Category Archives: Web App

Private DNS Domains: Creating SSL Certs for Your Devices That Access Internal Servers (Updated November 23, 2023)

Leave a reply

So in my last post, we went over creating the SSL cert creation for your internal web servers. It was a nice, wildcard cert that was able to be made once and installed on many making it easier on us. Now we’ll go over making the CA certs for Android and Windows clients that will do away with that annoying Chrome nag screen about security and whatnot when accessing them and instead appear as a nice and secure website to the browser!

Crafting the Simple Configuration for Android

It’s necessary for a simple configuration for Android to have the certificate to be a CA cert. So this part establishes the part where we define that for a later step in the process.

[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
commonName = *.yourinternaldomain.local

[ req_ext ]
subjectAltName = @alt_names
basicConstraints=CA:TRUE

[alt_names]
DNS.1 = yourinternaldomain.local
DNS.2 = *.yourinternaldomain.local

Save it as openssl.cnf. So, this is basically exactly like the server cnf file except for one thing and that is the line where it says basicConstraints=CA:TRUE. That makes it so that you don’t get an error on importing it into Android and it will work correctly!

You do NOT need this cnf file for the Windows cert, just skip ahead!

Generating the Signing Key for Android/Windows

So, this is for both Android and Windows, it’s basically the same but with different extensions.

Android:

openssl genrsa -out privkey.pem 2048

Windows:

openssl genrsa -out privkey.key 2048

I use the different extensions here just to keep things straight in my head when working with creating these certificates because we create a .pem for Android and a .crt for Windows.

Creating the Certificate Signing Request for Android/Windows

Like in the server post is basically the same, just with a tweak to differentiate the Windows command signature some.

Android:

openssl req -new -key privkey.pem -out csr.pem -config openssl.cnf

Windows:

openssl req -new -key privkey.key -out cert.csr

So, on Android, you see that you reference the cnf file. Remember, if you are doing this on Windows, you must specify the complete DOS path to the cnf file in the command statement.

Generate the Certificate

So now we have that we can generate the two different types of certificates for Android and Windows.

Android:

openssl x509 -req -days 365 -in csr.pem -signkey privkey.pem -out cert.pem -extensions req_ext -extfile openssl.cnf

Windows:

openssl x509 -req -days 365 -in cert.csr -signkey privkey.key -out cert.crt
OR (Easier way, skip all the previous Windows steps and follow the Android steps and after generating the Android Cert just do this!)
openssl x509 -outform der -in cert.pem -out cert.crt

And there you go, certificates made, one last thing for those special devices that require attention.

Craft a Full Chain pem

Here’s how to create a quick Full Chain pem file.

cat cert.pem privkey.pem > fullchain.pem

Installing the Certs

On Windows, you want to install the cert into your Trusted Root Certificates store. I had to restart Chrome and refresh my servers (that were already running their brand new internal certs) to get the Good To Go widget in the address bar. I haven’t tested with Edge, but I assume being chromium-based it probably uses the Windows Certificate Store as well. No idea about Firefox, never had the urge to use it.

On Android 13, based on your specific device look up how to install a custom certificate on it and it should see cert.pem (which you should have emailed to yourself already) in your storage somewhere. I’ve read you’re supposed to be able to just tap the pem file and it will auto-install but that did not work on a Pixel or a Samsung device. I had to go into Settings and do it through the menu.

If you are on a Pixel that is running Android 14 like me then when you get the option from settings to select the cert, it will not show any pem files. I am not sure why, but I found a workaround. After you download it, open the Files app and delete it. Sounds crazy but stay with me. Then go into settings and go through the certificate settings to the point of picking the certificate. This should launch a Files-like window to select it, tap the 3 dots in the upper right and select Show Hidden Files. Then there you go, the deleted cert.pem file will be there and just tap it and it will be installed. Crazy I know but that worked on my Pixel 8 Pro.

That should be it for Android, just kill and relaunch Chrome and it should be like on your desktop and with no nag screen.

I generally hope this helps anyone who could use the help. I know it has reduced the years of numerous clicking and tapping to get passed the security alerts over the years.

John

Private DNS Domains: Creating SSL Certs for Your Web Servers and Devices That Access Them (Updated November 23, 2023)

Leave a reply

It’s pretty easy to get a growing internal network going at home now with devices getting cheaper and whatnot. But I myself don’t particularly don’t feel the need to expose them to the internet and only use them for myself. But I don’t like the nagging from Chrome about how this site is not secure for whatever reason on my Desktop or my tablet or phone. So I sat down this weekend and worked out how to create a cert for my web serving stuff and a CA cert for my end-use devices that made Chrome be quiet and happy and think everything was nice and secure. Here’s how I did it for the server side, later tomorrow or today I will add a post on how to do the client cert for you.

Install openssl on your working machine and buckle up!

Once you have openssl installed you need to do this twice, once for the Web servers and once for the CA for the end-user devices to accept that cert you made before.

