Skip to content

HTTPS and SSL Certificates

Jump to bottom
Jean-Michel DECORET edited this page Sep 28, 2022 · 21 revisions

Introduction

Setting up https and securing exchanges rely on certificates.

To use HTTPS mode you need to provide a certificate.

There is many solutions:

  • Buy a certificate from a certificate authority
  • Use "Let's Encrypt" (provide certificate for free)
  • Generate your personal certificate (free)

Architecture

First Yadoms server uses a certificate which is signed/deliveed by a certificate authority.

flowchart TB
    subgraph Server
    CA-- signs -->SERVER_CERTIFICATE
    YadomsServer-. uses .->SERVER_CERTIFICATE
    end
Loading

When a client (web browser) connects to Yadoms, the server certificate is exchanged. Then the browser checks the certificate, verifying if the certificate authority is known. If the certificate is signed by a known certificate authority, then browser accepts connection. Else connection is not sure and browser does not allow access (or with red warnings)

flowchart TB
    subgraph client
    Browser-. connects .->YadomsServer-->SERVER_CERTIFICATE-. signed by .->CA
    Browser-. checks if CA is known on client side.->CA
    end
Loading

Generate a personal certificate

This chapter explains how to generate a full certificate chain.

As you will be your own Certificate Authority, you will have to deploy this authority certificate on each client which will access interface. If not deployed, then certificate will not be recognized as "a trust certificate" and browser will not allow access.

Generate your own certificate authority

This is a two-step process. First you set up your CA, and then you sign an end entity certificate (a.k.a server or user). Both of the two commands elide the two steps into one. And both assume you have a an OpenSSL configuration file already setup for both CAs and Server (end entity) certificates.

First, create a basic configuration file named "ca.conf".

Then, add the following to it:


HOME            = .
RANDFILE        = $ENV::HOME/.rnd

####################################################################
[ ca ]
default_ca    = CA_default      # The default ca section

[ CA_default ]

default_days     = 3650         # How long to certify for
default_crl_days = 3650         # How long before next CRL
default_md       = sha256       # Use public key default MD
preserve         = no           # Keep passed DN ordering

x509_extensions = ca_extensions # The extensions to add to the cert

email_in_dn     = no            # Don't concat the email in the DN
copy_extensions = copy          # Required to copy SANs from CSR to cert


base_dir      = .
certificate   = $base_dir/YadomsCA.crt   # The CA certifcate
private_key   = $base_dir/YadomsCA.key.pem    # The CA private key
new_certs_dir = $base_dir              # Location for new certs after signing
database      = $base_dir/index.txt    # Database index file
serial        = $base_dir/serial.txt   # The current serial number

unique_subject = no  # Set to 'no' to allow creation of
                     # several certificates with same subject.

####################################################################
[ req ]
default_bits       = 4096
default_keyfile    = YadomsCA.key.pem
distinguished_name = ca_distinguished_name
x509_extensions    = ca_extensions
string_mask        = utf8only

####################################################################
[ ca_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default = FR

stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Rhône-Alpes

localityName                = Locality Name (eg, city)
localityName_default        = Valence

organizationName            = Organization Name (eg, company)
organizationName_default    = Yadoms

organizationalUnitName         = Organizational Unit (eg, division)
organizationalUnitName_default = Yadoms

commonName         = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Yadoms CA

emailAddress         = Email Address
emailAddress_default = [email protected]

####################################################################
[ ca_extensions ]

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints       = critical, CA:true
keyUsage               = keyCertSign, cRLSign


####################################################################
[ signing_policy ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

####################################################################
[ signing_req ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment

The fields above are taken from a more complex openssl.cnf (you can find it in /usr/lib/openssl.cnf), but I think they are the essentials for creating the CA certificate and private key.

Tweak the fields above to suit your taste. The defaults save you the time from entering the same information while experimenting with configuration file and command options.

I omitted the CRL-relevant stuff, but your CA operations should have them. See openssl.cnf and the related crl_ext section.

Then, execute the following. The -nodes omits the password or passphrase so you can examine the certificate. It's a really bad idea to omit the password or passphrase.

openssl req -x509 -config ca.conf -newkey rsa:4096 -sha256 -nodes -out YadomsCA.crt -outform PEM -days 3650

It generates both files:

  • YadomsCA.crt : the certificate authority (self signed)
  • YadomsCA.key.pem : the private key of the certification

Generate Yadoms server certificate

For part two, I'm going to create another configuration file that's easily digestible. First, create the yadoms.conf


HOME            = .
RANDFILE        = $ENV::HOME/.rnd

####################################################################
[ req ]
default_bits       = 2048
default_keyfile    = Yadoms.key.pem
distinguished_name = server_distinguished_name
req_extensions     = server_req_extensions
string_mask        = utf8only

####################################################################
[ server_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default = FR

stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Rhône-Alpes Auvergne

localityName         = Locality Name (eg, city)
localityName_default = Valence

organizationName            = Organization Name (eg, company)
organizationName_default    = Yadoms

commonName           = Common Name (e.g. server FQDN or YOUR name)
commonName_default   = Yadoms Server

emailAddress         = Email Address
emailAddress_default = [email protected]

####################################################################
[ server_req_extensions ]

subjectKeyIdentifier = hash
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectAltName       = @alternate_names
nsComment            = "OpenSSL Generated Certificate"

####################################################################
[ alternate_names ]


[ alternate_names ]

DNS.1       = myServerAccessPoint.com
DNS.2       = www.myServerAccessPoint.com
DNS.3       = mail.myServerAccessPoint.com
DNS.4       = ftp.myServerAccessPoint.com

# Add these if you need them. But usually you don't want them or
#   need them in production. You may need them for development.
DNS.5       = localhost
DNS.6       = localhost.localdomain
DNS.7       = 127.0.0.1

# IPv6 localhost
DNS.8     = ::1


# IPv4 localhost
IP.1       = 127.0.0.1

# IPv6 localhost
IP.2     = ::1

If you are developing and need to use your workstation as a server, then you may need to do the following for Chrome. Otherwise Chrome may complain a Common Name is invalid (ERR_CERT_COMMON_NAME_INVALID). I'm not sure what the relationship is between an IP address in the SAN and a CN in this instance.

# IPv4 localhost
IP.1     = 127.0.0.1

# IPv6 localhost
IP.2     = ::1

Then, create the server certificate request. Be sure to omit -x509*. Adding -x509 will create a certificate, and not a request.

openssl req -config yadoms.conf -newkey rsa:2048 -sha256 -nodes -out yadoms.req.csr -outform PEM -days 3650

After this command executes, you will have a request in yadoms.req.csr and a private key in Yadoms.key.pem

The CSR file is a certificate signing request. This file is normally sent to real CertificateAuthroity in order to be signed.

Next, you have to sign it with your CA.

Create two text files

  • index.txt (empty)
  • serial.txt containing a serial numer (digit only). example : 12345678

And sign request

 openssl ca -config ca.conf -policy signing_policy -extensions signing_req -out Yadoms.crt -infiles yadoms.req.csr

In the end you have two files:

  • Yadoms.crt : the certificate signed by your YadomsCA
  • Yadoms.key.pem : the certificate private key

Those files are needed to server configuration in order to setup HTTPS.

Deploy Certificate Authority

The only remainging thing which remains is to deploy the certificate authority on the server and also on every "client" devices.

Under Windows OS, just double clic on YadomsCA.crt and install it to "Root certificate authorities".

Yadoms Yadoms -- The ultimate house automation solution

Clone this wiki locally