How to Stop HTTPS Warnings Forever Using a Private CA and Wildcard Certificate

author
By PS

11 November 2025

Security

Resolve the "HTTPS certificate invalid" warning across all internal websites on Windows PCs and Servers, Linux Desktop and Servers (Redhat CentOS, Suse, Ubuntu, Debian, etc.), NAS Servers, and more on your custom local domain by creating a trusted internal CA and deploying a wildcard SSL certificate.

Objective

To resolve the "HTTPS certificate invalid" warning across all internal websites by creating a trusted internal CA and deploying a wildcard SSL certificate for the mydomain.org domain.

Network Environment:

  • Domain: mydomain.org
  • CA Server: One of your Linux servers (Debian/Ubuntu)
  • Web Servers: Apache on Debian/Ubuntu, IIS on Windows Server
  • Client PCs: Windows 8 and higher
  • Browsers: Google Chrome, Microsoft Edge, Mozilla Firefox

Part 1: Create the Internal CA and Wildcard Certificate

These steps should be performed on one of your Linux servers. It is critical that you keep this server secure and back up the generated key files safely.

Step 1.1: Create the Root Certificate Authority (CA)

This CA will be the root of trust for your entire organization.

  1. Log in to Ubuntu/Debian server via SSH and create a directory to store your CA files:

    bash
    sudo mkdir /etc/ssl/mydomain-ca
cd /etc/ssl/mydomain-ca

  2. Generate the Root CA's Private Key. This command creates a highly secure, password-protected private key. You will be prompted to create a new password. Choose a very strong password, write it down, and store it in a secure location (like a company password manager). You will need this password to sign new certificates.

    bash
    sudo openssl genrsa -aes256 -out mydomain-org-ca.key 4096

  3. Generate the Root CA's Public Certificate. This command creates the public certificate (.crt) file that you will distribute to all client computers. It will be valid for 10 years (3650 days). You will be prompted for information; the most important is the "Common Name".

    bash
    sudo openssl req -x509 -new -nodes -key mydomain-org-ca.key -sha256 -days 3650 -out mydomain-org-ca.crt
    • When prompted, enter the password for the mydomain-org-ca.key file.
    • Fill in the details for your organization (Country, State, etc.).
    • For Common Name (e.g. server FQDN or YOUR name): Enter a descriptive name like Mydomain Org Internal Root CA.

    You now have mydomain-org-ca.key (the secure private key) and mydomain-org-ca.crt (the public certificate).

Step 1.2: Create the Wildcard Certificate for *.mydomain.org

Now we will create the single wildcard certificate that will be used on all your web servers.

  1. Generate the Wildcard Certificate's Private Key. This key does not need a password, as web servers need to be able to read it automatically on restart.

    bash
    sudo openssl genrsa -out mydomain-org-wildcard.key 2048

  2. Create a Certificate Signing Request (CSR). For the Common Name, enter your root domain.

    bash
    sudo openssl req -new -key mydomain-org-wildcard.key -out mydomain-org-wildcard.csr
    • Fill in the details for your organization.
    • For Common Name: Enter mydomain.org.

  3. Create a Configuration File for Subject Alternative Names (SAN). This is a critical step. Modern browsers require the certificate to explicitly list all domains it covers. Create a file named wildcard_v3.ext.

    bash
    sudo nano wildcard_v3.ext

    Paste the following content into the file, then save and exit (Ctrl+X, Y, Enter):

    text
    authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = mydomain.org
DNS.2 = *.mydomain.org

  4. Sign the Wildcard Certificate with Your Root CA. This final command uses your Root CA key to approve the CSR and create the final wildcard certificate, valid for 10 years (3650 days).

    bash
    sudo openssl x509 -req -in mydomain-org-wildcard.csr \
-CA mydomain-org-ca.crt -CAkey mydomain-org-ca.key -CAcreateserial \
-out mydomain-org-wildcard.crt -days 3650 \
-sha256 -extfile wildcard_v3.ext

    You will be prompted to enter the password for your Root CA key (mydomain-org-ca.key).

