Category Archives: Web Tools

Private DNS Domains: Creating SSL Certs for Your Devices That Access Internal Servers (Updated November 23, 2023)

Leave a reply

So in my last post, we went over creating the SSL cert creation for your internal web servers. It was a nice, wildcard cert that was able to be made once and installed on many making it easier on us. Now we’ll go over making the CA certs for Android and Windows clients that will do away with that annoying Chrome nag screen about security and whatnot when accessing them and instead appear as a nice and secure website to the browser!

Crafting the Simple Configuration for Android

It’s necessary for a simple configuration for Android to have the certificate to be a CA cert. So this part establishes the part where we define that for a later step in the process.

[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
commonName = *.yourinternaldomain.local

[ req_ext ]
subjectAltName = @alt_names
basicConstraints=CA:TRUE

[alt_names]
DNS.1 = yourinternaldomain.local
DNS.2 = *.yourinternaldomain.local

Save it as openssl.cnf. So, this is basically exactly like the server cnf file except for one thing and that is the line where it says basicConstraints=CA:TRUE. That makes it so that you don’t get an error on importing it into Android and it will work correctly!

You do NOT need this cnf file for the Windows cert, just skip ahead!

Generating the Signing Key for Android/Windows

So, this is for both Android and Windows, it’s basically the same but with different extensions.

Android:

openssl genrsa -out privkey.pem 2048

Windows:

openssl genrsa -out privkey.key 2048

I use the different extensions here just to keep things straight in my head when working with creating these certificates because we create a .pem for Android and a .crt for Windows.

Creating the Certificate Signing Request for Android/Windows

Like in the server post is basically the same, just with a tweak to differentiate the Windows command signature some.

Android:

openssl req -new -key privkey.pem -out csr.pem -config openssl.cnf

Windows:

openssl req -new -key privkey.key -out cert.csr

So, on Android, you see that you reference the cnf file. Remember, if you are doing this on Windows, you must specify the complete DOS path to the cnf file in the command statement.

Generate the Certificate

So now we have that we can generate the two different types of certificates for Android and Windows.

Android:

openssl x509 -req -days 365 -in csr.pem -signkey privkey.pem -out cert.pem -extensions req_ext -extfile openssl.cnf

Windows:

openssl x509 -req -days 365 -in cert.csr -signkey privkey.key -out cert.crt
OR (Easier way, skip all the previous Windows steps and follow the Android steps and after generating the Android Cert just do this!)
openssl x509 -outform der -in cert.pem -out cert.crt

And there you go, certificates made, one last thing for those special devices that require attention.

Craft a Full Chain pem

Here’s how to create a quick Full Chain pem file.

cat cert.pem privkey.pem > fullchain.pem

Installing the Certs

On Windows, you want to install the cert into your Trusted Root Certificates store. I had to restart Chrome and refresh my servers (that were already running their brand new internal certs) to get the Good To Go widget in the address bar. I haven’t tested with Edge, but I assume being chromium-based it probably uses the Windows Certificate Store as well. No idea about Firefox, never had the urge to use it.

On Android 13, based on your specific device look up how to install a custom certificate on it and it should see cert.pem (which you should have emailed to yourself already) in your storage somewhere. I’ve read you’re supposed to be able to just tap the pem file and it will auto-install but that did not work on a Pixel or a Samsung device. I had to go into Settings and do it through the menu.

If you are on a Pixel that is running Android 14 like me then when you get the option from settings to select the cert, it will not show any pem files. I am not sure why, but I found a workaround. After you download it, open the Files app and delete it. Sounds crazy but stay with me. Then go into settings and go through the certificate settings to the point of picking the certificate. This should launch a Files-like window to select it, tap the 3 dots in the upper right and select Show Hidden Files. Then there you go, the deleted cert.pem file will be there and just tap it and it will be installed. Crazy I know but that worked on my Pixel 8 Pro.

That should be it for Android, just kill and relaunch Chrome and it should be like on your desktop and with no nag screen.

I generally hope this helps anyone who could use the help. I know it has reduced the years of numerous clicking and tapping to get passed the security alerts over the years.

John

Tools Rundown: IT-Tools Docker Image!

Leave a reply

IT-Tools docker container is a very large suite of one-off tools and utilities that you access via a web interface. It is very easy to get running in Docker via Portainer and it is also very easy to use. I see this as a utility tool for all types of people in the IT field from admins to programmers as it really covers the gamut of tools that it provides.

How to get it going in Docker on my *nix system (this works for Synology as well)

Using Compose here is the basic gist of getting it up and running in Portainer. In Portainer, add a new stack, name it what you will, and then in the editor, paste the following:

version: '3.9'
services:
    it-tools:
        image: 'corentinth/it-tools:latest'
        restart: always
        ports:
            - '5545:80'
        container_name: IT-Tools

Then click on the “Deploy Stack” button and let it do its work. You should get a message that the stack was deployed successfully once it is finished.

I honestly have no idea how to do this in Windows as that demon child of an implementation of Docker is just weird and hard to understand versus the *nix versions.

Accessing IT-Tools

Once the stack is up and running, open your browser and navigate to: http://<ipaddressofdockerhost>:5545

This should open up this page for you.

And that is all there is to it! Just click an option to open it and use it, it’s all web-based. There is literally something that everyone can use quite often in their trade I believe and it definitely worth the 10-15 minutes it takes to get it going. Just bookmark it in your browser and then you have a great go-to tool for those things that you need a converter or other utility for.

You can choose a light or dark mode, as you can see from the screenshot I have it in dark mode. You can favorite utilities and tools as well and it will pin them to the top of the page as well.

I do hope you take a few minutes and try it out. It’s just a well-thought-out app that just ticks all the marks and that is few and far between these days. You rarely come across something like this.

John