Generated SSL certificate doesn't work in Personal > Certificates, only if it's also in Trusted Root Certificate Authorities > Certificates

I'm trying to install an SSL certificate automatically with certutil, and I've done this successfully with the following command:

certutil -addstore -user -f "My" "$CERT_FILE_CERT"

Looking at the certificates in certmgr, the installed certificate appears under Personal > Certificates as expected. This doesn't seem to be sufficient for my browsers (Chrome, Edge) to validate the certificate when it is used to serve a page from one of the hostnames mentioned in the SAN list.

In order to successfully validate the certificate and accept that it's legitimate, I also have to install the certificate to Trusted Root Certification Authorities. Is there a way I can change the configuration file I use with OpenSSL so that only the Personal > Certificates entry is required? Or do I always need to install the certificate in two places?

For context, I'm aiming to streamline the process of setting up the local development environment in my company as much as possible. One thing we require is that the local services be served over HTTPS (one service is an identity service, and "Sign in with Google" doesn't work if your redirect URL isn't secure).

I've used OpenSSL with the following configuration to generate a certificate:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = JP
ST = Shizuoka
L = Hamamatsu
O = COMPANY
OU = Development
CN = localhost

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1 = 127.0.0.1
DNS.1 = localhost
DNS.2 = host.docker.internal

And the following commands:

openssl ecparam -genkey -name prime256v1 | openssl ec -aes256 -out $CERT_FILE_KEY -passout "pass:$CERT_PWD"

openssl req -new -x509 -nodes -days 3650 -key $CERT_FILE_KEY -out $CERT_FILE_CERT -passin "pass:$CERT_PWD" -passout "pass:$CERT_PWD" -config cert-input.conf

openssl pkcs12 -export -out $CERT_FILE_PFX -inkey $CERT_FILE_KEY -in $CERT_FILE_CERT -passin "pass:$CERT_PWD" -passout "pass:$CERT_PWD" -name "Local Dev"

This has resulted in the following certificate:

Solution 1:

That's working as it should. The Trusted Root Certificate Authorities store is where you place certificates (root ones) which you trust. If they're not in there your relying-party doesn't know that you've chosen to trust them.

The Personal store is where you place subscriber (also known as end-entity) certificates. These are certificates which services use to present to relying-parties. You only need the certificate here if you have a Windows application which is a server/service - e.g. IIS.

As your SAN is for localhost then you will need to ensure that whatever service is running on that machine has access to the certificate and private key. If it's not a Windows native application, or an application which can access the Windows certificate store, then you will need to configure the certificate and private key on that service as per its documentation; not place it in the Personal store. As this works when you add the certificate to the Trusted Root Certificate Authorities store, this suggests you may have done that already.

You would probably be better to create a CA key and certificate (basicConstraints = CA) and have that in the Trusted Root Certificate Authorities store. Then use that to sign a end-entity certificate for use by your application.

Generated SSL certificate doesn't work in Personal > Certificates, only if it's also in Trusted Root Certificate Authorities > Certificates

Solution 1:

Related

Recent Posts