andybalholm / redwood

Web content filter that runs as an HTTP proxy
BSD 2-Clause "Simplified" License

The right way to test if the certificate is installed on the client device. #69

Open elico opened 3 years ago

elico commented 3 years ago

I created a test page a very long time ago to test if the certificate is installed on the client browser/PC/device. A production setup is at: https://cert.rimon.net.il/

The sources are at: https://github.com/elico/ca-cert-test-page

The basic concept is to have a wildcard subdomain for testing and direct all traffic towards this specific host. The JavaScript generates random domain names on each page load, so the root CA certificate gets tested.

I want to be able to do the same thing with RedWood. The basic issue is that RedWood needs to generate a certificate with a wildcard SAN for a specific domain and its wildcard subdomains.

I was thinking about defining a domain in the RedWood conf that will be used for this testing. From the RedWood side, it needs to know that for a specific domain and its subdomains it will use a specific certificate, instead of trying to check what the certificate is.

The other option is to generate the certificate and install it on port 443 of RedWood locally.

andybalholm commented 3 years ago

I don't see any reason why this test page needs to be served by Redwood. It might as well be a separate process serving port 443. (Unless I'm missing something.)

elico commented 3 years ago

@andybalholm There is no real reason for it to be served from RedWood. The issue is the wildcard certificate issuing. I will try to see how to do it in the next hour via a simple bash script. The main issue is the serial number of the certificate.

elico commented 3 years ago

@andybalholm I came up with the next script: https://gist.github.com/elico/c319cadb7c5181468e3d9824520e5916 (EDIT: Fixed the script, tested and working now.)

It creates a certificate for a domain and its wildcard subdomain. The main thing to consider is that the actual web server should have a valid certificate and only the subdomain should have a certificate signed by the RedWood Root CA.
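The certificate described in this thread (one leaf for a test domain plus its `*.` wildcard, signed by the filter's root CA, with a fresh random serial so a regenerated certificate is never rejected as a duplicate) can be produced with Go's standard `crypto/x509`, which is what Redwood itself is written in. The block below is an added example written for this page; it is not elico's gist and not Redwood's own code. The domain `cert.example.test` and the CA name are placeholders, and the self-signed root generated here stands in for the real Redwood root CA. It also reproduces the test page's check: a random label under the test domain verifies only when that root is in the trust store, and the wildcard does not match a host two labels deep.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// randomSerial draws a 128-bit random serial. Two certificates from the same
// issuer with the same serial are rejected by browsers, so a regenerated test
// certificate must never reuse a serial; random beats a counter kept on disk.
func randomSerial() (*big.Int, error) {
	limit := new(big.Int).Lsh(big.NewInt(1), 128)
	return rand.Int(rand.Reader, limit)
}

// newRootCA builds a self-signed CA. It stands in for the Redwood root CA
// that is installed on client devices (placeholder name, assumption).
func newRootCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "Example Filter Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newWildcardLeaf issues a server certificate whose SANs are the domain and
// its single-level wildcard, signed by ca. Hostname matching uses the SANs
// only; the CommonName is ignored by modern clients and Go's verifier.
func newWildcardLeaf(domain string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain, "*." + domain},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// randomSubdomain mirrors the test page's JavaScript: a fresh random label
// under the test domain on every load, so no cached per-host decision can
// satisfy the check and the root CA is exercised each time.
func randomSubdomain(domain string) (string, error) {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return fmt.Sprintf("%x.%s", b, domain), nil
}

// trusted reports whether leaf chains to one of roots for hostname, i.e.
// whether a client with exactly those roots installed would accept the host.
func trusted(leaf *x509.Certificate, roots *x509.CertPool, hostname string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   hostname,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

func main() {
	ca, caKey, err := newRootCA()
	if err != nil {
		panic(err)
	}
	leaf, _, err := newWildcardLeaf("cert.example.test", ca, caKey)
	if err != nil {
		panic(err)
	}
	host, _ := randomSubdomain("cert.example.test")
	withCA := x509.NewCertPool()
	withCA.AddCert(ca)
	fmt.Println("SANs:", leaf.DNSNames)
	fmt.Println(host, "with CA installed:", trusted(leaf, withCA, host))
	fmt.Println(host, "without CA:", trusted(leaf, x509.NewCertPool(), host))
}
```

Passing an empty, non-nil `x509.NewCertPool()` forces failure when the CA is absent; a nil `Roots` would fall back to the system store, which is exactly the behaviour of a client that has not installed the filter's CA and is therefore the condition the test page is meant to detect.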