Self-signed certificate on local network - works with Chrome, iPhone and Android


#1

I installed Bitwarden on my local network Linux server, without a FQDN, so I had to use my IP address (192.168.178.55).
I did not want the server to be available on the internet for security reasons. If I need to write new entries in Bitwarden, I simply connect with VPN.

I tried for many hours to get a self-signed SSL certificate working that is accepted by Chrome, iPhone, Android and the desktop app (which is based on Chromium).

Luckily I found the solution.

You have to create a root CA certificate and import that file into Chrome, iPhone and Android.
For the Bitwarden server you use a self-signed certificate, which is signed by your own root cert.

Here is what I’ve done:

Create CA key and cert

# The CA key stays offline; only server_rootCA.pem is ever copied to clients.
openssl genrsa -out server_rootCA.key 2048
# Prompts interactively for the CA subject; -nodes leaves the key unencrypted on disk.
openssl req -x509 -new -nodes -key server_rootCA.key -sha256 -days 3650 -out server_rootCA.pem

Create server_rootCA.csr.cnf

# Subject for the server CSR (prompt = no: values below are taken literally, so do not
# use "." as an "empty" marker; it would end up in the DN).
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=DE
ST=Bavaria
L=Munich
O=MyStreet
OU=local_RootCA
CN = 192.168.178.55

Create v3.ext configuration file

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# Added: iOS 13+ and macOS 10.15+ refuse TLS server certificates that lack the serverAuth EKU.
extendedKeyUsage = serverAuth
# Chrome (58+) and iOS ignore the CN and match the host against the SAN only, so the IP must be listed here.
subjectAltName = @alt_names

[alt_names]
IP = 192.168.178.55

Create server key

# -config takes a plain path; the process substitution <( cat ... ) adds nothing and is not POSIX sh.
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server_rootCA.csr.cnf

Create server cert

# Note: iOS 13+ and macOS 10.15+ reject TLS server certificates valid for more than 825 days; use -days 825 for those clients.
openssl x509 -req -in server.csr -CA server_rootCA.pem -CAkey server_rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile v3.ext

Rename server.key to private.key
Rename server.crt to certificate.crt
Copy the two files to ./bwdata/ssl/192.168.178.55
Restart the Bitwarden server

Add the cert to Chrome
Chromium -> Settings -> (Advanced) Manage Certificates -> Import -> 'server_rootCA.pem' and restart Chrome.

iPhone
Add the cert to the iPhone by email, open it and press the install button.
Open Settings. Select Certificate Trust Settings. Enable full trust for root certificates. Users can toggle trust on/off for each root.

Android
Add the cert to Android by email, open it and install it.

That’s all, have fun.
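
The whole procedure from the post above as one POSIX shell script, added here as an example (it is not the poster's commands or Bitwarden's own tooling): a private root CA, a leaf certificate for either a bare IP or a DNS name, and an offline check that the leaf chains to the root and matches that exact host, which is the same test a browser performs. It goes beyond the post in two ways current clients insist on: the leaf carries the serverAuth extended key usage and is valid for at most 825 days (iOS 13+ and macOS 10.15+ reject longer server certificates). The output directory, the subject names and the 192.168.178.55 address are assumptions; client-side import is unchanged from the steps above.

```shell
#!/bin/sh
# Added example: private root CA plus a server certificate for a bare IP or DNS name.
# Not the poster's commands or Bitwarden tooling; the directory, subject names and
# the 192.168.178.55 address are assumptions.
set -eu

CA_DAYS=3650
LEAF_DAYS=825   # iOS 13+ / macOS 10.15+ reject TLS server certs valid longer than 825 days

# Classify the host: anything that is not only digits and dots is treated as a DNS name.
san_for() {
  case $1 in
    *[!0-9.]*) printf 'DNS:%s' "$1" ;;
    *)         printf 'IP:%s' "$1" ;;
  esac
}

# Root CA: keep rootCA.key offline; only rootCA.pem is imported on clients.
make_root_ca() {   # $1 = output dir
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/rootCA.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = DE
O = Home Lab
CN = Home Lab Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -nodes -newkey rsa:4096 -sha256 -days "$CA_DAYS" \
    -config "$dir/rootCA.cnf" -keyout "$dir/rootCA.key" -out "$dir/rootCA.pem"
}

# Leaf: Chrome and iOS ignore the CN and match the host against subjectAltName only;
# the serverAuth EKU is mandatory on iOS 13+. Extensions are applied at signing time
# (-extfile/-extensions), so the CSR itself carries none.
make_server_cert() {   # $1 = output dir, $2 = IP or DNS name
  dir=$1; host=$2
  cat > "$dir/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $host
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $(san_for "$host")
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
  openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$dir/server.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.csr"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
    -CAcreateserial -days "$LEAF_DAYS" -sha256 \
    -extfile "$dir/server.cnf" -extensions v3_leaf -out "$dir/server.crt"
}

# Chain plus name check: exit 0 only if the leaf chains to rootCA.pem AND matches the host.
verify_chain() {   # $1 = output dir, $2 = IP or DNS name
  dir=$1; host=$2
  case $host in
    *[!0-9.]*) openssl verify -CAfile "$dir/rootCA.pem" -verify_hostname "$host" "$dir/server.crt" ;;
    *)         openssl verify -CAfile "$dir/rootCA.pem" -verify_ip "$host" "$dir/server.crt" ;;
  esac
}

# True if the leaf carries the serverAuth EKU (printed as "TLS Web Server Authentication").
leaf_has_server_auth() {   # $1 = output dir
  openssl x509 -in "$1/server.crt" -noout -text | grep -q 'TLS Web Server Authentication'
}

main() {
  out=${1:-./pki}; host=${2:-192.168.178.55}
  make_root_ca "$out"
  make_server_cert "$out" "$host"
  verify_chain "$out" "$host"
  echo "Bitwarden: copy $out/server.key to bwdata/ssl/$host/private.key and $out/server.crt to certificate.crt;"
  echo "import $out/rootCA.pem (never rootCA.key) as a trusted root on each client."
}

# Runs only when invoked with arguments, e.g.: sh make-ca.sh ./pki 192.168.178.55
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh make-ca.sh ./pki 192.168.178.55` (or with a DNS name instead of the IP). The verify step is worth keeping in the loop: if `openssl verify -verify_ip` fails here, the browser will fail for the same reason, and a certificate issued for the wrong IP or without the SAN is caught before it is copied into bwdata/ssl.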


#2

Hi. I was looking for the correct way to create a self-signed cert that would work in Chrome (Mac), iOS, and Android, and thought this was it! However, the instructions didn’t work for either iOS or Android, at least for me. The iOS install required both the server.crt and the server_rootCA.pem for both Profiles to show as “Verified” in green, but there was no option under Settings / About to turn it on. For Android, I wasn’t sure which cert to install, so I tried them both one-at-a-time and together. They both appeared under “User credentials”, but neither appeared under “Trusted Credentials / User” in Settings which is needed for networkSecurityConfig to work. Any ideas?


#3

Hi, for iOS you only need “server_rootCA.pem”. You have to enable full trust in “Certificate Trust Settings” in iOS settings. That’s all.