[ previous ] [ next ] [ threads ]
 
 From:  "Michael A. Alderete" <lists dash 2003 at alderete dot com>
 To:  "Adam Nellemann" <adam at nellemann dot nu>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] SSL keys?
 Date:  Tue, 27 Jan 2004 20:45:52 -0800
>I would like to use the https feature of the m0n0wall GUI (and later on
>possibly IPSec as well).
>
>Do I need to enter something in the Advanced/webGUI SSL certificate/key
>boxes in order to be able to access the webGUI after enabling https?

No, it will Just Work. However, you will get a message from your browser
saying that the identity of the web site could not be verified, because the
web site's certificate was signed by an unknown certifying authority. I.e.,
maybe someone is spoofing the web site.

I haven't figured out how to make this go away.


>How might I go around making a set of keys for this and/or for IPSec?
>
>I don't have any *nix box available, so I'd either need a win32
>key-generator program (couldn't find any win32 binaries for OpenSSL at
>its site, also it seemed like I'd need to have a webserver running to
>use this, which I'd prefer to avoid.)

Details about this can be found in the archive (I searched for
"certificate", this was the top answer):

<http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=5&actionargs[]=49>

>From: Manuel Kasper
>Subject: Update: SSL, IPsec tunnels
>Date: Tue, 9 Sep 2003 21:51:36 +0200 (CEST)
>
>A new pre-release image is out:
>
>[...]
>
>- replaced thttpd by mini_httpd --> HTTPS support! Mode can be selected on
>the System: General setup page, and a custom certificate/private key can
>be submitted on the Diagnostics: Advanced page.
>
>[...]
>
>To generate a custom certificate:
>
>openssl req -new -nodes > cert.csr
>openssl x509 -in cert.csr -out cert.pem -req -signkey privkey.pem -days 365
>
>The certificate can then be found in cert.pem and the private key in
>privkey.pem. cert.csr is not needed anymore.

You then copy / paste these two files into the appropriate form fields of
the Advanced configuration pane of the m0n0wall webGUI. Save, and then
reboot.

Again, doing this won't make your web browser's "identify" problem go away
(at least, it didn't on my system). So, I'm not sure what the value of
going through the exercise is. Perhaps someone more of a crypto expert can
help there...

HTH.

Michael
-- 

_____________________________________________________________
Michael A. Alderete           <mailto:lists dash 2003 at alderete dot com>
                                     <http://www.alderete.com>