Import certificate in browser: Difference between revisions

From Proxmox VE
Jump to navigation Jump to search
mNo edit summary
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
== Introduction ==
== Introduction ==
Proxmox VE uses '''https''' (SSL) for it's admin interface and it is imperative that self-signed certificates (safe when used in a trusted LAN) be accessible in MS Internet Explorer.
Some browsers, like the new standard browser Edge in Windows 10, are denying custom SSL certificates, sometimes without an option to add them. As the Proxmox VE generates unique and secure certificates to ensure the integrity of the communication between the web interface and users, this "security feature" raises some issues for Proxmox VE users. Here is a step by step manual to add CA's to your Windows system.


== The Problem ==
Browsers like Chrome or Opera relies on the Certificate Authority (CA) pool from the System, but give an option to visit the site nonetheless. Adding your Proxmox VE CA with this method gets rid of SSL security warnings permanently.
Recently, MS Internet Explorer (versions 8,9,10,11 tested) began providing the Certificate Error warning page without the '''Continue to Website''' link like:
[[File:MSIE_Cert_Error_Missing_Continue_Link.png]]


This problem surfaced on installing [https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/31.4.0esr/win32/en-US/Firefox%20Setup%2031.4.0esr.exe FireFox 31.4.0esr] (it now has a [https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/31.5.0esr/win32/en-US/Firefox%20Setup%2031.5.0esr.exe successor]). This was necessitated with Firefox 35.0.1 being erroneous and all subsequent versions including itself causing a Windows Firewall exception getting created for it and being persistent even after removal of the exception entry.
== Windows Systems ==


== Solution 1 ==
=== Extracting the Certificate ===
Follow these steps to clear the certificate error.
You find your Proxmox SSL certificate on any cluster under <code>/etc/pve/pve-root-ca.pem</code>. Copy it to the Windows machine via USB stick, Dropbox/drive/..., ssh, or your own favorite way.
* Open Internet Explorer.
* Click on Tools, Internet Options from the menu.
* Click on the Advanced tab and scroll down to the Security section.
* Clear the boxes for:
** Check for publisher’s certificate revocation
** Check for server certificate revocation.
* Click Apply and OK.
* Restart the MSIE Browser (and computer if needed) and check the issue.


Can thereafter revert the above as well and it still works! YMMV!
=== Installing the Certificate ===
On the Windows system (tested with win7 and win10) search for "Internet Options" in the start menu or the settings window.


[[File:MSIE_Cert_Errors_fix.png]]


== Solution 2 ==
Open it and select the content tab, there click the certificates button. The certificates window opens, there select the "Trusted Root Certification Authorities" Tab and click on import.
If you have '''certutil.exe''' in your '''system32''' folder (Available in the [http://www.microsoft.com/downloads/details.aspx?FamilyID=C16AE515-C8F4-47EF-A1E4-A8DCBACFF8E3&displaylang=en Win 2K3 Server Admin Pack]) then the Microsoft KB2661254 issue that raises the minimum RSA key length to 1024 can be alleviated with:
certutil -setreg chain\minRSAPubKeyBitLength 512
and uninstalled with
certutil -delreg chain\MinRsaPubKeyBitLength


For WinXP and others, the registry can be edited to possess the following entry:
[[File:Install proxmox cert 1 internet options.png|450px|center|thumb]]
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDLLCreateCertificateChainEngine\Config\
DWORD (32 bit) : MinRSAPubKeyBitLength
value : 512(decimal)


== References ==
 
* [http://serverfault.com/questions/127376/import-certificate-using-command-line-in-win-xp-home Certificate Import]
The certification import wizard starts, continue to the file import, here browse to the <code>pve-root-ca.pem</code> file which you copied from the Proxmox VE server.
* [http://blog.oracle48.nl/internet-explorer-10-continue-to-this-website-option-missing/ IE 10 Missing Continue Option]
'''Attention:''' you need to select to show "All Files" in the filter to see the Proxmox certificate. Open it and continue in the wizard until completion.
[[File:Install proxmox cert 3 selected cert.png|450px|center|thumb]]
 
A new window pops up asking if you trust the imported certificate, answer it with yes and you're finished.
 
