Safari and Self-Signed Certificates

[haravikk]

Is anyone else experiencing problems using self-signed certificates with Safari on macOS 10.13.4?

I have a NAS on my local network, so am just using a self-signed certificate for nas.local, a network only domain. This has always been fine in the past, as all I have to do is tell macOS to trust the certificate for SSL signing and everything works fine.

However, as of 10.13.4 this no longer works; Safari will ask for a password to update keychain settings, but then gives the same error about the certificate being invalid.

Could this have anything to do with the self-signed certificate having a SHA-1 signature? It also has a SHA-256 signature as well, but I can't figure out how to create one without also having the SHA-1 signature present.

I'd appreciate any workaround that anyone has found; for the time being I'm accessing the device using FireFox, but I'd prefer not to have to.

 

[techwarrior]

Try Firefox or Chrome, download the certificate to your Mac and add it to keychain as trusted.

I have been experiencing a lot of issues with certs. Seems the .local, and any domains you have in your DNS Search domains should be given a little leeway with browser security. At least allow you to override and accept the self signed certificates. While this would not be safe for unknown domains, anything in your search list or accessible with a .local address could arguably be viewed as known hosts and thus less strict handling would seem to be in order.

You could always use your Mac as a CA. Use the Mac to generate certificates for your NAS and anything else you want secure links to. You will have to distribute the CA to anyone else who needs access to your services, but that should be pretty limited. Once the CA is created, certificates issued by your Mac will inherently be trusted. You can even use your Mac to generate S/MIME email certificates for sending secure emails, provided you share your CA and public key with those you will do secure emails with.

https://www.techrepublic.com/blog/a...reate-your-own-ssl-ca-with-the-os-x-keychain/

 

[haravikk]

You could always use your Mac as a CA.

Ah, didn't even think of trying that; as luck has it I already setup my own root CA and intermediate CA for creating easy to renew S/MIME certificates, so I used that to create one for my NAS as well, since the root is already trusted.

For some reason Keychain Access is not at all happy about it (it marks the intermediate CA as valid, but considers everything below that invalid and refuses to evaluate them), but fortunately Safari, Mail, Calendar etc. accept them just fine.

Any ideas why Keychain Access doesn't like them, or should I just ignore that? For some reason when I right click and choose evaluate it just refuses to find the intermediate or root certificate for them, even though the intermediate is clearly identified in the correct fields. openssl verify seems happy with them though.

 

[techwarrior]

Did you import the chain (CA + Intermediate CA)? Or separately?

 

[haravikk]

Importing a combined chain .pem file seemed to only add the intermediate certificate only, I still had to add the root separately, which I then moved to system so that it would be treated properly as a trusted root (having it in login and set to always trust didn't seem to be enough).

Like I say, they seem to validate just fine in Calendar and Safari at least (Mail is still choking on S/MIME/signing certificates from time to time, but then that's just normal behaviour for Mail in my experience). And they validate correctly in openssl, so it seems to just be Keychain Access that's being weird about it for some reason.

I've attached some screenshots showing the Subject Key Identifiers and Authority Key Identifiers; as you can see they trace back correctly, which I believe is what Keychain Access is supposed to follow. It does this for the Intermediate CA certificate, but not for any issued using it, which is odd. Clearly they're valid or they wouldn't work anywhere else, but Keychain Access doesn't seem to want to see it for some reason.