Trusting the Certificate Authority of ClearOS in Servers and Workstations
This guide steps you through the process of setting up your workstation to trust the Certificate Authority (CA) of the ClearOS server for certificates. This is important so that you are not prompted to trust an untrusted certificate every time you connect. Moreover, it is important because if you get in the habit of clicking through failed certificate validations, you might get duped into accepting a false one by a clever attacker.
Windows 7
Log into ClearOS' Webconfig as the user. Navigate to the User Certificates page. Next to the 'Certificate Authority' entry, click
Open your Downloads folder (or the location that you saved the file) and rename the file from ca-cert.crt to ca-cert.cer. This will change the icon for the file.
Open Certificate Manager by clicking the Start button. Type certmgr.msc in the Search box and then press
This will start the import wizard where you will add your downloaded certificate to be trusted. When you get to the 'File to Import' section, browse to the location that you downloaded and renamed your certificate.
Double-click the ca-cert.cer file and click
It will then state that it is ready to finish with similar information as you see here. Click
And just in case you thought that the word 'finish' meant finish, Windows 7 will prompt you one more time just to make sure you really, really want to do what you just told it to do. Review the information and click
AD and Group Policy
Ok, so that works splendidly but let's suppose you have 120 workstations that all need to have this happen. Well, if you have Active Directory on hand, you can roll this change out to everyone on the domain.
First, repeat the steps for Windows 7, including downloading the .crt file and renaming it to .cer.
Now I'm going to blatantly plagiarize here but he's quoted and cited at the end, so here we go:
Import .cer to Group Policy
“Now we are going to use Group Policy to make this certificate authority a trusted CA throughout the domain. Open up the Group Policy Management MMC in the Administration Tools menu. I don’t know what your GPO settings are like, so for this example let's just set this up in the Default Domain Policy. Use your judgement on how this should be set up in your environment.
“Right click the Default Domain Policy and select Edit. This will open up the Group Policy Management Editor. Drill down in the option pane on the left. The path should be
Right click
“Click
“That’s it. You now have an internal CA for use in your network.” -Jason
Thanks, Jason.
Mac OS X
It is easy to get ClearOS to be trusted by a Mac. This will get rid of annoying errors when you try to browse to Webconfig or use other certificate-based services.
Log into ClearOS' Webconfig as the user. Navigate to the User Certificates page. Next to the 'Certificate Authority' entry, click
Once that has downloaded, open Keychain Access by navigating to
Once you are in Keychain Access, import the file by hitting
Navigate to your Downloads folder, highlight the ca-cert.pem file and click
You will be asked if you want to trust this certificate from now on. Review the material in the certificate to make sure that it is correct and press
You will be asked for your password to make this happen. Enter your credentials and press
Close Keychain Access and try your hand at browsing the ClearOS server.
Congratulations. You should be able to access your server without prompts indicating that trust is violated.
ClearOS 6/7, Centos 6/7, EL6/7
Copy the ClearOS ca-cert.pem certificate into /etc/pki/ca-trust/source/anchors/ and, perhaps, change the name from ca-cert.pem to something which relates to your server e.g. clearos-server-ca.cert.pem, then run the following command:
update-ca-trust extract
Restart any apps which need to use the new certificate.
Troubleshooting
Ok. If you've done all that and it still doesn't work, it could be that the certificate you are actually looking at is NOT signed by your CA. An example of this is Webconfig which self-signs a certificate when it sets up before the CA is ever involved. This can lead to it using the default certificate and not one derived from your own CA.
You can validate this by looking at the certificate itself:
You will note that our certificate is signed by system.domain.lan and not the name of the server which, for this example, is named gen3.clearos.com.
Webconfig
Webconfig's certificates are located in /usr/clearos/sandbox/etc/httpd/conf/. We will back up these certificates first and then remove them when we are all done:
mkdir /usr/clearos/sandbox/etc/httpd/conf/temp
mv /usr/clearos/sandbox/etc/httpd/conf/server.crt /usr/clearos/sandbox/etc/httpd/conf/temp/
mv /usr/clearos/sandbox/etc/httpd/conf/server.key /usr/clearos/sandbox/etc/httpd/conf/temp/
Next, we will create a certificate request and associated key for the server:
openssl req -new -newkey rsa:4096 -nodes -keyout /usr/clearos/sandbox/etc/httpd/conf/server.key -out /root/gen3.clearos.com.csr
With this command, I've created a new key file in the appropriate directory and placed the certificate request in the /root directory, because the request is not needed by the Webconfig web server service once the certificate has been signed.
When you execute this command it will ask you a lot of questions. You should answer truthfully if you are a business but I'd recommend answering with bogus data if you are an individual (this information can be seen by the public if you have port 81 open). Here is what that looks like:
Generating a 4096 bit RSA private key
............................................................................................................++
............................................................................................................++
writing new private key to '/usr/clearos/sandbox/etc/httpd/conf/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:UT
Locality Name (eg, city) [Default City]:Orem
Organization Name (eg, company) [Default Company Ltd]:ClearCenter
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:gen3.clearos.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
I didn't place a password on the request because we aren't dealing with a third party that has to validate it (you are the authority here). What is most important here is the Common Name line. This must match the DNS name of the server exactly: if you then browse to the server by anything other than that name, you will still get a certificate error (i.e. a certificate issued for a hostname does not validate when you connect by IP address).
To sign the Certificate Request (.csr) yourself, run the following:
openssl x509 -req -in /root/gen3.clearos.com.csr -CA /etc/pki/CA/ca-cert.pem -CAkey /etc/pki/CA/private/ca-key.pem \
  -CAcreateserial -out /usr/clearos/sandbox/etc/httpd/conf/server.crt -days 3650
I've asked that the certificate be valid for 10 years using the -days flag (more than the life of the server). Of course, you can set the expiry to whatever value of days you wish.
You should get back the following response which should correlate with the information you gave earlier:
Signature ok
subject=/C=US/ST=UT/L=Orem/O=ClearCenter/CN=gen3.clearos.com
Getting CA Private Key
You can validate that your certificate and key file are now in the Webconfig webserver directory:
cat /usr/clearos/sandbox/etc/httpd/conf/server.crt
cat /usr/clearos/sandbox/etc/httpd/conf/server.key
Next, fix up the permissions of the certificates:
chmod 600 /usr/clearos/sandbox/etc/httpd/conf/server.crt
chmod 600 /usr/clearos/sandbox/etc/httpd/conf/server.key
chown webconfig:webconfig /usr/clearos/sandbox/etc/httpd/conf/server.crt
chown webconfig:webconfig /usr/clearos/sandbox/etc/httpd/conf/server.key
They should look like this:
ls -la /usr/clearos/sandbox/etc/httpd/conf/server.*
-rw------- 1 webconfig webconfig 1631 Apr 21 13:19 /usr/clearos/sandbox/etc/httpd/conf/server.crt
-rw------- 1 webconfig webconfig 3268 Apr 21 13:09 /usr/clearos/sandbox/etc/httpd/conf/server.key
Now restart your webconfig service:
service webconfig restart
Next, point the browser on a computer that trusts the ClearOS CA at the DNS name of your ClearOS server, and you should be good to go without certificate errors (in this case https://gen3.clearos.com:81).
You can also look at the certificate now and see that all is in order:
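The Webconfig procedure above, and the "who actually signed this?" check from the Troubleshooting section, as an added example script that is not part of the ClearOS documentation. It assumes the caller passes in the CA cert, CA key and output directory (on a real server these are /etc/pki/CA/ca-cert.pem, /etc/pki/CA/private/ca-key.pem and /usr/clearos/sandbox/etc/httpd/conf/); the throw-away CA exists only so the script runs offline, and the subjectAltName is an addition beyond the guide because current browsers require it alongside the CN.

```shell
# Added example (not ClearOS project code): non-interactive version of the
# Webconfig re-keying steps in this guide, plus a signature/hostname check.

# Throw-away CA for running this offline (constructed; never use in production).
# On a real ClearOS box use /etc/pki/CA/ca-cert.pem and private/ca-key.pem.
make_test_ca() {
  dir=$1
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example ClearOS CA" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null
}

# Issue the Webconfig server certificate: new key + CSR, then sign with the CA.
# $1 = FQDN users type into the browser, $2 = CA cert, $3 = CA key,
# $4 = output dir (the guide's /usr/clearos/sandbox/etc/httpd/conf/).
issue_server_cert() {
  fqdn=$1; cacert=$2; cakey=$3; outdir=$4
  # -subj replaces the interactive questions; the CN must be the DNS name.
  openssl req -new -newkey rsa:4096 -nodes \
    -subj "/C=US/ST=UT/L=Orem/O=ClearCenter/CN=$fqdn" \
    -keyout "$outdir/server.key" -out "$outdir/$fqdn.csr" 2>/dev/null
  # Current browsers ignore the CN and require a subjectAltName, so add one.
  printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$outdir/san.ext"
  openssl x509 -req -in "$outdir/$fqdn.csr" -CA "$cacert" -CAkey "$cakey" \
    -CAcreateserial -extfile "$outdir/san.ext" \
    -out "$outdir/server.crt" -days 3650 2>/dev/null
  # Key and cert readable only by the owner; the guide then chowns them to
  # webconfig:webconfig (needs root, so it is left to the caller here).
  chmod 600 "$outdir/server.key" "$outdir/server.crt"
}

# Troubleshooting check: is the cert really chained to OUR CA, does its CN
# match the hostname, and is the hostname in the SAN? Returns 0 if all hold.
verify_server_cert() {
  crt=$1; cacert=$2; fqdn=$3
  openssl x509 -in "$crt" -noout -subject -issuer
  openssl verify -CAfile "$cacert" "$crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$crt" -noout -subject | grep -q "CN *= *$fqdn" || return 1
  openssl x509 -in "$crt" -noout -text | grep -q "DNS:$fqdn"
}
```

If verify_server_cert prints an issuer such as system.domain.lan instead of your CA, Webconfig is still serving its original self-signed certificate and the steps above have not taken effect.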