I want to set up a CA for my local network. The root certificate should be installed on various devices (iPhone, Windows PC, MacBook). With a server certificate I want to secure the traffic between browser and web server (nginx 1.17 on Debian 10.1 as reverse proxy).
I created the root certificate with the following commands:
```bash
# key
openssl genrsa -des3 -out rootCA.key 4096
# root-certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
```
Then I created a CSR for a specific server:
```bash
# key
openssl genrsa -out myserver.local.key 2048
# csr
openssl req -new -key myserver.local.key -out myserver.local.csr
```
Finally I created the server certificate with the root key:
```bash
openssl x509 -req -in myserver.local.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out myserver.local.crt -days 500 -sha256
```
In the configuration for the nginx webserver I have added the following entries:
```nginx
listen 443 ssl;
server_name myserver.local;
ssl_certificate /etc/nginx/certificates/myserver.local/myserver.local.crt;
ssl_certificate_key /etc/nginx/certificates/myserver.local/myserver.local.key;
ssl_dhparam /etc/nginx/dhparams.pem;
```
I installed the root certificate on an iOS (version 13) device and then accepted the certificate in the settings (Settings – General – Profile).
After restarting the server I still get a hint that the certificate is not trusted. Unfortunately, iOS doesn't give me detailed information, so I can't find a clue where to start troubleshooting. On macOS with Chrome and Safari, I also get an error message. Here, too, I imported the root certificate into the keychain.
Does anyone have a hint about what's wrong here?
Best Answer
Did you create an Extended Validation (EV) certificate? They are the ones that contain records other than `CN` (for example: country, city). I had faced a similar certificate rejected error.
Source, and information on how to solve it: https://gist.github.com/Soarez/9688998#openssl-ca
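
Added example, not part of the question or the answer: the question's signing command run against a throwaway CA, next to the same command with an `-extfile` that adds a `subjectAltName` and the `serverAuth` extended key usage, both of which Apple's published requirements for trusted certificates in iOS 13 and macOS 10.15 call for. It prints whether each certificate chains to the root and whether it carries those extensions. `server.ext`, the function names and the CA subject are assumptions, and the CA key is left unencrypted only because the CA is discarded.

```shell
# Added example: file names mirror the question's commands; server.ext and
# the function names are assumptions. Everything lives in a temp directory.
HOST=myserver.local

# Throwaway root CA (unencrypted key, demo only) plus a CSR for $HOST in $1.
make_ca_and_csr() {
    ( cd "$1" &&
      openssl genrsa -out rootCA.key 2048 &&
      openssl req -x509 -new -key rootCA.key -sha256 -days 1024 \
          -subj "/CN=Constructed Local Root CA" -out rootCA.crt &&
      openssl genrsa -out "$HOST.key" 2048 &&
      openssl req -new -key "$HOST.key" -subj "/CN=$HOST" -out "$HOST.csr"
    ) >/dev/null 2>&1
}

# Extensions for a TLS server certificate: the SAN carries the host name.
write_server_ext() {
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$HOST" > "$1/server.ext"
}

# Sign the CSR in directory $1 into $2; optional $3 is an extension file.
sign_csr() {
    ( cd "$1" &&
      openssl x509 -req -in "$HOST.csr" -CA rootCA.crt -CAkey rootCA.key \
          -CAcreateserial -out "$2" -days 500 -sha256 ${3:+-extfile "$3"}
    ) >/dev/null 2>&1
}

# True only if cert $1 names $2 in subjectAltName and allows serverAuth.
has_san_and_server_eku() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -qF "DNS:$2" &&
        printf '%s\n' "$text" | grep -qF 'TLS Web Server Authentication'
}

demo() {
    dir=$(mktemp -d) && make_ca_and_csr "$dir" && write_server_ext "$dir" &&
        sign_csr "$dir" as-posted.crt && sign_csr "$dir" with-ext.crt server.ext || return 1
    for c in as-posted.crt with-ext.crt; do
        openssl verify -CAfile "$dir/rootCA.crt" "$dir/$c" >/dev/null 2>&1 && chain=ok || chain=FAIL
        has_san_and_server_eku "$dir/$c" "$HOST" && ext=present || ext=missing
        echo "$c: chain=$chain san+serverAuth=$ext"
    done
    rm -rf "$dir"
}
demo
```

For a real CA, keep the passphrase on `rootCA.key` as in the question and pass the extension file to the signing command with `-extfile server.ext`.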