Self signed ssl I created for localhost cannot be trusted even though I have already imported it to chrome

certificatecertificate-authorityopenssl

I generated a certificate using ssl by running the script from the following link: https://gist.github.com/bjanderson/075fadfccdd12623ab935e57eff58eb4

The script ran just fine and I received all the expected files. I've imported the ca.crt to my chrome under the trusted root certification authorities but chrome still won't trust it.

I get the following errors:

Certificate - Subject Alternative Name missing
The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

Certificate - missing
This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID).

How do i fix these two issues and get my chrome to trust my self signed certificate?

Best Answer

Certificate - Subject Alternative Name missing
The certificate for this site does not contain a Subject Alternative Name
                                             extension containing a domain name or IP address.

This mean:

The CN don't match ServerName
And the X509v3 Subject Alternative Name field don't too.

Certificate - missing
This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID).

This mean:

Server could not be trusted, because no valid certificate was provided... Ok, this would be solved when first error will be solved!

Think about the way (IP address or DNS name) you connect your server:

https://228.929.123.46/

https://mydomain.example.com/
https://127.0.0.1/
https://$HOSTNAME/

You could create cert with

CN=228.929.123.46 and add DNS.1=mydomain.example.com DNS.2=$HOSTNAME IP.1=127.0.0.1 DNS.3=other.domain.org DNS....
CN=127.0.0.1 and add DNS.1=mydomain.example.com DNS.2=$HOSTNAME IP.1=228.929.123.46 DNS.3=other.domain.org DNS....

But if on Internet, you'd better to whipe unfull hostname, localnet (192.168.x.x) and localip (127.x.x.x)!

CN=228.929.123.46 and add DNS.1=mydomain.example.com DNS.2=other.domain.org DNS....

And use only DNS address or public ip to reach your server!

Have a look there,

Subject Alternative Name at wikipedia.org

Then to see how to do this...

Provide subjectAltName to OpenSSL directly on the command line at security.stackexchange.com
Adding Subject Alternative Name (SAN) to a digital certificate at documentation.progress.com
Generate ssl certificates with Subject Alt Names on OSX at github.com/croxton

Related Solutions

Thunderbird not trusting certificate signed with self-signed authority

In Mozilla Thunderbird, go to Tools → Options → Advanced → tab Certificates.
Click on View Certificates and go to tab Servers.
Click on Add Exception.
Enter the name of your mail server and click on Get Certificate.
Do not forget to use the port number of the mail server.
Example: mail.provider.com:993
Save the exception.

Source: http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/self-signed-certificates-in-mozilla-thunderbird-950.html

OpenSSL – Generating a Self-Signed Cert That Works in Chrome 58

My solution:

openssl req \
    -newkey rsa:2048 \
    -x509 \
    -nodes \
    -keyout server.key \
    -new \
    -out server.crt \
    -subj /CN=dev.mycompany.com \
    -reqexts SAN \
    -extensions SAN \
    -config <(cat /System/Library/OpenSSL/openssl.cnf \
        <(printf '[SAN]\nsubjectAltName=DNS:dev.mycompany.com')) \
    -sha256 \
    -days 3650

Status: Works for me

Best Answer

Related Solutions

Thunderbird not trusting certificate signed with self-signed authority

OpenSSL – Generating a Self-Signed Cert That Works in Chrome 58

Related Topic