4

For an intranet server I use a self-signed certificate which I want to trust system-wide. I added the certificate exception to Firefox, but this is not possible in Chrome, console applications, IDEs, ...

This is why I want the certificate to be trusted system-wide. As I understood it, the recommended way is to install it as root CA: https://blogs.technet.microsoft.com/sbs/2008/05/08/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista/

As I also understood it, this means that whoever controls the self-signed certificate now controls a root authority which can sign forged certificates for any site on my machine. Is this true and if yes, how can I prevent this? I just want to have a single intranet server self-signed, not potentially all services I use.

What is the recommended way to deal with intranet TLS here?

PhilLab
  • 145

2 Answers2

4

If the server is under your control:

  1. Create an actual root CA (e.g. with easy-rsa or Xca or Windows Server CA role).
  2. Replace the self-signed server certificate with one issued by your custom CA.
  3. Make sure the certificate you just issued is actually marked as a "leaf" / "end-entity" certificate. Look for the "X.509v3 Basic Constraints" extension – it must be present and say "CA: FALSE".
  4. Install the custom CA's root certificate into your computer.
  5. Safely store the CA private key so that it's only accessible whenever you need to issue a new cert.

As the server's certificate contains "Basic Constraints: CA: FALSE", it will not be able to issue new certificates using just its own key.

(The reason you need the CA to be separate is because directly installing the server's self-signed certificate into the "Trusted CA" folder may cause the system to ignore Basic Constraints – after all, it's installed as an authority. Separation avoids this problem, because you can safeguard the root CA keys.)

As a bonus feature, you won't need to re-trust the server certificate when it expires or when its name changes – just use the same root CA to issue a new cert.

grawity
  • 501,077
-1

Well, a certificate actually can have "key usage" property which restricts what can it be used for. So I guess you just need make sure that the self-signed certificate doesn't have "Certificate Signing" allowed key usage, or something like that. This way perhaps it could be "safe" to add it to trusted roots in Windows? If I'm mistaken, then someone correct me please.

And do you have to any other conclusion?

Tomeg
  • 158