Self Signed Certificate on local network - works with Chrome, Iphone and Android

I installed bitwarden on my local network linux server, without a FQDN, so i had to use my ip adress (192.168.178.55).
I did not want the server to be availabe in internet for security reasons. If i need to write new entrys in bitwarden, i simple connect with VPN.

I tried many hours to get a self signed ssl certificate working that is accepted for Chrome, Iphone, Android and the Desktop App (which is based on Chromium).

Luckly i found the solution.

You have to create a rootCA certifate and import that file to Chrome, Iphone and Android.
For the bitwarden server you use a self signed certifcate, which is signed by your own root cert.

Here is what I’ve done:

Create CA key and cert

openssl genrsa -out server_rootCA.key 2048
openssl req -x509 -new -nodes -key server_rootCA.key -sha256 -days 3650 -out server_rootCA.pem

Create server_rootCA.csr.cnf

[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=DE
ST=Bavaria
L=Munich
O=MyStreet
OU=local_RootCA
emailAddress=.
CN = 192.168.178.55

Create v3.ext configuration file

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
IP = 192.168.178.55

Create server key

openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config <( cat server_rootCA.csr.cnf )

Create server cert

openssl x509 -req -in server.csr -CA server_rootCA.pem -CAkey server_rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile v3.ext

Rename server.key to private.key
Rename server.crt to certificate.crt
Copy the 2 files to ./bwdata/ssl/192.168.178.55
restart bitwarden server

Add cert to the chrome
Chromium -> Setting -> (Advanced) Manage Certificates -> Import -> ‘server_rootCA.pem’ and restart Chrome.

Iphone
Add cert to iphone by email, open it and press the install button.
Open Settings. Select Certificate Trust Settings. Enable full trust For Root Certificates. Users can toggle on/off trust for each root.

Android
Add cert to iphone by email, open it and install it

That’s all, have fun.

Hi. I was looking for the correct way to create a self-signed cert that would work in Chrome (Mac), iOS, and Android, and thought this was it! However, the instructions didn’t work for either iOS or Android, at least for me. The iOS install required both the server.crt and the server_rootCA.pem for both Profiles to show as “Verified” in green, but there was no option under Settings / About to turn it on. For Android, I wasn’t sure which cert to install, so I tried them both one-at-a-time and together. They both appeared under “User credentials”, but neither appeared under “Trusted Credentials / User” in Settings which is needed for networkSecurityConfig to work. Any ideas?

Hi, for iOS you only need “server_rootCA.pem”. You have to enable full trust in “Certificate Trust Settings” in iOS settings. That’s all.

Hi Guys,

I found these explanation after my request on the forum, sorry for that.
Anyway, I did all the stuff, I also installed on my iPAD the server_rootCA.pem, I can see verified on it when checking in profil, anyway impossible to connect with the Bitwarden application. Credentials are good, I checked hundred times.
Is there something to do ? I’m stuck close to the end.
Thank you for support
Thierry

Try to change -days 3650 to -days 365and generate a new cert. IOS changed the policy of certs, i think max is now 2 years.

This is a standard for SSL, not anything with Apple specifically.

An alternative approach is to deploy LetsEncrypt on the server to automate renewals and use a legitimate domain. If you use the DNS challenge, you can use domains that point to an IP in the private RFC1918 space without issue.

I suggest this primarily because now you are not relying on installing root CAs on client devices to get around it, and it’s free to use. Just need a domain and patience to set it up. Better in the long run, less to maintain (meaning you won’t need to renew it and root CAs on client devices in the future if it’s fully automated properly).

I can confirm that this tutorial is still working with the latest versions of Bitwarden server and application. Thank you very much for that solution!

Please note the following:

openssl req -x509 -new -nodes -key server_rootCA.key -sha256 -days 3650 -out server_rootCA.pem
  • the days parameter should be 365 (not 3650) days maximum, otherwise chrome won’t accept it
openssl x509 -req -in server.csr -CA server_rootCA.pem -CAkey server_rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile v3.ext
  • it has to be “-x509” here (minus-sign is missind) and “req” without minus
  • days should again be 365 maximum

Make sure to edit your Bitwarden configuration file to point to the new certificates and keep in mind that the paths mentioned in this file are mapped into the docker-containers.