
Is it at all possible to create a self-signed certificate for use on multiple machines on a local network which would stop the browser complaining it is not a trusted site?

We have a product which is basically a computer running lighttpd to serve a web interface for configuring the computer (sort of how a router has a web interface). There can also be many of these machines running on the same network with dynamic IPs. What I basically want to do is enable SSL for extra security, but I don't want people who are on the local network to be given a browser warning about the certificate not being trusted.

Is this at all possible?

2 Answers

6

Yep.

As long as you control the certificate caches on the local machines, this is easy.

First, create a CA Root.

Set the CA root certificate expiry to be like, 20 years. Export the CA root public certificate as a pem file, and install it onto the client PCs. It'll appear as a Trusted CA Certificate.

Then use that CA to sign the CSR for the servers you wish to SSL encrypt. Then install the certificate you've generated there into the webserver's SSL certificate store, and configure the server to use that certificate.

If it's worked correctly, you'll be able to browse to the website, see that it's https encrypted, but as it's a pre-stored root certificate, you won't get the ugly red warning boxes and bars.

  • 2
    Do make sure, however, to keep a very tight hold on the private key for that CA certificate you've just created. If it leaks, https becomes meaningless for all users whose browsers trust that CA cert, as it can certify an SSL key for any website.
    – MadHatter
    Nov 12, 2012 at 9:54
  • 1
    I completely agree, and I certainly didn't mean to detract from your answer (which I upvoted, because I think it's right). I merely felt that Firefly should go into this solution understanding fully the implications of what (s)he's doing.
    – MadHatter
    Nov 12, 2012 at 10:02
  • 1
    There's a thing about creating a root CA, putting it in a box and locking it, then using a secondary root CA for actually signing shit.
    Nov 12, 2012 at 10:22
  • 1
    I followed the instructions on the link you provided but I can't get it to work correctly. I think the problem lies in the fact that when you sign a certificate you have to provide a static hostname/domain? With the way our product works there is no domain name and the machines on the network have dynamic IPs. So even if I import a certificate and then try loading the web page up locally by browsing to (127.0.0.1) it still shows the red warning page :/
    – Firefly
    Nov 13, 2012 at 0:48
  • 1
    Maybe I'm setting up the certificates wrong or something. Would you be able to provide the exact steps required? I'm also running lighttpd and I can only get the server to accept a .pem for the "ssl.pemfile" parameter. If I try to use the "ssl.ca-file" it spits an error saying the private key and certificate don't match.
    – Firefly
    Nov 13, 2012 at 0:48
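The steps in the answer above, as an added shell example that is not from the answer's author or the original page: it builds the CA root, signs one appliance certificate with it, and writes the combined key-plus-certificate file that lighttpd's ssl.pemfile expects. Assumed: the openssl CLI is installed, and the appliance is reached by IP (127.0.0.1 here is a constructed sample), so the certificate carries that IP as a subjectAltName.

```shell
# Added example (not the page's code). Assumes the openssl CLI is installed.
set -eu

# $1 = work dir, $2 = IP address the server certificate must cover (constructed sample: 127.0.0.1).
make_local_pki() {
  d="$1"; ip="$2"
  mkdir -p "$d"

  # Minimal req config so this runs without a system openssl.cnf.
  # v3_ca marks the root as a CA whose key may only sign certificates and CRLs.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$d/req.cnf"

  # 1. CA root, valid 20 years as the answer suggests.
  #    ca.pem is what clients import; ca.key is the secret that never leaves the signing box.
  openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 7300 \
    -subj "/CN=Local Appliance Root CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null

  # 2. Per-appliance key and CSR (one of these per machine on the network).
  openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=appliance" -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null

  # 3. Sign the CSR with the CA. Browsers match the address typed in the URL bar
  #    against subjectAltName, so an appliance reached by IP needs an IP: entry there.
  #    CA:FALSE stops the leaf certificate from being used to issue further certs.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=IP:%s\n' "$ip" > "$d/server.ext"
  openssl x509 -req -sha256 -days 365 -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null

  # 4. lighttpd's ssl.pemfile takes private key and certificate in ONE file;
  #    ssl.ca-file is for CA certificates only, which is why a key goes wrong there.
  cat "$d/server.key" "$d/server.crt" > "$d/server.pem"
  chmod 600 "$d/ca.key" "$d/server.key" "$d/server.pem"
}

# Mirrors what a client that trusts ca.pem checks: does server.crt chain to the CA? Returns 0 if so.
verify_chain() {
  openssl verify -CAfile "$1/ca.pem" "$1/server.crt" >/dev/null 2>&1
}

# Does the server certificate name the given IP? Returns 0 if so.
cert_covers_ip() {
  openssl x509 -in "$1/server.crt" -noout -text | grep -q "IP Address:$2"
}
```

Import ca.pem (never ca.key) into each client's trust store and point ssl.pemfile at server.pem. A certificate that names an IP is only trusted at that IP, so a machine whose address changes needs a fresh certificate or a stable name.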
1

Slightly off topic, but you can get a trusted certificate for a public domain you control but which points to a local IP.
