Buy an SSL certificate for the URL of the login box?
We have recently configured a transparent proxy on our system with SSL login so guests, students, etc. can log on to our wireless and just input their credentials to go online. There is a slight problem, though: when users are directed to the SSL login page we receive a certificate error:
Server IP Address
The identity of this website has not been verified
- Server's certificate does not match the URL
- Server's certificate is not trusted
This means we get a really quite horrible untrusted box on Android devices, and I am concerned that users will not want to work around it. Also, due to this, most HTTPS sites don't load properly.
Is there a workaround for this?
Buy an SSL certificate for the URL of the login box?
However, you can't buy SSL certificates for private servers any more.
Depends on the SSL cert seller. DigiCert will sell them, as will Trustwave SSL, InstantSSL, etc. A search for "buy intranet SSL certificate" brings up lots.
Try contacting your LEA (even if you're an academy, I believe they manage the sales for regions); they should be able to organise one via JaNet. It might not be free any more, but they are relatively cheap, I believe.
Buy an internet one and fudge your internal DNS.
We have to do that so that our internal clients can get to our webmail server without cert warnings.
Are you able to give me some more information on how to do this? We buy a yearly wildcard cert from GoDaddy that we use on many of our HTTPS intranet sites, so it makes sense that we would use this for Smoothwall too, as it is on the same domain that the wildcard cert covers. The thing that is confusing me is how I get these certs into Smoothwall itself, or don't I? We have HTTPS inspection working on all our domain-connected PCs using the certificate from Smoothwall that has been imported onto all the workstations, but for wireless devices it needs to just work.
On your internal DNS server, add your external domain name.
Then add a record for your smoothie and point it at the internal IP of the smoothie.
So, say you get redirected to lanportal.myschool.org.uk:
- add lanportal.myschool.org.uk to your wildcard cert (if you need to)
- add the domain myschool.org.uk to your internal DNS server
- add an A record in that domain, lanportal.myschool.org.uk, pointing to the IP of the smoothie
- add the certificate to Smoothwall (can't help you on that one)
The client hits your redirect, fetches DNS for lanportal.myschool.org.uk from your DNS server, and goes to the IP you specified.
Smoothwall sees a request for lanportal.myschool.org.uk, has a certificate that matches, and the client is happy.
Yeah, it does make sense, thanks. I have just downloaded our wildcard cert from GoDaddy for Apache, which is what I am told Smoothwall uses. I asked Smoothwall support to import the cert so we can use it, and they are telling me I have to generate a key so that Smoothwall can use it. Thing is, I can't do that because it's a wildcard cert: we have it applied on a few of our subdomain sites and I can't re-key it, as it will break the others. Arghhhh, why don't Smoothwall just allow you, through the GUI, to either use their inbuilt cert or use your own? How hard can it be?
I have just had a look here:
Jon Witts' Blog » Changes after a Smoothwall upgrade
I have opened /etc/httpd on the smoothie box and found 3 files: server.crt, server.key and server.csr. I am presuming that server.crt is the certificate you receive on the HTTPS inspection policies when you click on "export guardian certificate" (correct me if I'm wrong). As we want to use our wildcard SSL certificate, which has already been signed for *.ourdomain.sch.uk, and our Smoothwall box is smoothwall.ourdomain.sch.uk, could I not simply replace the .crt with our wildcard one? Smoothwall are saying I need to create a CSR and send it to GoDaddy to then receive a new .key file and a new .crt file, but surely I don't need these with it being a wildcard, do I?
The .crt file is generated and signed against the .key and .csr files. In this case the three files you have found have all been generated by the Smoothwall box using OpenSSL; hence why they are known as a self-signed cert.
For Apache to serve your wildcard SSL certificate for your Smoothwall box, you would need the matching .key and .csr files for your wildcard .crt file. These would also most likely need to have been generated by OpenSSL for them to work on your Apache / Smoothwall box. If they were generated on a Windows box, then I believe they will not transfer (although I am willing to stand corrected on this one!) and you will need to purchase a new certificate for your Apache / OpenSSL / Smoothwall server... They are not very expensive ;-)
Even if you install a real-world signed SSL certificate, the HTTPS inspection is still handled by the self-signed Smoothwall cert. This is because it needs to have the full Certificate Authority to be able to perform the HTTPS man-in-the-middle inspection. The SSL certs my blog post is talking about are for the SSL Login and Admin web pages...
Thanks for your response. I have purchased a new SSL certificate and will be able to key this for use with Apache. It is the SSL login bit I am after sorting anyway, because it just doesn't look good for guests if they get a certificate error on the SSL login page. How do I go about generating a CSR with Smoothwall for this new cert?
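The two posts above turn on one fact: a certificate is only usable by the server that holds the private key it was issued over, so a wildcard .crt with no matching .key is useless on the Smoothwall box, and a fresh key plus CSR is the way to get a usable cert. The following script is an added example written for this page, not something from the thread or from Smoothwall; it assumes the hypothetical portal name lanportal.myschool.org.uk from the DNS post and a working directory of ./portal-cert. It generates the key and CSR (with the portal name as a SAN, which is what browsers check against the URL), then runs the two checks a practitioner wants before installing whatever the CA sends back: does the .crt belong to this .key, and does it name the host clients are redirected to? Self-signing the CSR stands in for the CA so the whole thing runs offline.

```shell
#!/bin/sh
# Added example, not part of the original thread. Generates a private key and a
# CSR for a captive-portal host, then checks the resulting certificate.
# Hypothetical names: PORTAL_HOST and WORKDIR are assumptions, not from the page.
set -eu

WORKDIR="${WORKDIR:-./portal-cert}"
PORTAL_HOST="${PORTAL_HOST:-lanportal.myschool.org.uk}"

# Write an OpenSSL request config so the CSR carries the portal name as a
# Subject Alternative Name (browsers match the URL against SANs, not just CN).
write_req_config() {
    mkdir -p "$WORKDIR"
    cat > "$WORKDIR/req.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
C = GB
O = My School
CN = $PORTAL_HOST
[ v3_req ]
subjectAltName = DNS:$PORTAL_HOST
EOF
}

# Generate a new 2048-bit RSA key and the CSR that goes to the CA. The key
# never leaves the box; only server.csr is sent off.
gen_csr() {
    write_req_config
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORKDIR/req.cnf" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
}

# Stand-in for the CA: self-sign the CSR, keeping the SAN extension, so the
# checks below have a certificate to run against without network access.
self_sign() {
    openssl x509 -req -in "$WORKDIR/server.csr" -signkey "$WORKDIR/server.key" \
        -days 1 -sha256 -extfile "$WORKDIR/req.cnf" -extensions v3_req \
        -out "$WORKDIR/server.crt" 2>/dev/null
}

# Check 1: the certificate must carry the same public key as the private key
# the server will load. Compare SHA-256 of the DER-encoded public keys.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey \
        | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$key_pub" = "$crt_pub" ]
}

# Check 2: the certificate must list the host clients are redirected to as a
# DNS SAN; otherwise browsers show "certificate does not match the URL".
cert_covers_host() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/{getline; print}' \
        | grep -qF "DNS:$2"
}

# Demonstration when run directly.
gen_csr
self_sign
if key_matches_cert "$WORKDIR/server.key" "$WORKDIR/server.crt"; then
    echo "server.crt was issued over server.key"
else
    echo "server.crt does NOT belong to server.key"
fi
if cert_covers_host "$WORKDIR/server.crt" "$PORTAL_HOST"; then
    echo "server.crt covers $PORTAL_HOST"
else
    echo "server.crt does NOT cover $PORTAL_HOST"
fi
```

In real use, send server.csr to the CA, keep server.key on the box, and run key_matches_cert against the .crt that comes back before installing it. The same public-key comparison shows why the existing wildcard .crt cannot simply be dropped in: it will not match the key the Smoothwall box holds.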
I'm having trouble with the GoDaddy certificate now. I have submitted the CSR that I generated with Smoothwall and then chose WHOIS for GoDaddy to verify, and this is the email I received back:
We have received a Certificate Signing Request for the domain: smoothwall.etc.etc
We were unable to retrieve an email address for the domain name Registrant or Administrative Contact. It appears your WHOIS record does not present valid or public email address contacts or has private registration in place.
Please use one of the following alternative methods to facilitate the validation of your domain access control. Your unique ID for these methods is "".
1. If you are able to make Domain Name Zone changes, you can use the Domain Zone Control validation process. Domain Zone Control instructions
2. If you are able to store a web page in the root of your hosting account, you can use the Domain Website Control validation process and this HTML file to validate the domain name control for your SSL. Website Control instructions
When finished, log into your account and select your pending request. In the "Request Progress" section, click the "What's the hold up?" link. Complete the validation process by clicking the link for your selected method. A status message will indicate success or failure. Please allow a few minutes for the status of your request to be updated.
Does this mean my Smoothwall box needs to be visible from the outside to do this? If so, which ports do I need open, as I don't want to open up everything to the outside world?
Sounds like they are just trying to verify you as the owner of the domain name you used for your Smoothwall. What was the .etc.etc you used in your CSR? Is it a real-world domain name?