Topic: Wondering how to get rid of the not secure message

[wesman00]

I'm using XAMPP to host apache on my main computer. I downloaded a webpage through a GitHub project and moved the files inside of it into the htdocs so it would show up when I went to localhost. I'm also running a Virtual Machine on the same computer and going to localhost does not show the apache page I am hosting. I solved this by going to the host computer's local IP address. I edited the windows host file so that when I put lrjenkins.bank into the address bar, it should go to my local IP address instead of 127.0.0.1. In the address bar, it shows that my connection is not secure. I plan to use this locally hosted site to mimic a fake bank to waste scammers' time when I let them connect to my virtual machine and log into my fake bank using fake login info (the password has to be hunter2 lol) to show fake money. If I put the host computer's local IP into the address bar then I am able to see the page and log in and everything, but seeing a string of numbers when I'm "logging into my bank" instead of lrjenkins.bank is not convincing and having not secure in the address bar is also a red flag. https://shellcreeper.com/how-to-create-valid-ssl-in-localhost-for-xampp/ I followed this tutorial to make a certificate and trust it in windows settings on my host just to verify that it works, and after following the guide and changing site.test to lrjenkins.bank everywhere I saw it and then trusting the certificate, but I got the error in chrome that tells me that the site is using HSTS and I have to type "thisisunsafe" to get the site to show and it still says not secure in the top so this tutorial made the problem worse. I reverted to the backup before I followed the tutorial and I still can't figure out how to make an SSL certificate that shows that my connection is secure. If at all possible, I would love to have the lock display that the certificate is issued to LR Jenkins Financial Group, exactly how the certificate for github.com works.

[mraddi]

Hello,

I followed the instructions at https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html to create a Root-CA, an Intermediate-CA and a Server-certificate (maybe it is an overkill creating a complete certificate-chain but using this approach is similar to the certificates used "out there").
I always used "LRJenkins Bank" as organization and for organizational unit I used "Security Team" for the root-CA and the intermediate-CA and "Online Bankin" for the server-certificate.

In paragraph "Configuring the Intermediate CA 1" I used the follwing snippet in "ca.conf"

[wesman00]

I appreciate the reply so much and I can't thank you enough. My only question is that since this is done using bash, would I be able to follow the instructions at the link you sent on my Windows machine which hosts the VM and the Apache with XAMPP server? I have the Linux subsystem for Windows installed so it may work using that but I know regular cmd in Windows doesn't use bash. I also have access to a Mac and a Debian system so I think maybe I could generate the certificates on those then just copy them over to my Windows machine. Would this be okay?

[mraddi]

Hello,

creating the certificates on Mac or Debian (or any other Linux) and then copying them to the Windows-machine is fine.
If you look for it there is also OpenSSL for Windows available - but finding up-to-date compiled Windows-versions is not as easy as simply using the Linux-based machines you already have available

Best regards
Matthias

[wesman00]

Ok I'll use my linux machine because it has a lot of utilities already installed. My last question that I had not thought of yet is should I change the part where you put 127.0.0.1 to the internal IP of my host system? This is required to get the webpage to show up on my virtual machine. When I go to 127.0.0.1 on my VM, it says the page does not load. I need to instead go to 10.70.65.146 if I want data to load. I then edited my Windows host file to say

[mraddi]

Hello,

I've added the 127.0.0.1 to the list to also be able to connect to the webserver using this IP and also have a "closed lock" in my browser's address bar.
You can ommit this line in the config or replace it with any other data suitable for your environment.
The real important thing is that the hostname you will normally use in your browser is also in this list.

Greetings
Matthias

[wesman00]

Ok I've run into a slight problem. When I run

[wesman00]

Whoops I found the issue I had just misconfigured ca.conf so the entire tutorial is correct up until creating end user certificates where I stopped. I couldn't find the part of the tutorial where you made a server-certificate and used online banking, but I successfully created and signed a root-CA and an intermediate-CA which I'm almost 100% sure will work when it is on the machine hosting the apache server. I am hesitant to try yet though because I don't know if it will mess anything up before creating the server certificate.

[wesman00]

I just realized I hadn't looked at the tutorial carefully enough so ignore my previous 2 replies since I'm past those issues now, but at this point I made the enduser certificates specific for lrjenkins.bank after following the tutorial for the root-CA and intermediate-CA certificates completely correctly. I made all of them on my Linux machine and now I'm unsure of where each certificate needs to go. I have left the intermediate-CA and root-CA files on my linux machine but copied the enduser-certificates directory over to my Windows machine which is hosting XAMPP. I have files called enduserlrjenkins.bank.crt (located in XAMPP\apache\conf\ssl.crt) and enduser-lrjenkins.bank.key (located in XAMPP\apache\conf\ssl.key). I also have the .chain file and the .csr file but I don't know where those go. I also can't find a line in my Apache conf file where it says SSLCertificateFile or SSLCertificateKeyFile. Do I need to add these lines with the directories of each file after? Or do I need to find an existing line in one of the conf files with SSLCertificateFile and SSLCertificateKeyFile and change the directories those files are in. If yes to either of these questions, do you know what the conf file should be called? I'm thinking it's httpd-ssl.conf, but I'm unsure.

[mraddi]

Hello Wesley,

here is the complete output my Linux-Box when doing the mentioned tutorial. Yes, there are some errors/warnings, but it doesn't matter - the result was working fine for me. In addition I have added some bash-comments which ca.conf to use and what to modify. Maybe it is a bit clearer now?

Admin note: Moved output to https://apaste.info/cXQe

Best regards
Matthias

[wesman00]

Thank you so much for your paste, I'm following every single line you have word-for-word, except for when I get to the part on line 95 where it says

[wesman00]

Ok, last question. For the files in enduser-certs, all of them get sent to the user except for the .csr file and a copy of each stays on the server. My question is where do the ones on the server go in my Apache installation? I'm using XAMPP which has Apache bundled in and I'm pretty sure the configuration is the same except a couple of directories like htdocs are different but I have those working the way they need to be. Then once each file is where it needs to be on the server, what should I do with the other files that I will be putting on the VM which will be going to the website?
I'm sorry for asking so many questions, but I've had struggles with OpenSSL on my actual server and trying to get certificates for the open-source FileBrowser service, Cockpit, and Plex and my experience with those wasn't fun given how much extra configuration each service needed on top of using certbot which is as easy as it gets. I still haven't figured out how to get an SSL certificate for Plex on my website but I'll work on that when I'm finished with this project.

[mraddi]

Hello,

on the client you need to install the public-keys (.crt) from your root-ca and the intermediate-ca into your browser as trusted Certificate Authorities - otherwise your browser will complain about the certificate being from an unknown/untrusted CA.
On your webserver you need the public-key (.crt), the private-key (.key) and the chain-file (lrjenkins.bank.chain) from the enduser-certs-directory.

@admin: sorry for putting that looong content into this formum and thank you for moving it to apaste.bin

Best regards
Matthias

[admin]

@mraddi

No problem, I think others can learn from the content.

Thanks for helping.