local Machine trusted root CA store. I deploy to Linux containers, in JVM or other applications, to allow them to trust these self-signed certificates.
Am I doing something wrong in setting up the CA certs in my Certificate Store? Is there any documentation on this? Is there another way I can configure on Windows any Golang application running on my machine to trust the CA for these self-signed certificates? I see on Linux you can similarly add the CA to your store, or use environment variables SSL_CERT_FILE and SSL_CERT_DIR, and I've been able to do this for other Golang applications in Linux containers.

Make a certificate for testing purposes but NOT self signed

I want to have a certificate that has a different CA cert for it.
Reason? For self-signed certs, most browsers handle this as an invalid certificate. I know I can ignore those warnings but I just don't want to get them in the first place.
I tried googling how to create such a certificate but found so many sites where only a self signed certificate is created.
Therefore, how can such a certificate + CA certificate be generated and is there a better synonym for such a certificate pair?
If you need a certificate signed by a trusted CA there are two options:
You can get a free Let's Encrypt certificate.
This certificate will work everywhere, not only on your testing machine.
To get such a certificate you need to own (e.g. buy) some domain, so you can pass the certbot ownership challenge.
If you need to test a local server, you can get a certificate for a subdomain (e.g. local-test.example.com is a subdomain of example.com) and map that subdomain to 127.0.0.1 in /etc/hosts.
For the purpose of local testing, a certificate signed by a self-signed CA can be sufficient.
Google Chrome and most other applications will accept such a certificate after you install/trust your self-signed CA (some applications may require a restart).
There are some convenient tools written in Go and JS.
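The procedure in the accepted answer to the original question (generate a root CA, install it on the clients, sign the server certificate with it) and the "certificate signed by a self-signed CA" option in the answer just above are the same thing seen from two sides, and the Golang question further up asks what a Go client actually does with such a CA. The program below is an added example, not code from any of the posts or from any tool they mention; it uses only the Go standard library. It creates a root CA and a server certificate signed by it, then shows what a client sees before and after the CA is added to its trust store, once as an offline chain check and once as a real TLS handshake over loopback. The hostname app.internal.example and the CA name "Example Internal Root CA" are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const serverHost = "app.internal.example" // constructed hostname for this example

// issue builds a certificate from tmpl; with parent == nil it is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // a root CA is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newPKI does steps 1 and 3 of the answer: a self-signed root CA, then the web
// server's certificate signed by it. Clients match the host against the SAN
// extension, so the server's DNS name and IP go into DNSNames/IPAddresses.
func newPKI(host string) (ca, leaf *x509.Certificate, leafKey *ecdsa.PrivateKey, err error) {
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, leafKey, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return ca, leaf, leafKey, err
}

// verifyChain is the offline check every client performs: chain leaf to a root
// in store (the client's installed CAs) and match host against the SAN.
func verifyChain(leaf *x509.Certificate, host string, store *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err
}

// handshake runs a TLS handshake over loopback TCP: the server presents leaf,
// the client trusts only store. It returns the client's handshake error.
func handshake(leaf *x509.Certificate, key *ecdsa.PrivateKey, store *x509.CertPool) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}}}
	go func() {
		if conn, err := ln.Accept(); err == nil {
			srv := tls.Server(conn, srvCfg)
			_ = srv.Handshake() // fails when the client rejects the chain, which is the point
			srv.Close()
		}
	}()
	// ServerName makes the client check the DNS SAN instead of the dialled IP.
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: store, ServerName: serverHost})
	if err != nil {
		return err
	}
	return cli.Close()
}

func main() {
	ca, leaf, leafKey, err := newPKI(serverHost)
	if err != nil {
		panic(err)
	}
	installed := x509.NewCertPool() // step 2 on a client: the root CA is in its trust store
	installed.AddCert(ca)
	fmt.Println("CA not installed:", verifyChain(leaf, serverHost, x509.NewCertPool()), "|", handshake(leaf, leafKey, x509.NewCertPool()))
	fmt.Println("CA installed:    ", verifyChain(leaf, serverHost, installed), "|", handshake(leaf, leafKey, installed))
}
```

Run with `go run`: the "CA not installed" line reports `x509: certificate signed by unknown authority` from both the offline check and the handshake, which is the same chain-validation failure a browser shows as "not secure"; the "CA installed" line reports no error. For a real deployment, `ca.Raw` would be written out as PEM and distributed to the clients (via GPO, the phone's CA settings, or `SSL_CERT_FILE`, which Go's x509 package honours on Linux), and the CA's private key would stay off the web server, since anything holding it can issue certificates every client trusts.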

Does OkHttp trust personal CAs?

I am trying to connect to my webserver with Android apps which are using okhttp. The webserver is using an SSL certificate signed by my own personal CA. The CA is added to the phone/tablet, but I get the following error:
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
The server contains the complete certificate chain. Should this work in principle? Does okhttp trust added personal CAs?
The https connection works without problems in the browser and other apps not using okhttp.

Git-For-Windows not reading my self-signed SSL certificate

I deploy my CA cert via GPO into Trusted Root Certification Authorities, which I can see is deployed to my client machines. I know this part is working as Chrome no longer moans when browsing to sites using my signed SSL certs.
However, when I try to git clone or push to any repositories behind an SSL cert signed by this CA, git-for-windows balks and says this:
schannel: next InitializeSecurityContext failed: Unknown error
(0x80092012) - The revocation function was unable to check revocation
for the certificate.
As you can see, I've got schannel enabled, but git-for-windows is clearly not reading my CA cert from the Certificate Store in Windows. Anyone know how I make gfw read from the Certificate Store in Windows? I can't manually copy this cert onto all my Windows clients; that'd take forever.
Perhaps worth noting I'm using multiple Samba 4 instances as Domain Controllers, but I don't have access to Windows Server tools such as AD Certificate Services.
NB: I know I can disable TLS verification, but that surely defeats the purpose.

Firefox disconnects websockets connection for a self signed certificate

I am trying to make a websocket connection to a backend server that uses a self-signed certificate. In Firefox I've added an exception for the self-signed cert.
However, my websocket connection over wss:// fails to connect. I get a close event with code 1006, which is a catch-all code.
Chrome and IE websockets work. Since I am using Windows, I've installed the cert using certmgr.exe as a trusted cert.
My guess right now is that Firefox websockets do not work with certificate exceptions and the certificate needs to be trusted.
Has this scenario worked for anyone else?
Just in case it could help anyone, what is mentioned in the OP's answer is not true at the time of writing (v61.0.1).
I navigated to the address of my WS server using https, as any WS server is practically an HTTP server, then the usual invalid certificate screen appeared and allowed me to add an exception. After that any wss connection made to the same host and port is successful.
Firefox works with secure websockets (wss://) only when the certificate of the site is trusted.
With a self-signed certificate I was able to browse the site by adding an exception for the certificate. The exception is not used for websockets and the connection was dropped during the SSL handshake.
Instead I created my own Root CA cert and then another cert for the webserver signed by it. In Options > View Certificates > Authorities I imported the Root cert. Now Firefox is able to connect over secure websockets without any issue.
Firefox does not allow for importing of self-signed certs as Authorities. Windows Certificate manager allows importing of self signed certs into the "Trusted Root Certificate Authorities" list.