    You now have the two files you will deploy to your web servers: mydomain-org-wildcard.key and mydomain-org-wildcard.crt.

  5. Generate .pfx for IIS Servers (Windows Server 2008 R2, 2012 R2 and above). IIS requires a single .pfx file that contains both the certificate and the private key.

    bash
    sudo openssl pkcs12 -export -out mydomain-org-wildcard.pfx -inkey mydomain-org-wildcard.key -in mydomain-org-wildcard.crt

    You will be prompted to create and verify an "Export Password". Choose a strong password.

Part 2: Deploy the Wildcard Certificate to Web Servers

Deployment for Apache Servers (Debian & Ubuntu)

  1. Securely copy the certificate and key from your CA server to the Apache server:

    • mydomain-org-wildcard.crt
    • mydomain-org-wildcard.key

  2. Place the files in the appropriate directories on the Apache server:

    bash
    sudo cp mydomain-org-wildcard.crt /etc/ssl/certs/
sudo cp mydomain-org-wildcard.key /etc/ssl/private/

  3. Edit the Apache SSL Virtual Host configuration. Open the site's SSL configuration file (e.g., /etc/apache2/sites-available/default-ssl.conf). Modify it to point to the new wildcard files:

    apache
    <VirtualHost *:80>
        ServerName mydomain.org
        Redirect permanent / https://mydomain.org/
</VirtualHost>

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        ServerName mydomain.org
        # Or ServerName sub1.mydomain.org on the other server

        DocumentRoot /var/www/html
        # ... other configurations ...

        SSLEngine on
        SSLCertificateFile      /etc/ssl/certs/mydomain-org-wildcard.crt
        SSLCertificateKeyFile   /etc/ssl/private/mydomain-org-wildcard.key
    </VirtualHost>
</IfModule>

  4. Enable the SSL module and site, then restart Apache:

    bash
    sudo a2enmod ssl
sudo a2ensite default-ssl.conf
sudo systemctl restart apache2

Installing Root CA on Linux Servers

Important: When your servers need to communicate with each other over HTTPS, they also need to trust your internal CA.

You will need the public Root CA certificate file, mydomain-org-ca.crt, which is located in /etc/ssl/mydomain-ca/ on your Debian CA server. For each server below, you will first need to copy this file to it.

A secure way to do this from another Linux/BSD machine is using scp:

bash
# Run this from the server you want to configure
# Replace 'your_user' and 'your_ca_server_ip'
scp your_user@your_ca_server_ip:/etc/ssl/mydomain-ca/mydomain-org-ca.crt .

For Debian and Ubuntu Servers

This process is identical for both Debian and Ubuntu.

  1. Copy the CA Certificate to the Server: Get the mydomain-org-ca.crt file onto the server (e.g., into your home directory).

  2. Move the Certificate to the System's Trust Directory. The correct location for extra CAs is /usr/local/share/ca-certificates/. You must place the certificate file in this directory with a .crt extension.

    bash
    sudo mv mydomain-org-ca.crt /usr/local/share/ca-certificates/

  3. Update the System's CA Trust Store. This command scans the directory and rebuilds the list of trusted certificates for the entire system.

    bash
    sudo update-ca-certificates

    You should see output indicating that 1 certificate was added.

  4. Verification: You can now test that the server trusts your internal sites using a tool like curl. The -v flag provides verbose output.

    bash
    curl -v https://mydomain.org

    In the output, scroll up to the "SSL/TLS handshake" section. You should see the line: * SSL certificate verify ok. This confirms the server now trusts your internal CA.

Part 3: Deployment for IIS Servers (Windows Server)

IIS requires a single .pfx file that contains both the certificate and the private key.

  1. Copy the .pfx file we generated earlier from CA server. Securely copy the mydomain-org-wildcard.pfx file to your Windows Server desktop.

  2. Import the certificate into IIS:

    • Open Internet Information Services (IIS) Manager.
    • Click on the server's name in the left "Connections" pane.
    • In the center pane, double-click on Server Certificates.
    • In the right "Actions" pane, click Import...
    • Browse to the mydomain-org-wildcard.pfx file.
    • Enter the password you created for the .pfx file.
    • Select "Web Hosting" from the certificate store dropdown.
    • Click OK. The wildcard certificate will now appear in the list.

