Blue Iris Google chrome CA and Client Certificate creation and Install

johnmcc

I have been researching making an HTTPS connection to stunnel, which requires a certificate with a CA. I tried many openssl commands and eventually found the reason Chrome does not recognise a CA and client certificate: it needs "subject alt names".
Found the following. At the start of each section I put the link to the site I obtained the information from. I am only a novice at certificates and openssl. Usual disclaimer: use at your own risk. It worked for me, and required the creation of
makecert.bat
client.bat
openssl_SAN.cfg
as follows

At the start of each section I have put the address of the site I obtained the information from. I removed https:// from the start of the addresses.

>>>>>>>>>>>>>>>>>>>>>>Start openssl_SAN.cfg
# from gist.github.com/croxton/ebfb5f3ac143cd86542788f972434c96
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GB
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = England
localityName = Locality Name (eg, city)
localityName_default = Brighton
organizationName = Organization Name (eg, company)
organizationName_default = Hallmarkdesign
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = localhost

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = yourIP.com
DNS.2 = server10.yourIP.com
DNS.3 = localhost
# An IP address must be an IP entry: browsers do not match a DNS entry that holds "127.0.0.1"
IP.1 = 127.0.0.1
DNS.4 = localhost.yourIP.com
DNS.5 = *.cawhoose.com

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>End of openssl_SAN.cfg
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>makecert.bat
rem videos.didierstevens.com/2015/03/27/howto-make-your-own-cert-with-openssl/
set OPENSSL_CONF=C:\stunnel\config\openssl_SAN.cnf
Rem First I made a directory under stunnel called cert1
set RANDFILE=c:\stunnel\cert1\.rnd

Rem once again modify to location of stunnel
cd c:\stunnel\bin
openssl genrsa -out c:\stunnel\cert1\ca.key
openssl req -new -x509 -days 1826 -key c:\stunnel\cert1\ca.key -out c:\stunnel\cert1\ca.crt
openssl genrsa -out c:\stunnel\cert1\ia.key 4096
openssl req -new -key c:\stunnel\cert1\ia.key -out c:\stunnel\cert1\ia.csr
openssl x509 -req -days 730 -in c:\stunnel\cert1\ia.csr -CA c:\stunnel\cert1\ca.crt -CAkey c:\stunnel\cert1\ca.key -set_serial 04 -out c:\stunnel\cert1\ia.crt -extensions req_ext -extfile c:\stunnel\config\openssl_SAN.cnf

rem In Windows, double clicking ia.p12 starts the certificate import.
rem In the import wizard I selected Local Machine then accepted the defaults.
openssl pkcs12 -export -out c:\stunnel\cert1\ia.p12 -inkey c:\stunnel\cert1\ia.key -in c:\stunnel\cert1\ia.crt -chain -CAfile c:\stunnel\cert1\ca.crt

rem now need to modify and run client.bat
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>end of makecert.bat
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>client.bat
Rem Modify the paths to suit your installation
Rem from stackoverflow.com/questions/54491901/how-to-generate-both-server-and-client-certificates-under-root-ca
Rem Modify the path to the location of the file "openssl_SAN"; I put it in the default location where openssl.cnf resides
Rem First I made a directory under stunnel called cert1

set OPENSSL_CONF=C:\stunnel\config\openssl_SAN.cnf
set RANDFILE=c:\stunnel\cert1\.rnd

cd c:\stunnel\bin
echo Generating RSA Private Key for Client certificate
openssl genrsa -out c:\stunnel\cert1\client.key 4096

echo Generating Certificate Signing Request for Client certificate
openssl req -new -key c:\stunnel\cert1\client.key -out c:\stunnel\cert1\client.csr

echo Generating certificate for Client certificate
openssl x509 -req -days 1825 -in c:\stunnel\cert1\client.csr -CA c:\stunnel\cert1\ca.crt -CAkey c:\stunnel\cert1\ca.key -set_serial 01 -out c:\stunnel\cert1\client.crt -extensions req_ext -extfile c:\stunnel\config\openssl_SAN.cnf

rem change to directory where certificates have been created
cd c:\stunnel\cert1
echo "Done"

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>End of client.bat
>>>>>>>>>>>>>>>>>>>>>>>>>>>> stunnel.conf
[BlueIris]
sslVersion = TLSv1.2
TIMEOUTclose=0
client=no
accept=1440
connect=8080
cert = c:\stunnel\cert\client.crt
key = c:\stunnel\cert\client.key
CAfile = c:\stunnel\cert\ca.crt



[KitchenAp]
sslVersion = TLSv1.2
TIMEOUTclose=0
client = no
accept = 8443
connect = kitchen.cawhoose.com:80
cert = c:\stunnel\cert\client.crt
key = c:\stunnel\cert\client.key
CAfile = c:\stunnel\cert\ca.crt

[GroundAp]
sslVersion = TLSv1.2
TIMEOUTclose=0
client = no
accept = 8444
connect = ground.cawhoose.com:80
cert = c:\stunnel\cert\client.crt
key = c:\stunnel\cert\client.key
CAfile = c:\stunnel\cert\ca.crt

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>end of stunnel.conf
I emailed myself the ca.crt, opened it on my iPad and double clicked, which starts the import. Then go to Settings; you should now see a selection below your name to import the profile. Click through this. Then start Safari: the first time you get a warning, click proceed and Blue Iris will load. Next time there will be no warning but the padlock will be displayed. The warning will not be shown the next time.

On the Windows machine, double clicking ia.p12 starts the certificate import; I selected Local Machine then accepted the defaults. Chrome made the connection to Blue Iris without alerts, and clicking the padlock shows a valid certificate.
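Added example, not from the post and not stunnel or openssl code: a small Python model of the hostname check a browser applies to a certificate's subjectAltName, run over the post's [alt_names] entries. It shows why the Common Name is ignored, why 127.0.0.1 must be an IP entry rather than a DNS entry, and what the *.cawhoose.com wildcard does and does not cover. The alt-name list is constructed from the post's config; the function names are assumptions of this example.

```python
import ipaddress

# The [alt_names] section of the post's openssl_SAN.cnf, as (type, value) pairs.
# Constructed from the post; 127.0.0.1 is kept as the DNS entry the post used,
# so the check below can show why that entry never matches.
POST_ALT_NAMES = [
    ("DNS", "yourIP.com"),
    ("DNS", "server10.yourIP.com"),
    ("DNS", "localhost"),
    ("DNS", "127.0.0.1"),        # as written in the post: an IP literal in a DNS entry
    ("DNS", "localhost.yourIP.com"),
    ("DNS", "*.cawhoose.com"),
]


def dns_name_matches(pattern, hostname):
    """Browser-style DNS SAN match: case-insensitive; a single '*' may stand in
    for exactly one whole left-most label and never matches across a dot."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # wildcard must be a whole label and leave two fixed labels
    if len(p_labels) != len(h_labels):
        return False  # '*' covers one label only, so the apex or deeper names fail
    return p_labels[1:] == h_labels[1:]


def san_matches(alt_names, target, common_name=None):
    """Return True if target (a hostname or an IP literal) is covered by the SAN.
    common_name is accepted but deliberately ignored, as Chrome ignores CN."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in alt_names:
        if ip is not None:
            # An IP literal matches only an IP entry, never a DNS entry holding the same text.
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and dns_name_matches(value, target):
            return True
    return False
```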

bp2008

Hi.

Yeah, it is definitely a surprise when you discover that the Subject's Common Name field is ignored, and you need the domain(s) to be in Subject Alternative Name. Because Chrome's error message for this situation is very misleading. It makes me wonder what guide you found that failed to set you on the right track.

You should use insert > code sections in your post to make it a lot more readable.

Anyway, openssl command line is the hardest way I know of to create SSL certificates. Unfortunately they are still the #1 recommended way to do it despite there being easier ways.

pfSense (the operating system that turns a PC into a router) has a pretty decent graphical interface for creating a certificate authority and creating or signing certificates.

I have personally developed some simple GUI tools on Windows which I consider to be 1000% better than learning openssl for simple needs. This app creates certificates. And this one can trust/untrust them on Windows systems without the user needing to navigate the certificate import wizard.

There also exists Let's Encrypt, which is a free way to get your certificates signed by a globally trusted authority, and there are GUI tools on Windows for automating the process of obtaining and renewing certificates with them. I've used Certify The Web with great success. But it is an order of magnitude more complicated than working with self-signed certificates, since you are required to set up verification of domain ownership.

johnmcc

bp2008 said:
> Hi.
>
> Yeah, it is definitely a surprise when you discover that the Subject's Common Name field is ignored, and you need the domain(s) to be in Subject Alternative Name. Because Chrome's error message for this situation is very misleading. It makes me wonder what guide you found that failed to set you on the right track.
>
> You should use insert > code sections in your post to make it a lot more readable.
>
> Anyway, openssl command line is the hardest way I know of to create SSL certificates. Unfortunately they are still the #1 recommended way to do it despite there being easier ways.
>
> pfSense (the operating system that turns a PC into a router) has a pretty decent graphical interface for creating a certificate authority and creating or signing certificates.
>
> I have personally developed some simple GUI tools on Windows which I consider to be 1000% better than learning openssl for simple needs. This app creates certificates. And this one can trust/untrust them on Windows systems without the user needing to navigate the certificate import wizard.
>
> There also exists Let's Encrypt, which is a free way to get your certificates signed by a globally trusted authority, and there are GUI tools on Windows for automating the process of obtaining and renewing certificates with them. I've used Certify The Web with great success. But it is an order of magnitude more complicated than working with self-signed certificates, since you are required to set up verification of domain ownership.
The link to each location is provided at the start of each section; for Subject Alternative Names it was
gist.github.com/croxton/ebfb5f3ac143cd86542788f972434c96
I removed https from the start of the link.
On code insertion: no doubt you can conclude I am not that familiar with pasting code.
I have a Draytek router which has a LAN DNS app that permits cam1.myip.com, which directs local requests to a local IP, e.g. 192.168.1.50.
Hence my looking to create a certificate for my local network.
I