The first thing is to generate a configuration file because we are going to make a wildcard certificate to keep from having to generate a cert for each server independently! Here’s the configuration example:

[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
countryName        = US
stateOrProvinceName = Texas
localityName       = Who Hee
organizationName   = Your Org
organizationalUnitName= Your Org Name
commonName = *.yourinternaldomain.local

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = yourinternaldomain.local
DNS.2 = *.yourinternaldomain.local

(Added more depth to CNF file)

Ok on *nix you can pretty much save that in whatever directory you are going to run the openssl command from as it will assume based on the prompt that it exists wherever it was executed from. Save the file as: openssl.cnf

On Windows, you need to change the below (like literally the text that follows below) areas where the openssl.cnf is mentioned to point to where the config is saved in the prompt.

Generate the Signing Key

Next up we generate the signing key:

openssl genrsa -out privkey.pem 2048

That is it!

Generate the Certificate Signing Request

Now we have to generate the CSR for generating our actual server cert.

openssl req -new -key privkey.pem -out csr.pem -config openssl.cnf (Updated to add -config option to CSR request)

That was nice and easy as well, now onto generating the server’s certificate!

Create the Actual Server Certificate

Now to the almost final step which is to create the cert to be installed on all the internal servers.

openssl x509 -req -days 365 -in csr.pem -signkey privkey.pem -out cert.pem -extensions req_ext -extfile openssl.cnf

Here is where we reference the openssl.cnf to get our wildcard cert. Remember Windows users to input the complete DOS path and use quotes if it has spaces to the actual cnf file.

Once Last Thing For Those Special Needs Servers

For those servers (i.e. Synology) that require a Full Chain pem file as well you can do this from *nix.

cat cert.pem privkey.pem > fullchain.pem

Ok, the server cert is done, you should be able to add it to your web servers now. I’ll be putting up the client portion for Android and Windows client CA certs sometime later today or tomorrow so that the annoying Chrome nag screen goes away.

John

Tools Rundown: IT-Tools Docker Image!

Leave a reply

IT-Tools docker container is a very large suite of one-off tools and utilities that you access via a web interface. It is very easy to get running in Docker via Portainer and it is also very easy to use. I see this as a utility tool for all types of people in the IT field from admins to programmers as it really covers the gamut of tools that it provides.

How to get it going in Docker on my *nix system (this works for Synology as well)

Using Compose here is the basic gist of getting it up and running in Portainer. In Portainer, add a new stack, name it what you will, and then in the editor, paste the following:

version: '3.9'
services:
    it-tools:
        image: 'corentinth/it-tools:latest'
        restart: always
        ports:
            - '5545:80'
        container_name: IT-Tools

Then click on the “Deploy Stack” button and let it do its work. You should get a message that the stack was deployed successfully once it is finished.

I honestly have no idea how to do this in Windows as that demon child of an implementation of Docker is just weird and hard to understand versus the *nix versions.

Accessing IT-Tools

Once the stack is up and running, open your browser and navigate to: http://<ipaddressofdockerhost>:5545

This should open up this page for you.

And that is all there is to it! Just click an option to open it and use it, it’s all web-based. There is literally something that everyone can use quite often in their trade I believe and it definitely worth the 10-15 minutes it takes to get it going. Just bookmark it in your browser and then you have a great go-to tool for those things that you need a converter or other utility for.

You can choose a light or dark mode, as you can see from the screenshot I have it in dark mode. You can favorite utilities and tools as well and it will pin them to the top of the page as well.

I do hope you take a few minutes and try it out. It’s just a well-thought-out app that just ticks all the marks and that is few and far between these days. You rarely come across something like this.

John

New project: A Web-Based Image Manipulator

Leave a reply

What is it and where is it…

If you’re looking for a straightforward tool to manipulate your images without the need for sophisticated software, you might want to look into the script I developed. It’s written in PHP, which is a widely used server-side scripting language ideal for web development. The functionality of this script allows users to perform basic image manipulations such as resizing and rotating images.

Being compatible with the most common image formats like BMP, PNG, and JPG, it ensures that the largest audience can utilize its features without compatibility issues. The user interface is designed to be very easy to use, even for those who may not have extensive technical skills. This makes it suitable for anyone needing quick image adjustments without the need for detailed knowledge of image editing.

To make it accessible to everyone, I’ve hosted this script online where you can easily find it. To get started with adjusting your images, you just need to visit the following link: Resize. Here, you can upload your image and choose the desired operation – whether you want to change its size, alter its orientation, or both. This tool is particularly useful for those who need to prepare images for web use, where dimensions and file size are crucial.

Moreover, owing to its simplicity and ease of use, it’s an excellent solution for everyday image processing tasks. Whether youโ€™re running a blog, managing a website, or even just looking to adjust some images for personal use, this PHP script aims to provide a no-fuss solution to help you achieve your goal without the overhead of complicated software packages or online services.

John