# Trust TLS CA certificate in private network
Comonway services use OpenSSL to generate certificates for the Traefik HTTP/TCP reverse proxy on the private network.
A system can be configured to trust all certificates from a certificate authority (CA) by installing that CA's SSL certificate as a trusted root certificate authority. That way, Chrome and Firefox will never prompt again about accessing any site with a certificate from that CA.
# Obtain your CA certificate
- First, get a copy of the SSL certificate from your CA in DER format. If the CA runs on Windows, follow the steps below. (If not, research the details for your particular operating system.)
- Go to Control Panel and open the Administrative Tools folder
- Double-click Certification Authority
- Click View Certificate
- Click Copy To File, then click Next
- Leave DER Encoded Binary X.509 (.CER) checked and click Next
- Specify the filename (`c:\CA_certificate.cer`, for instance) and click Next, then click Finish.
The certificate will be saved to the specified location.
# Adding the CA certificates as a trusted root authority to Chrome
If Active Directory is used, use Group Policy so all systems in the organization will trust certificates from the CA. Chrome will trust the certificate if deployed in this manner.
# Utilizing Group Policy to configure Windows systems to trust your CA
- Copy the certificate to the domain controller
- Go to the Control Panel and open Administrative Tools
- Open Group Policy Management
- Right-click the domain and choose Create A GPO In This Domain And Link It Here
- Provide a name for the Group Policy Object, such as CA Certificate, and click OK
- Right-click the new GPO and click Edit
- Expand Policies
- Expand Windows Settings
- Expand Security Settings
- Expand Public Key Policies
- Right-click Trusted Root Certification Authorities and choose Import
- Click Next
- Click Browse, then browse to and select the CA certificate you copied to this computer
- Click Next, click Finish, then click OK
The certificate is shown in the right-hand field.
If the organization is not running Active Directory, Group Policy is not available, but the CA certificate can be added manually on each host so that it trusts the related SSL certificates.
Note that Chrome accepts the certificate, but it's advisable to add it in Windows itself, since that will cover other apps that might connect to the website.
# Manually configuring a Windows system to trust your CA
- Copy the CA certificate on each client machine
- Open a Command Prompt and run Certificate Manager with the following command: `certmgr.msc`
- In the left-hand frame, expand Trusted Root Certificates, then right-click on Certificates and select All Tasks > Import
- In the Certificate Import Wizard, click Next
- Click Next, then click Browse, then browse to and select the CA certificate you copied to this computer
- For Place All Certificates In The Following Store, select Trusted Root Certification Authorities
- Click Next, then click Finish
- Click Yes to any final prompt
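
The manual import above, scripted as an added example (not part of the original page): before importing, it compares the file with a SHA-256 fingerprint obtained out of band from the CA administrator and checks that the file really is a CA certificate, because anything placed in Trusted Root Certification Authorities is trusted for every site. The function name `Install-VerifiedRootCA` and its parameters are hypothetical; the fingerprint in the usage line is a placeholder.

```powershell
# Added example: verify a CA certificate, then trust it machine-wide.
# Run from an elevated PowerShell prompt (LocalMachine\Root needs admin rights).
function Install-VerifiedRootCA {
    param(
        [Parameter(Mandatory)] [string] $Path,            # e.g. C:\CA_certificate.cer
        [Parameter(Mandatory)] [string] $ExpectedSha256   # fingerprint received out of band
    )
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        (Resolve-Path -LiteralPath $Path).ProviderPath)

    # 1. The SHA-256 fingerprint of the DER bytes must match the out-of-band value.
    $sha      = [System.Security.Cryptography.SHA256]::Create()
    $actual   = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
    $expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($actual -ne $expected) {
        throw "Fingerprint mismatch: file has $actual, expected $expected"
    }

    # 2. It must carry basicConstraints CA:TRUE; a leaf certificate does not belong in Root.
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw "Not a CA certificate: basicConstraints CA flag is missing"
    }
    # Self-issued check (subject equals issuer) and validity window.
    if ($cert.Subject -ne $cert.Issuer) { throw "Not a root: issued by $($cert.Issuer)" }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # 3. Import into the machine-wide Trusted Root Certification Authorities store.
    Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

    # 4. Confirm the certificate is now present in the store.
    $installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint
    if (-not $installed) { throw "Certificate was not found in the Root store after import" }
    $installed | Select-Object Subject, Thumbprint, NotAfter
}

# Usage (replace the placeholder with the real fingerprint):
# Install-VerifiedRootCA -Path 'C:\CA_certificate.cer' -ExpectedSha256 '<SHA-256 fingerprint from your CA administrator>'
```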
# Adding the CA certificates as a Trusted Root Authority to Firefox
Unfortunately, Firefox does not trust the CA certificates that Windows does by default, so the instructions in the section above will take effect in Firefox only after this setting is changed:
- In Firefox, type about:config in the address bar
- If prompted, accept any warnings
- Scroll down to the `security.enterprise_roots.enabled` entry, which should be set to False
- Double-click the value to change it to True
- Firefox should enact the setting immediately
If Active Directory/Group Policy isn't used, Firefox can be configured manually to trust your CA.
# Manually configuring Firefox to trust CA
- Copy the Root CA certificate on each client machine
- In Firefox, click on Options.
- Go to the security section
- Click on View Certificates, then select Authorities
- Click Import, then browse to the CA file and select it
- Check off all Trust This CA options, then click OK.
Firefox should now trust the certificate authority and stop providing security warnings.