  3. Bind the certificate to your website:

    • In the left "Connections" pane, expand "Sites" and click on your website (e.g., sub2.mydomain.org).
    • In the right "Actions" pane, click Bindings...
    • Select the existing https binding and click Edit... (or click Add... if none exists).
    • From the "SSL certificate" dropdown menu, choose the *.mydomain.org certificate you just imported.
    • Click OK, then Close.

Make Windows Server Trust Your Own CA

Important: Windows Server machine itself does not yet trust your internal CA. To fix this, you must install your Root CA's public certificate (mydomain-org-ca.crt) into the "Trusted Root Certification Authorities" store on the Windows Server machine.

Step-by-step using Microsoft Management Console (MMC):

  1. Step 1: Copy the Root CA Certificate to the Server. Copy the mydomain-org-ca.crt file from your Debian CA server to the desktop of your Windows Server machine. Important: Do NOT use the .pfx file for this step. You need the public .crt file of the authority.
  2. Step 2: On the Windows Server, press Windows Key + R to open the Run dialog. Type mmc and press Enter. An empty console window will open.

  3. Step 3: Add the Certificates Snap-in:

    • In the MMC window, click on File → Add/Remove Snap-in...
    • In the left pane, select Certificates and click the Add > button.
    • A new window will pop up. It is critical that you select Computer account and click Next. This ensures the certificate is trusted by the entire machine and its services (like IIS), not just your user account.
    • Select Local computer and click Finish.
    • Click OK to close the Add/Remove Snap-ins window.

  4. Step 4: Import Your Root CA Certificate:

    • In the main MMC window, expand Certificates (Local Computer) in the left pane.
    • Expand Trusted Root Certification Authorities.
    • Right-click on the Certificates folder underneath it, then select All Tasks → Import...
    • The Certificate Import Wizard will open. Click Next.
    • Click Browse... and navigate to the desktop to select your mydomain-org-ca.crt file. Click Next.
    • The wizard will automatically have the "Certificate Store" set to Trusted Root Certification Authorities. Leave this as is and click Next.
    • Click Finish. You will see a confirmation that "The import was successful."

  5. Step 5: Restart IIS and Re-bind the Certificate. To ensure IIS recognizes the newly trusted CA, a quick restart is best.

    cmd
    iisreset

    Note: If iisreset command does not work, kindly do it manually using Internet Information Services (IIS) Manager.

Part 4: Distribute Trust to Standalone Windows PCs

Objective: To manually install the internal Root CA certificate (mydomain-org-ca.crt) on each standalone Windows computer so that all browsers trust your internal websites.

Prerequisite: The Root CA public certificate file, mydomain-org-ca.crt, must be accessible from the client PC. You can place it on a shared network drive, email it to the user, or deliver it via a USB drive.

Section A: Install the CA for Chrome, Edge, and Windows

This procedure installs the certificate into the Windows Trusted Root Certificate Store. Google Chrome, Microsoft Edge, and the operating system itself will use this store. You will need administrator rights to perform these steps.

  1. Locate the Certificate File: Navigate to the location where you saved the mydomain-org-ca.crt file.
  2. Start the Import Process: Right-click on the mydomain-org-ca.crt file and select Install Certificate.
  3. Choose the Store Location: The Certificate Import Wizard will open. Select Local Machine and click Next. This ensures the certificate is trusted by all users on this computer. You will be prompted by User Account Control (UAC) to allow the action; click Yes.

  4. Specify the Certificate Store:

    • Select the option Place all certificates in the following store.
    • Click the Browse... button.
    • In the list, select Trusted Root Certification Authorities.
    • Click OK.
  5. Complete the Wizard: The correct store is now selected. Click Next, and then click Finish.
  6. Confirm the Import: A dialog box will appear confirming "The import was successful." Click OK.

