Create and Import the CA Certificate

Jack Yaz edited this page May 27, 2018 · 14 revisions

Generate your Pixelserv CA cert

pixelserv-tls requires a CA cert to serve requests over HTTPS. Assume OpenSSL already installed in your system.

Standard Linux systems

  • sudo mkdir -p /var/cache/pixelserv
  • cd /var/cache/pixelserv
  • sudo openssl genrsa -out ca.key 1024
  • sudo openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"
  • sudo chown -R nobody /var/cache/pixelserv

Entware

  • mkdir -p /opt/var/cache/pixelserv
  • cd /opt/var/cache/pixelserv
  • openssl genrsa -out ca.key 1024
  • openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"
  • chown -R nobody /opt/var/cache/pixelserv

This creates a CA cert with 1024-bit key strength valid for ten years. Let's call it your Pixelserv CA cert, unique to and solely owned by you. Only you possess the private key as stored in ca.key.

CAUTION

You may want to backup ca.crt and ca.key. This will save you from generating and importing a new CA cert on client devices in the event that the original CA cert files in /opt/var/cache/pixelserv are damaged.

Import Pixelserv CA on client devices

Importing your CA cert on clients is not mandatory but recommended. Your Pixelserv CA cert is available through URL http://pixelserv ip/ca.crt. Make sure you replace pixelserv ip with the actual IP address of pixelserv.

iOS/Android

The following procedure will import your CA cert and trust it system wide.

  • Open Safari/Chrome. Visit http://pixelserv ip/ca.crt. Make sure you replace pixelserv ip with the actual IP address of pixelserv.
  • Follow the prompt to finish the installation.

CAUTION

Since iOS 10.3, a user-installed CA cert requires enabling trust explicitly.

  • Go to Settings > General About > Certificate Trust Settings.
  • Under Enable full trust for root certificates, turn on trust for Pixelserv CA.

This tip is provided by @jrmwvu04 on snbforums.

Firefox

Firefox manages its own root CA certificates. The import procedure is same on all platforms.

  1. Open your browser and visit http://pixelserv ip/ca.crt. Make sure you replace pixelserv ip with the actual IP address of pixelserv.
  2. Select "Trust this CA to identify websites" on the screen pop-up.
  3. Click "Ok"

macOS: Safari/Chrome

The following procedure will import your CA cert and trust it system wide.

  1. Open Safari/Chrome. Visit http://pixelserv ip/ca.crt. Make sure you replace pixelserv ip with the actual IP address of pixelserv.
  2. Find the downloaded file, ca.crt.
  3. Double click on `ca.crt' to start Keychain's import wizard.
  4. Select keychain "system" and click "Add".
  5. Open Keychain Access and select keychain "System".
  6. Locate "Pixelserv CA" and double click to the CA cert.
  7. Expand "Trust" and select "Always Trust" for "When using this certificate"
  8. Close the window to finish setting update.

Restart your browser to take effect.

Windows: Chrome/Edge/IE

The follow procedure will import your CA cert and trust it system wide.

  1. Open your browser. Visit http://pixelserv ip/ca.crt. Make sure you replace pixelserv ip with the actual IP address of pixelserv.
  2. Find the downloaded file, ca.crt.
  3. Double click on `ca.crt' to view the certificate.
  4. Click "Install Certificate.." and select "Local Machine".
  5. Click "Place all certificate in the following store" on next screen.
  6. Click "Browse..." and select "Trusted Root Certification Authorities".
  7. Click "Next" and then "Finish" on next screen.

Restart browser to take effect.

If the above steps do not work for you, please follow this Windows guide to use MMC for import.

Others

You may follow this guide for ChromeOS, and this one for Linux in general.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.