SSL for company internal services

If you are using SSL in the wild you’ll probably generate your certificate on and all is pretty much taken care of.

But what if you have an internal HAProxy serving requests on the 192.168.x.x scope? Or you have an internal Spring Boot webapp that you also want to secure? As the servers will not be accessible by the outside world, you will not be able to generate a certificate for them. Don’t let that stop you. It’s trivial to generate your own certificates and install them in company resources including iOS devices.

The suggested path is to create an internal Certificate Authority (CA) and add that source of trust to all the machines that will be accessing the services secured.

Bird’s eye view of the process:

Authority: will act as the source of trust for all certificates you sign. You will have to install the Authority on every single machine/phone you’ll want.

  1. Generate a private key for a Certificate Authority (CA)
  2. Generate a Certificate for the Certificate Authority (CA)
  3. Install Certificate Authority on Windows
  4. Install Certificate Authority on iOS

Client: we can issue private keys for all our projects inside our network. Those private keys will be validated by our own generated and installed authority.

  1. Generate a private key for the client
  2. Generate a Certificate Sign Request (CSR)
  3. Have CA sign the CSR thus generating the client Certificate
  4. Merge the client certificate and the CA certificate into a pkcs12 file which is read by Spring

Install OpenSSL

First things first, install OpenSSL. If you are on a Linux machine you can use the distro repository and do something like apt-get install openssl but if you are on windows things are a little trickier. OpenSSL states on their Wiki the following binary distributions by third parties. It’s always a risk to install software from sources you don’t trust, and you could compile OpenSSL on your machine, but I personally used

You can then just unzip the files into any folder and use the openssl.exe from there.

You must also create a configuration file, can be called openssl.cnf. In it’s most basic form it can take just the following variables:

Generate Certificate Authority

We start by generating a private key for the authority:

And we then generate two certificates. Notice that the config value should point to wherever you placed your openssl.cnf file. Also notice that we used 1825 days, 5 year as it’s a round number. Any other value will do. But on certificates Apple enforces tighter limits which we cover bellow.

You now have three files. The ca_key.key (private key) and the ca_cert.pem and ca_cert.crt which are the certificate files for your certificate authority.

Install on Windows: Click the ca_cert.crt file on Windows and follow screen instructions. Then click Start -> Run -> certmgr.msc. It will open the Windows Certificate Manager. You will find the certificate you installed under “Intermediate Certification Authorities”. You’ll want to drag that file to “Trusted Root Certification Authorities”. This can be done as a non admin user.

Install on iOS: Email the ca_key.pem file to yourself. Open the email on iOS using the Apple Mail App. Follow the instructions and certificate will be installed. To uninstall you can go to Settings -> General -> Profile. After proper installation iOS requires a second step for you to trust the certificate, you must go to Settings -> General -> About -> Certificate Trust Settings and Enable Full Trust For Root Certificate.

Done. That’s all there is about generating a proper local CA.

Generate Certificates for services

Start by generating a private key for the service/site/etc.

Generate a CSR (Certificate Sign Request):

Now that we have the website key and the certificate sign request we need to create an external file with the names/ip’s for which such certificate will be valid. Create a file called service1_config.ext with the following info:

Now we’ll use the CA certificate and private key together with the CSR (Certificate Sign Request) and the config file to generate a proper certificate for the website. Since iOS 13 Apple only allows a max of 825 days on certificates so that’s what we’ll use, also notice that Apple just recently announced that limit going down to 398 days so you may need to adjust accordingly depending on when you read this.

You’ll now have the following files:

The one that matters, since CA Authority is already installed in all the devices is the certificate service1.crt.

Spring Boot or HAProxy

Spring Boot uses PKC12 files.
HAProxy uses pem files.

Let’s create both those files:

Spring Boot – edit and insert something like this:

HAProxy – edit config file and insert something like this:

And that’s it, SSL for internal projects without the warning “this site is insecure” or “certificate not valid” error messages.

Things that may be useful:

Remove password from private key:
If you’re planing on running some services, like HTCondor, you may need to have private decrypted keys. This can easily be achieved by running:

Inspect Private Keys, CSR’s, CRT’s and PKCS’s:
At any point you may need to inspect any of these. Commands below:

Leave a Reply

Your email address will not be published. Required fields are marked *