Hey community,
I’d like to use a TP600 as a web panel, in order to display a custom web page, running on a web server on a private network. A PKI is deployed, and I’d like to allow the web page, and thus install the CA certificate on the web server.
There is a way to globally disable the certificate validation in the WBM (browser security = low), but I’d like to be more specific.
I’ve tried to add the CA certificate in the /etc/ssl/certs/ca-certificates.crt file without success.
I’ve tried to play with /etc/config-tools/config_browsersecurity but not successful either.
I still get a warning saying that the certificate could not be trusted.
If you have any idea how to do that… Thanks
Hello community,
Here you’ll find how to install a CA cert in the TP600/WP400 web browser.
In a Linux environment, Chromium uses NSS Shared DB for certificate management.
https://chromium.googlesource.com/chromium/src/+/master/docs/linux/cert_management.md
The certutil tool from the libnss3-tools package must be used to manage certificates. The problem is that this utility is not natively installed in our firmware.
Therefore, I created a Docker application that integrates this tool. Docker activation will be necessary just to install the certificate.
-
Activate Docker (via WBM or using the command below)
/etc/config-tools/config_docker activate
-
Transfer the Root CA certificate (PEM format, .crt extension) to the screen’s file system, via SFTP for example.
Place it in /etc/certificates/RootCA.crt for the example.
-
Install the certificate in the NSS database.
A Docker image that I created and published on Docker Hub (quenorha/nsstools) will be downloaded and executed to use certutil. I will provide the corresponding Dockerfile after this procedure so you can create your own image.
docker run --rm -it -v /etc/certificates/RootCA.crt:/etc/certificates/RootCA.crt -v /root/.pki/nssdb:/root/.pki/nssdb quenorha/nsstools certutil -A -n "RootCA" -t "TC,," -d sql:/root/.pki/nssdb -i /etc/certificates/RootCA.crt
-
Verify the certificate installation
docker run --rm -it -v /root/.pki/nssdb:/root/.pki/nssdb quenorha/nsstools certutil -L -d /root/.pki/nssdb
Expected result:
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
RootCA CT,,
-
Connect with the browser.
Proceed as usual. There should be no warning upon connection, even in “High” Browser Security mode.
-
Deactivate Docker (via WBM or using the command below)
/etc/config-tools/config_docker remove
Dockerfile to create your own Docker image containing NSS tools:
FROM alpine:latest
RUN apk add --no-cache nss-tools bash
Notes for a “realistic” mass deployment:
The Root CA certificate is likely the same for all screens.
The certificate database is contained in /root/.pki.
Once the certificate is installed, a simple copy of this directory can allow deployment to other TP600/WP400.
We can also imagine carrying out the operation on one screen, then making a copy of the image that will serve as the base for the others.
Alternatively, using scripts to automate this process is feasible, especially in the case of subsequent updates (or revocation) of the certificate.
1 Like
