SSL Certificate for my fritz box

I created my own CA with an intermediate CA to provide valid, not self-signed certificates for several services at home. One service is my fritz box, which supports HTTPS with a built-in certificate.

Certificate Creation

There are a few things to get right when creating a proper certificate.

1st: Include the SAN (Subject Alternative Name) "fritz.box", which is the host name I use in my browser. I do this using a config file.

[ req ]
req_extensions              = req_ext

[ req_ext ]
subjectAltName              = @alt_names
 
[ alt_names ]
DNS.1 = fritz.box

2nd: Make sure the SAN actually ends up in the certificate after signing; by default the signing CA drops the extensions requested in the CSR. The easiest (but dangerous) way is the CA configuration setting `copy_extensions = copy`. It is dangerous because the CA then copies every extension from the request, including ones a requester should never be allowed to set, such as `basicConstraints = CA:TRUE`.

3rd: Create a certificate file with the entire chain. The order is important: first the fritz box certificate, then the intermediate CA, and at the end, for completeness, the root CA. This is required because the server certificate does not contain the certificate of its issuer, so the server has to send the intermediate along for clients to build the chain.

Important: You need to trust the root CA in your "Trusted Root Certification Authorities" store (Windows). If the root CA is trusted, all certificates and certificate chains issued by this CA are trusted.

Sidenote: Yes, there is a mechanism for marking certificates as "no longer trusted", see CRL and OCSP.

Wait, certificate not trusted in Windows?

Don't be confused: Windows does not like multi-certificate files. The joined file works in your browser, but Windows just ignores the intermediate CA in our joined certificate. If you would like this to work on your machine, add the intermediate CA separately to your "Intermediate Certification Authorities" store.

Configure the fritz box

Before adding the certificate to the fritz box, there is one important thing: for encrypted data transfer, the decrypting party, in this case the fritz box web server, requires the private key.

4th: Add the (encrypted) private key to the certificate. This is done by simply appending it at the end of the joined certificate file. A .pfx file does not work.

The configuration setting for the certificate is hidden somewhere in „Internet ->Access->FRITZ!Box Services“. In case the private key is encrypted, provide the password as well.
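The four steps above as one runnable script, added here as an example and not part of the original post: it creates a throwaway root and intermediate CA so it runs offline, signs a "fritz.box" certificate whose SAN is re-applied by the signer (instead of `copy_extensions = copy`), builds the chain file in leaf, intermediate, root order and appends the encrypted key. All file names, the CA names and the passphrase "changeit" are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: ca.cnf, fritz.cnf,
# "Home Root CA", "Home Intermediate CA", passphrase "changeit".
set -eu

# Throwaway root CA plus intermediate CA, both short-lived (demo only).
make_test_cas() {
  d="$1"
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
    -subj '/CN=Home Root CA' -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj '/CN=Home Intermediate CA' -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.cnf" -extensions ca -out "$d/int.crt" 2>/dev/null
}

# Steps 1-4: CSR with SAN (step 1); SAN re-applied by the signer from its own
# [leaf] section, which is safer than copy_extensions=copy because nothing else
# from the CSR is copied (step 2); chain file leaf -> intermediate -> root
# (step 3); encrypted private key appended at the end (step 4).
build_fritz_bundle() {
  d="$1"; host="$2"; pass="$3"
  printf '[req]\ndistinguished_name=dn\nreq_extensions=req_ext\n[dn]\n[req_ext]\nsubjectAltName=@alt_names\n[alt_names]\nDNS.1=%s\n[leaf]\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=@alt_names\n' "$host" > "$d/fritz.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$d/fritz.cnf" -subj "/CN=$host" \
    -keyout "$d/fritz.key" -out "$d/fritz.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/fritz.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/fritz.cnf" -extensions leaf -out "$d/fritz.crt" 2>/dev/null
  openssl pkcs8 -topk8 -in "$d/fritz.key" -passout "pass:$pass" -out "$d/fritz.enc.key"
  cat "$d/fritz.crt" "$d/int.crt" "$d/root.crt" "$d/fritz.enc.key" > "$d/fritz-bundle.pem"
}

# Checks a practitioner would run before uploading: SAN present in the signed
# certificate, leaf certificate first in the bundle, chain verifies up to the
# root, and the encrypted key opens with the passphrase.
san_of()        { openssl x509 -in "$1" -noout -ext subjectAltName | grep -o 'DNS:[^, ]*'; }
first_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
chain_ok()      { openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/fritz.crt" >/dev/null 2>&1 && echo ok; }
key_opens()     { openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null && echo ok; }

WORK="$(mktemp -d)"
make_test_cas "$WORK"
build_fritz_bundle "$WORK" fritz.box changeit
echo "bundle written to $WORK/fritz-bundle.pem"
```

The resulting fritz-bundle.pem is the file to upload to the fritz box, together with the passphrase used for the key.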