Result: Chrome and Edge will now visit all *.mydomain.org websites without any security warnings.

Section B: Install the CA for Mozilla Firefox

Firefox maintains its own separate list of trusted CAs. Therefore, you must import the certificate directly into Firefox in addition to the steps above.

  1. Open Firefox Settings:

    • Open Firefox.
    • Click the menu button (☰) in the top-right corner and select Settings.

  2. Navigate to Certificates:

    • In the left menu, click Privacy & Security.
    • Scroll all the way down to the bottom and click the View Certificates... button.
  3. Import the Certificate: The Certificate Manager window will open. Ensure you are on the Authorities tab. Click the Import... button.
  4. Select the Certificate File: Browse to the location of your mydomain-org-ca.crt file, select it, and click Open.

  5. Set Trust Settings:

    • A dialog box will appear asking what you want to trust this CA for.
    • Check the box for Trust this CA to identify websites.
    • Click OK.
  6. Verify the Import: Your CA (e.g., "Mydomain Org Internal Root CA") will now appear in the list of authorities. Click OK to close the Certificate Manager.

Result: Firefox will now also visit all *.mydomain.org websites without any security warnings.

After completing both Section A and Section B on a computer, the user will have a seamless, warning-free experience on all internal websites.

Bonus Guide

1. How to Install Certificate to TrueNAS and FreeNAS Server

Using the Web GUI (Recommended)

  1. Log in to your TrueNAS web interface.
  2. Navigate to the Certificate Authorities section: In the left-hand menu, go to System → CAs.

  3. Import your CA:

    • Click the Import CA button.
    • Give it a descriptive name, like Mydomain Org Internal Root CA.
    • Use cat command in Linux or notepad for Windows. Paste the contents of your mydomain-org-ca.crt file into the "Certificate" box.
    • Click Save.

That's it. The TrueNAS system will now trust your internal CA for its own operations.

2. How to Install Certificate to Red Hat / CentOS / Fedora Servers

If you ever add a Red Hat-based server to your network, the process is slightly different.

  1. Copy the CA Certificate to the Server.

  2. Move the Certificate to the Trust Anchor Directory:

    bash
    sudo mv mydomain-org-ca.crt /etc/pki/ca-trust/source/anchors/

  3. Update the System's CA Trust Store:

    bash
    sudo update-ca-trust extract

  4. Verification: The same curl command will work to verify the setup.

    bash
    curl -v https://mydomain.org

3. How to Add a Trusted Root CA on SUSE Linux Enterprise Server (SLES)

SUSE uses a specific directory to store trusted CA certificates that should be added to the system-wide trust store.

  1. Copy the certificate to the correct location. The standard directory for new trust anchors is /etc/pki/trust/anchors/.

    bash
    sudo cp mydomain-org-ca.crt /etc/pki/trust/anchors/

  2. (Optional but Recommended) Rename the Certificate. While not strictly required, it's good practice to give it a more descriptive name with a .pem extension, which is common in this directory.

    bash
    sudo mv /etc/pki/trust/anchors/mydomain-org-ca.crt /etc/pki/trust/anchors/Mydomain-Org-Internal-CA.pem

  3. Update the System Trust Store. Now, you must run the command that tells the system to recognize the new certificate and add it to the official trust bundle.

    bash
    sudo update-ca-certificates

    Check the output. You should see a confirmation message, similar to the one on Debian/Ubuntu, indicating that a new certificate has been added.

  4. Verification: You can now verify that the entire operating system trusts your internal CA.

    bash
    curl -v https://mydomain.org

    Examine the output. In the verbose TLS handshake details, you should see the confirmation line:

    bash
    * SSL certificate verify ok.

Conclusion

By following these steps, you ensure that not only do your users' browsers trust your internal sites, but your servers also trust each other, creating a fully secure and functional internal ecosystem. This comprehensive guide covers everything from creating your own Certificate Authority to deploying certificates across various platforms, ensuring a seamless and secure HTTPS experience throughout your organization.

Popular Tags :

SSL CertificateHTTPSCertificate AuthoritySecurity
Share this post :