Self-signed certificate on local network - works with Chrome, iPhone and Android

I installed Bitwarden on my local network Linux server, without an FQDN, so I had to use my IP address (192.168.178.55).
I did not want the server to be available on the internet for security reasons. If I need to write new entries in Bitwarden, I simply connect with VPN.

I tried for many hours to get a self-signed SSL certificate working that is accepted by Chrome, iPhone, Android and the Desktop App (which is based on Chromium).

Luckily I found the solution.

You have to create a root CA certificate and import that file into Chrome, iPhone and Android.
For the Bitwarden server you use a certificate which is signed by your own root cert.

Here is what I’ve done:

Create CA key and cert

openssl genrsa -out server_rootCA.key 2048
openssl req -x509 -new -nodes -key server_rootCA.key -sha256 -days 3650 -out server_rootCA.pem

Create server_rootCA.csr.cnf (this is the config for the server CSR; with prompt = no every value is used literally, so do not put a placeholder like "." into emailAddress, just leave the field out)

[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=DE
ST=Bavaria
L=Munich
O=MyStreet
OU=local_RootCA
CN = 192.168.178.55

Create v3.ext configuration file

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# Apple requires the serverAuth EKU on TLS server certificates
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP = 192.168.178.55

Create server key and CSR

openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server_rootCA.csr.cnf

Create server cert

# 825 days: current iOS/macOS reject TLS server certificates that are valid for longer
openssl x509 -req -in server.csr -CA server_rootCA.pem -CAkey server_rootCA.key -CAcreateserial -out server.crt -days 825 -sha256 -extfile v3.ext

Rename server.key to private.key
Rename server.crt to certificate.crt
Copy the 2 files to ./bwdata/ssl/192.168.178.55
Restart the Bitwarden server

Add cert to Chrome
Chromium → Settings → (Advanced) Manage Certificates → Import → ‘server_rootCA.pem’ and restart Chrome.

iPhone
Add the cert to the iPhone by email, open it and press the install button.
Open Settings. Select Certificate Trust Settings. Enable full trust for root certificates. Users can toggle trust on/off for each root.

Android
Add the cert to the iPhone by email, open it and install it

That’s all, have fun.
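The whole procedure from the post above as one script, added here as an example and not part of the original post: it builds the private root CA with explicit CA:TRUE and keyCertSign so it can be installed as a trust anchor, issues the server certificate with the extensions today's clients actually check (an IP subjectAltName, since Chrome ignores the CN; extendedKeyUsage serverAuth, which Apple requires on TLS server certificates; CA:FALSE) and with 825 days validity, the longest iOS 13 / macOS 10.15 and later accept for a TLS server leaf, and then verifies the result with openssl instead of finding out in the app. Assumptions of mine: OpenSSL 1.1.1 or newer on PATH, the IP 192.168.178.55 from the post, and an output directory ./localca; the file names match the post, so the copy step into ./bwdata/ssl/192.168.178.55 is unchanged.

```shell
#!/bin/sh
# Added example (not from the original post): private root CA plus an
# IP-SAN server certificate that current Chrome, iOS/macOS and Android
# accept, followed by a verification step.
# Assumed: openssl 1.1.1+ on PATH, IP 192.168.178.55, output in ./localca.
set -eu

# Build a private root CA and a server certificate for $ip signed by it.
make_local_ca_and_server_cert() {
    ip="$1"
    out="$2"
    mkdir -p "$out"

    # Root CA: explicit CA:TRUE and keyCertSign so iOS/Android treat it as a
    # trust anchor. The root's own lifetime is not subject to the 825-day rule.
    cat > "$out/ca.cnf" <<'EOF'
[req]
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = ca_ext

[dn]
C = DE
ST = Bavaria
L = Munich
O = MyStreet
OU = local_RootCA
CN = local_RootCA

[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$out/server_rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha256 -days 3650 \
        -key "$out/server_rootCA.key" -config "$out/ca.cnf" \
        -out "$out/server_rootCA.pem"

    # Server CSR: the CN is informational only; clients match on the SAN.
    cat > "$out/server.cnf" <<EOF
[req]
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C = DE
ST = Bavaria
L = Munich
O = MyStreet
CN = $ip
EOF
    openssl req -new -nodes -sha256 -newkey rsa:2048 \
        -keyout "$out/server.key" -config "$out/server.cnf" \
        -out "$out/server.csr" 2>/dev/null

    # Leaf extensions: IP SAN (Chrome ignores the CN), serverAuth EKU
    # (required by Apple for TLS server certs), no CA bit.
    cat > "$out/v3.ext" <<EOF
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
EOF
    # 825 days is the longest leaf validity iOS 13+ / macOS 10.15+ accept.
    openssl x509 -req -sha256 -days 825 -in "$out/server.csr" \
        -CA "$out/server_rootCA.pem" -CAkey "$out/server_rootCA.key" \
        -CAcreateserial -extfile "$out/v3.ext" -out "$out/server.crt" 2>/dev/null
}

# Return 0 only if server.crt chains to the root and carries what the
# clients look for: the IP SAN, the serverAuth EKU, validity <= 825 days.
check_server_cert() {
    ip="$1"
    out="$2"
    openssl verify -CAfile "$out/server_rootCA.pem" "$out/server.crt" >/dev/null || return 1
    text=$(openssl x509 -in "$out/server.crt" -noout -text)
    printf '%s\n' "$text" | grep -q "IP Address:$ip" || return 1
    printf '%s\n' "$text" | grep -q "TLS Web Server Authentication" || return 1
    # -checkend exits 0 if the cert is still valid N seconds from now; a cert
    # still valid 826 days from now is longer-lived than Apple allows.
    if openssl x509 -in "$out/server.crt" -noout -checkend $((826 * 86400)) >/dev/null; then
        return 1
    fi
    return 0
}

make_local_ca_and_server_cert 192.168.178.55 ./localca
check_server_cert 192.168.178.55 ./localca \
    && echo "server.crt OK: install localca/server_rootCA.pem on the clients"
```

After it prints OK, install localca/server_rootCA.pem on the clients as described in the post and copy server.key and server.crt to ./bwdata/ssl/192.168.178.55 as private.key and certificate.crt. check_server_cert deliberately fails a leaf generated with -days 3650: the root being installed and "Verified" does not help when the server certificate itself violates the client's validity limit.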

Hi. I was looking for the correct way to create a self-signed cert that would work in Chrome (Mac), iOS, and Android, and thought this was it! However, the instructions didn’t work for either iOS or Android, at least for me. The iOS install required both the server.crt and the server_rootCA.pem for both Profiles to show as “Verified” in green, but there was no option under Settings / About to turn it on. For Android, I wasn’t sure which cert to install, so I tried them both one-at-a-time and together. They both appeared under “User credentials”, but neither appeared under “Trusted Credentials / User” in Settings which is needed for networkSecurityConfig to work. Any ideas?

Hi, for iOS you only need “server_rootCA.pem”. You have to enable full trust in “Certificate Trust Settings” in iOS settings. That’s all.

Hi Guys,

I found this explanation after my request on the forum, sorry for that.
Anyway, I did all the stuff, I also installed the server_rootCA.pem on my iPad, I can see "verified" on it when checking in the profile, but it is still impossible to connect with the Bitwarden application. The credentials are good, I checked a hundred times.
Is there something else to do? I'm stuck close to the end.
Thank you for your support
Thierry

Try changing -days 3650 to -days 365 and generate a new cert. iOS changed its certificate policy, I think the max is now 2 years.

This is a standard for SSL, not anything with Apple specifically.

An alternative approach is to deploy Let's Encrypt on the server to automate renewals and use a legitimate domain. If you use the DNS challenge, you can use domains that point to an IP in the private RFC 1918 space without issue.

I suggest this primarily because now you are not relying on installing root CAs on client devices to get around it, and it’s free to use. Just need a domain and patience to set it up. Better in the long run, less to maintain (meaning you won’t need to renew it and root CAs on client devices in the future if it’s fully automated properly).

I can confirm that this tutorial is still working with the latest versions of Bitwarden server and application. Thank you very much for that solution!

Please note the following:

openssl req -x509 -new -nodes -key server_rootCA.key -sha256 -days 3650 -out server_rootCA.pem
  • the days parameter should be 365 (not 3650) days maximum, otherwise Chrome won't accept it
openssl x509 -req -in server.csr -CA server_rootCA.pem -CAkey server_rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile v3.ext
  • it has to be "-x509" here (the minus sign is missing) and "req" without minus
  • days should again be 365 maximum

Make sure to edit your Bitwarden configuration file to point to the new certificates and keep in mind that the paths mentioned in this file are mapped into the docker-containers.

Thanks for posting a potential solution to a really annoying problem. Just wanted to share that I didn't get it to work using the steps posted. The certificates were generated without issues (with the exception that one of the commands required root privileges - sudo was not enough), but in the end I got the same error message as always in the app.

In case somebody runs into the same issue: I eventually ended up generating a Let's Encrypt certificate (as also suggested above; for those afraid to use certbot, many web hosters will let you download Let's Encrypt certificates generated for a subdomain) and redirected the domain locally using Pi-hole.

I still think Bitwarden could make this somewhat more accessible, but maybe there are reasons not to that I fail to understand.