Tool to manage your own Certificate Authority

RMerlin

Asuswrt-Merlin dev
We discussed it a few months ago in another thread on how we needed a simple way for people to be able to generate their own SSL certificates so they could start better protecting their internal devices. Eventually I had found that tool, but lacked time to start diving into it. I only recently remembered it was sitting on my system, and started looking into it these past few days.

https://hohnstaedt.de/xca/index.php

This tool provides you with a GUI for all of your keys and certificate management needs. You can (relatively) easily use it to create your own Certificate Authority, and sign your own certificates with it. All you have to do is import your own CA root certificate on your computers at home, and then start emitting certificates for all your internal devices that support them (like most NAS, and Asus routers for instance). The beauty of it is that once you import that root certificate, any certificate you sign with it will be recognized as trustworthy by your browsers. No more security alerts. My own Asus RT-AC88U for instance now looks like this in Chrome:

There's some learning curve involved however, especially if you're not familiar with how SSL certificates work. But tons of documentation on the web is available.

Ultimately, I believe the market still needs a simpler way to manage it, for SSL neophytes. But if you're willing to start learning, or if you're already quite familiar with them, XCA can be a great tool to easily secure your internal devices without having to constantly click to accept untrusted self-signed certificates.
 

daviworld

Regular Contributor
We discussed it a few months ago in another thread on how we needed a simple way for people to be able to generate their own SSL certificates so they could start better protecting their internal devices. Eventually I had found that tool, but lacked time to start diving into it. I only recently remembered it was sitting on my system, and started looking into it these past few days.

https://hohnstaedt.de/xca/index.php

This tool provides you with a GUI for all of your keys and certificate management needs. You can (relatively) easily use it to create your own Certificate Authority, and sign your own certificates with it. All you have to do is import your own CA root certificate on your computers at home, and then start emitting certificates for all your internal devices that support them (like most NAS, and Asus routers for instance). The beauty of it is that once you import that root certificate, any certificate you sign with it will be recognized as trustworthy by your browsers. No more security alerts. My own Asus RT-AC88U for instance now looks like this in Chrome:

There's some learning curve involved however, especially if you're not familiar with how SSL certificates work. But tons of documentation on the web is available.

Ultimately, I believe the market still needs a simpler way to manage it, for SSL neophytes. But if you're willing to start learning, or if you're already quite familiar with them, XCA can be a great tool to easily secure your internal devices without having to constantly click to accept untrusted self-signed certificates.
Sweet, I'll dive into this once I finish up the beta upgrade & smart connect rules. While the insecure error was a minor annoyance, glad to see a permanent fix in the form of a CA :)

I haven't looked at the docs yet, and didn't see it mentioned. But, does it come with TLS 1.2 instead of SSLv3?

Sent from my LG-H830 using Tapatalk
 

RMerlin

Asuswrt-Merlin dev
I haven't looked at the docs yet, and didn't see it mentioned. But, does it come with TLS 1.2 instead of SSLv3?
Certificate generation is unrelated to the protocol used by the client/servers.
 

HeMaN

Regular Contributor
I am using this at home for a few years now and still loving it.

Sent from my SM-G955F using Tapatalk
 

john9527

Part of the Furniture
Sounds like a great opportunity for someone to write up a basic 'how-to' guide tailored to generating the certs for a typical home setup :)
 

RMerlin

Asuswrt-Merlin dev
Sounds like a great opportunity for someone to write up a basic 'how-to' guide tailored to generating the certs for a typical home setup :)
Yes. They do have a starting point on their website (wish I had seen it before fiddling with it on my own). But there's potential for a well-written guide there. (@thiggins , too far from your usual field of expertise to have a shot at something like that for SNB?)
 

sfx2000

Part of the Furniture
There's some learning curve involved however, especially if you're not familiar with how SSL certificates work. But tons of documentation on the web is available.

Ultimately, I believe the market still need a simpler way to manage it, for SSL neophytes. But if you're willing to start learning, or if you're already quite familiar with them, XCA can be a great tool to easily secure your internal devices without having to constantly click to accept untrusted self-signed certificates.
Neat tool - there are command line options for generating keys and managing them, but they are a bit obtuse and the learning curve for those utilities is steep - XCA will make this easier for those new to key management and creating/maintaining a PKI. The XCA manual and tutorials go a long way to explain and teach new users (as well as experienced folks that have to manage keys).

One thing to point out - they're in need of translators to maintain several languages - Spanish, Turkish, and Russian, and the author is open to someone that may want to contribute some time and effort to update and maintain those translations.
 

RMerlin

Asuswrt-Merlin dev
Neat tool - there are command line options for generating keys and managing them, but they are a bit obtuse and the learning curve for those utilities is steep
And even EasyRSA was only a minor step forward (I use EasyRSA to manage certs for my customers with OpenVPN servers). XCA got me to finally manage a CA and emit my own certificates for my LAN devices. Importing the CA certificate on two computers so all my certs can be trusted is a nice convenience (and it took care of some major issues I was having with my Asuswrt development setup).
 

sfx2000

Part of the Furniture
And even EasyRSA was only a minor step forward (I use EasyRSA to manage certs for my customers with OpenVPN servers). XCA got me to finally manage a CA and emit my own certificates for my LAN devices. Importing the CA certificate on two computers so all my certs can be trusted is a nice convenience (and it took care of some major issues I was having with my Asuswrt development setup).
Yep, I agree...

@thiggins - gentle nudge here for cert management - this is relevant for the SNB community...

XCA isn't a science project, they've been around for quite some time, and there is a lot of benefit here for small business folks...
 

RMerlin

Asuswrt-Merlin dev
Or I suppose someone else could write it, and resell it to Tim for publication - not sure how Tim handles article contributions.
 

Mokers

Regular Contributor
I have been able to get by using a standard wildcard certificate to secure most things. If only VMware would support wildcard certs in ESXi...
 

john9527

Part of the Furniture
Just thought I'd give this one a refresh....anybody?

I may end up giving it a try and stumbling my way through [email protected], any hints/gotchas you encountered that you remember?
 

HeMaN

Regular Contributor
I just had a look at the XCA website today and noticed there is a new version of the application (I was still on 1.40).
Think I will do the update to 2.01 this weekend.

I was planning to write something about the usage of XCA like requested, but noticed almost all I wanted to write about is already on the XCA site.
Did you have a look at his Step by Step guides? http://hohnstaedt.de/xca/index.php/documentation/stepbystep
 

RMerlin

Asuswrt-Merlin dev
Just thought I'd give this one a refresh....anybody?

I may end up giving it a try and stumbling my way through [email protected], any hints/gotchas you encountered that you remember?
Plan things ahead. Do a few experiments, then when confident delete everything and start anew.

I created a template for my home use, which makes it easier to issue certificates for all my devices.

I'd have to check my configs to remember the details, I'm not in front of my PC at the moment.


Sent from my P027 using Tapatalk
 

RMerlin

Asuswrt-Merlin dev
BTW thanks for the heads up about 2.0.1. I only monitor the SF site, and they are still at 1.4.1 there.
 

RMerlin

Asuswrt-Merlin dev
Just thought I'd give this one a refresh....anybody?

I may end up giving it a try and stumbling my way through [email protected], any hints/gotchas you encountered that you remember?
Prior knowledge of how SSL certs work definitely helps. My recommendation:

1) Decide what local domain you wish to use on your LAN if you don't already have one. myhome.lan, etc...
2) Decide if you want to create a different private key per certificate, or reuse the same key for each. The latter is obviously less secure, but if it's just to cover your LAN devices, might be simpler to have only one key. What I did here is create one key dedicated to my LAN devices (routers, NAS, etc...). Anything that requires more security, I create a unique key.
3) Create your CA
4) Create a template that you will use for your certs. The important fields to look for (that I can remember) are the X509 SAN (so you can have, for instance, 192.168.1.1, myrouter, and myrouter.myhome.lan all valid), and certificate type. Here for my template:


Also pay attention to the expiration date, both for the CA and your certs. Personally I went with 10 years.
 

john9527

Part of the Furniture
Well, this turned out to be pretty simple....just followed the step-by-step guide and Merlin's hints :) Used a common private key for all my local devices.

XCA db (screenshot)

And my CA loaded in Firefox (screenshot)

Only 'quirk' I ran into is that I had to repeat the Common name in the Subject Alternate Names for it to be recognized.
And, I had to make a couple of tweaks on my fork to make it easier to import the new cert.
 

RMerlin

Asuswrt-Merlin dev
Only 'quirk' I ran into is that I had to repeat the Common name in the Subject Alternate Names for it to be recognized.
This is actually normal. In fact, the CN attribute is being deprecated, in favor of the SAN attribute.

Also, IE has problems with the DNS field, so when specifying an IP, you'll want to specify it both as a DNS and an IP within the SAN attributes.
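As an added example (not code from the thread, nor from XCA), here is RMerlin's recipe above and the CN-versus-SAN point from the last two posts, done with Go's standard crypto/x509: a self-signed root, a device certificate whose SAN carries the IP, the short hostname and the FQDN, and the check a client performs once only the root has been imported. The CA name, the 192.168.1.1 / myrouter / myrouter.myhome.lan names and the 10-year validity are constructed to match the thread's suggestions; issuing the same certificate without a SAN shows why a CN-only certificate is no longer accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

func must(err error) { if err != nil { panic(err) } }
// makeCA: self-signed root as the thread suggests (CA=true, 10-year validity); the name is a constructed placeholder.
func makeCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "MyHome Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key); must(err)
	cert, err := x509.ParseCertificate(der); must(err)
	return cert, key
}

// issueDevice signs a server cert for one LAN device (constructed names: 192.168.1.1, myrouter,
// myrouter.myhome.lan). withSAN=false leaves only the CN, reproducing the "quirk" john9527 hit.
func issueDevice(ca *x509.Certificate, caKey *ecdsa.PrivateKey, withSAN bool) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "myrouter.myhome.lan"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN { // the SAN extension is what verifiers match; the CN alone is ignored
		tmpl.DNSNames = []string{"myrouter", "myrouter.myhome.lan"}
		tmpl.IPAddresses = []net.IP{net.ParseIP("192.168.1.1")}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey); must(err)
	cert, err := x509.ParseCertificate(der); must(err)
	return cert
}

// trustedFor asks what a browser asks once the root is imported: does cert chain to our CA and match host?
func trustedFor(ca, cert *x509.Certificate, host string) bool {
	pool := x509.NewCertPool(); pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host}); return err == nil
}
```

trustedFor accepts either a host name or an IP literal, so the same call covers all three SAN entries from the template.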
 
