"Private key is missing or invalid when importing a certificate" in Google Chrome
I want to test my web app on https localhost. Unfortunately it seems impossible to remove certificate warning from chrome. First, I generated the certificate like this:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/localhost-selfsigned.key -out /etc/ssl/certs/localhost-selfsigned.crt
Then I wanted to add it to Chrome, settings > advanced > manage certificates -> import. I try to import the .crt file generated before and all I get is this:
Certificate import error: The Private Key for this Client Certificate is missing or invalid.
I googled it, but I found nothing helpful.
I have also tried to enable allow-insecure-localhost flag and open chrome with --ignore-certificate-errors
but it still shows the warning and broken https
Are there any other ways or am I doing something wrong with the certificate?
I think what you may be trying to do is add it to the wrong certificate store. If you're attempting to add it under "Your Certificates", you're gonna have a bad time. That tab is for adding identity certificates; what your browser offers to the server to establish the browser's identity.
What I think you want to do do, based on your description, is you want your browser to trust the self-signed cert that will be on your server end. If that's the case, you need to add it in your "Authorities" tab.
What worked for me was
- setting up a CA
- signing my own certificate using this CA and then
- importing the CA key into Chrome (Authorities).
I got the procedure from this answer on SO.
Since my specific issue was for catering for multilevel subdomains, I'll look at it from that angle.
subdomains:
- bar.fooz.mydomain.com
- foo.fooz.mydomain.com
- Become a Certificate Authority
export CA=myca
# you probably want to have this in its own directory
mdkir /etc/ssl/$CA && cd /etc/ssl/$CA
# generate private key
openssl genrsa -des3 -out $CA.key 2048
# generate root certificate
openssl req -x509 -new -nodes -key $CA.key -sha256 -days 825 -out $CA.pem
- Create CA-signed certificates
export NAME=fooz.mydomain.com
# if CA files were in a separate directory
cd .. && mkdir /etc/ssl/$NAME && cd /etc/ssl/$NAME
# generate private key
openssl genrsa -out $NAME.key 2048
# Create a certificate-signing request
# Once prompted, set FQDN to the value of $NAME
openssl req -new -key $NAME.key -out $NAME.csr
# Create a config file for the extensions
>$NAME.ext cat <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
# Optionally, add additional domains (I've added a subdomain here)
DNS.2 = foo.$NAME
DNS.3 = bar.$NAME
IP.1 = 192.168.0.13 # (Optional, but probably important), add an IP address (if the connection which you have planned requires it)
EOF
# Create the signed certificate
openssl x509 -req -in $NAME.csr -CA $CA.pem -CAkey $CA.key -CAcreateserial -out $NAME.crt -days 825 -sha256 -extfile $NAME.ext
- Download the
$CA.pem
file and import as an Authority in your browser:
1. Chrome settings (Settings > Privacy and Security > Security > Manage certificates > Authorities > Import). Check Trust this certificate for identifying websites
2. Firefox: Preferences > Privacy and Security > Certificates > View Certificates > Authorities > import. Check Trust this CA to identify websites
- Restart your browser (Firefox worked without the need for a restart)
Chrome expects a file in PKCS12 format file which is used to store the certificate, any intermediate certificate and the private key into single encryptable file. these files usually have the .p12
and .pfx
extensions.
To generate one use the below command
openssl pkcs12 -export -inkey ./sample.key -in ./sample.crt -out ./sample.p12
This command will ask for a password which we need to remember and use it while importing the generated p12
file into chrome.