Use SSL in local networks

From SweepMe! Wiki

SSL is commonly used to provide encryption and server authentication in the HTTPS protocol by obtaining a certificate from a trusted Certificate Authority. SweepMe! supports SSL-secured connections when provided with a certificate. However, no public Certificate Authority will issue a certificate for a local computer that is not reachable under a public domain name. This article describes how to set up SSL so that your browser does not display a warning that the connection is not trusted, provided that you administrate your own local network.

Requirements

  • Unencrypted HTTP connections have already been set up correctly and work properly
  • The computer running SweepMe! must be reachable from the network via a static IP address or a (local) domain name
  • You are an administrator on all computers that shall be part of the secured communication (only for the setup; afterwards every user can use the configured HTTPS connections)

Preparation

The creation and signing of the certificates will be done using OpenSSL. Binaries for Windows are offered by third parties and can be found in the OpenSSL wiki. Always make sure to use the latest version, which has fixed known security issues. After installation, verify that OpenSSL is working using the following command in PowerShell:

openssl version

This should print the installed version (which should be the latest available) and its release date.

Create your own Certificate Authority

As no public Certificate Authority (CA) will sign a certificate for a local domain, the first step is the creation of your own CA. This step is necessary only once for a whole network, and most larger organizations will already have such a certificate for their intranet. Create a key with the following command in PowerShell:

openssl genrsa -des3 -out CA_cert_confidential.key 2048

You will be asked to enter a passphrase; choose a very strong one. Next, create the certificate for your CA:

openssl req -x509 -new -nodes -key CA_cert_confidential.key -sha256 -days 825 -out CA_root.pem

You will need the passphrase of your CA key again and will be asked for some information about you or your organization. Enter a meaningful name for "Common Name" that clearly identifies the owner of this certificate.

Important: Keep your key in a safe place and do not share the passphrase. An attacker could use it to compromise and manipulate your whole internet traffic. Neither SweepMe! nor your users need access to the CA key or passphrase.

Create the SSL certificate for the server

For every computer that shall run an HTTPS Interface of SweepMe!, an SSL certificate needs to be created. During this process, you will need the domain name (host name) of your computer, which can be found with the following command:

[System.Net.Dns]::GetHostEntry([string]"localhost").HostName

Alternatively, if your computer has a static IP address, that can be used instead.

Key and Certificate Signing Request

Again, a private key needs to be created:

openssl genrsa -des3 -out server.key 2048

Again, you are asked to enter a passphrase. DO NOT REUSE the passphrase from your CA key under any circumstances. Never.

The certificate signing request can be created with the following command:

openssl req -new -key server.key -out server.csr

You will need to enter the passphrase of the server key and further information that shall be embedded in the certificate. The "Common Name" should be the domain name of the computer. The extra attributes (challenge password and optional company name) can be left empty.

Sign the server certificate

First, additional information to be embedded into the certificate has to be defined by creating a file server.ext with the following content:

authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = LabA
DNS.2 = localhost
IP.1 = 127.0.0.1

In the [alt_names] section, enter the domain name (in this example LabA was used). Further names can be defined as well, to also allow accessing the server via localhost or an IP address with this certificate. Finally, the signed server certificate is created with the following command:

openssl x509 -req -in server.csr -CA CA_root.pem -CAkey CA_cert_confidential.key -CAcreateserial -out server.crt -days 825 -sha256 -extfile server.ext

One last time, enter the passphrase of your CA key. Remember to keep CA_cert_confidential.key in a safe place not accessible to anyone else. The server.crt and server.key files (together with the passphrase of the server key) can now be used to configure SSL in SweepMe! (run as administrator). Do not place the server.crt and server.key files in a SweepMe! directory, as they might get deleted during an update; place them in a system directory instead.
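The whole procedure above, run end to end without interactive prompts and followed by the two checks a browser effectively performs (chain validity against CA_root.pem and the host name being present in subjectAltName). This is an added example, not SweepMe!'s own tooling; it assumes openssl is on PATH and a POSIX shell (e.g. Git Bash on Windows), and the passphrases, the host name LabA and the CA name are constructed placeholders.

```shell
#!/bin/sh
# Added example: the wiki's OpenSSL steps scripted, plus verification.
# Passphrases are passed on the command line only for this demo; for real
# use, enter them interactively as the article describes.
set -e

CA_PASS='change-me-ca-passphrase'      # placeholder, use a strong one
SRV_PASS='change-me-server-passphrase' # placeholder, must differ from CA_PASS
HOST='LabA'                            # host name of the SweepMe! computer

# The CA key stays with the administrator; only CA_root.pem goes to clients.
make_ca() {
  openssl genrsa -des3 -passout "pass:$CA_PASS" -out CA_cert_confidential.key 2048
  openssl req -x509 -new -key CA_cert_confidential.key -passin "pass:$CA_PASS" \
    -sha256 -days 825 -subj "/CN=Example Lab CA" -out CA_root.pem
}

# Server key, CSR, extension file with the SANs, and the CA-signed certificate.
make_server_cert() {
  openssl genrsa -des3 -passout "pass:$SRV_PASS" -out server.key 2048
  openssl req -new -key server.key -passin "pass:$SRV_PASS" \
    -subj "/CN=$HOST" -out server.csr
  cat > server.ext <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $HOST
DNS.2 = localhost
IP.1 = 127.0.0.1
EOF
  openssl x509 -req -in server.csr -CA CA_root.pem -CAkey CA_cert_confidential.key \
    -passin "pass:$CA_PASS" -CAcreateserial -out server.crt -days 825 -sha256 \
    -extfile server.ext
}

# Does server.crt chain to our CA? (exit status 0 = yes)
verify_chain() { openssl verify -CAfile CA_root.pem server.crt >/dev/null 2>&1; }
# Is the given DNS name listed in subjectAltName? (openssl 1.1.1+ for -ext)
has_san() { openssl x509 -in server.crt -noout -ext subjectAltName | grep -q "DNS:$1"; }

work=$(mktemp -d) && cd "$work"
make_ca
make_server_cert
verify_chain && has_san "$HOST" && echo "server.crt verified for $HOST in $work"
```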

Configure Browser/System to accept own CA

As the certificate has been created with a self-created CA, browsers do not trust the issuer by default. Therefore, the CA root certificate (CA_root.pem, which contains only the public key) needs to be imported on every computer that shall be able to establish a connection to the SweepMe! Interface. This procedure differs slightly depending on your browser, as some of them use the system certificate store and some bring their own list of trusted Certificate Authorities.

Importing the CA root certificate into the Windows certificate store (used e.g. by Edge and Chrome) can be achieved with the following steps:

  1. Open the run dialog by pressing ⊞ Win+R
  2. Enter certlm.msc (imports system-wide) or certmgr.msc (imports for current user only) and press ↵ Enter
  3. In the left panel, expand the "Trusted Root Certificate Authorities" folder
  4. Right-Click on the subfolder "Certificates" and choose "All tasks", and "Import..."
  5. Follow the Certificate Import Assistant and select the CA_root.pem file for import

In order for your imported root CA to become effective, a restart of your computer or your browser may be required.