<div style="width: 800px; height: 360px; margin: 0 auto;">
[[File:Install proxmox cert 4 finish.png|x350px]]
[[File:Install proxmox cert 5 trust screen.png|x350px]]
</div>
 
Now Edge, and also Internet Explorer can load the Proxmox VE Web Interface, indifferent whatever cluster you access it without complaints. If you manage different Proxmox VE instances you have to apply these steps also for them, as we generate an unique certificate for browser compatibility.
 
== OS X System ==
On a macOS System launch Safari and enter the address of your Proxmox VE Web Interface, don't forget to begin with " ''http'''s'''://'' ".
 
A message should pop up, informing that the identity from the site couldn't be verified. Click the "Show Certificate" button.
 
[[File:Pve cert mac os display cert file1.png|center|450px]]  
 
Check the "Always trust ''certificate name here'' ..." box and click on "Continue"
 
[[File:Pve cert mac os accept cert file2.png|center|450px]]
 
Now the certificated is white listed, also for other browser (again, Firefox is an exception as it has its own certificate pool) and you should see the Proxmox VE Web Interface.
If not, reenter your address and again, don't forget "''http'''s'''://''"!
 
== Other Browsers ==
 
=== Chrome / IE / Opera ===
 
Opera (tested version 30.0), Chrome (tested version 43) and Internet Explorer uses the system certificate pool but also gives you an option to continue to the interface, even if it is not yet added to the system. Use the steps described above to get rid of security warnings.
 
=== Firefox ===
 
Firefox uses its own build in pool of CA's and gives you the option to add an SSL CA when you load the interface (tested with version 38.0.1).


[[Category: HOWTO]]
[[Category: HOWTO]]

Latest revision as of 16:06, 1 March 2023

Introduction

Some browsers, like the new standard browser Edge in Windows 10, are denying custom SSL certificates, sometimes without an option to add them. As the Proxmox VE generates unique and secure certificates to ensure the integrity of the communication between the web interface and users, this "security feature" raises some issues for Proxmox VE users. Here is a step by step manual to add CA's to your Windows system.

Browsers like Chrome or Opera relies on the Certificate Authority (CA) pool from the System, but give an option to visit the site nonetheless. Adding your Proxmox VE CA with this method gets rid of SSL security warnings permanently.

Windows Systems

Extracting the Certificate

You find your Proxmox SSL certificate on any cluster under /etc/pve/pve-root-ca.pem. Copy it to the Windows machine via USB stick, Dropbox/drive/..., ssh, or your own favorite way.

Installing the Certificate

On the Windows system (tested with win7 and win10) search for "Internet Options" in the start menu or the settings window.


Open it and select the content tab, there click the certificates button. The certificates window opens, there select the "Trusted Root Certification Authorities" Tab and click on import.

Install proxmox cert 1 internet options.png


The certification import wizard starts, continue to the file import, here browse to the pve-root-ca.pem file which you copied from the Proxmox VE server. Attention: you need to select to show "All Files" in the filter to see the Proxmox certificate. Open it and continue in the wizard until completion.

Install proxmox cert 3 selected cert.png

A new window pops up asking if you trust the imported certificate, answer it with yes and you're finished.

Install proxmox cert 4 finish.png Install proxmox cert 5 trust screen.png

Now Edge, and also Internet Explorer can load the Proxmox VE Web Interface, indifferent whatever cluster you access it without complaints. If you manage different Proxmox VE instances you have to apply these steps also for them, as we generate an unique certificate for browser compatibility.

OS X System

On a macOS System launch Safari and enter the address of your Proxmox VE Web Interface, don't forget to begin with " https:// ".

A message should pop up, informing that the identity from the site couldn't be verified. Click the "Show Certificate" button.

Pve cert mac os display cert file1.png

Check the "Always trust certificate name here ..." box and click on "Continue"

Pve cert mac os accept cert file2.png

Now the certificated is white listed, also for other browser (again, Firefox is an exception as it has its own certificate pool) and you should see the Proxmox VE Web Interface. If not, reenter your address and again, don't forget "https://"!

Other Browsers

Chrome / IE / Opera

Opera (tested version 30.0), Chrome (tested version 43) and Internet Explorer uses the system certificate pool but also gives you an option to continue to the interface, even if it is not yet added to the system. Use the steps described above to get rid of security warnings.

Firefox

Firefox uses its own build in pool of CA's and gives you the option to add an SSL CA when you load the interface (tested with version 38.0.1).