Self signed ssl I created for localhost cannot be trusted even though I have already imported it to chrome
I am creating https server side that I am using to practice OAuth to Instagram which requires https.
I generated a certificate using ssl by running the script from the following link: https://gist.github.com/bjanderson/075fadfccdd12623ab935e57eff58eb4
The script ran just fine and I received all the expected files. I've imported the ca.crt to my chrome under the trusted root certification authorities but chrome still won't trust it. Is the import location appropriate since chrome has many different sections that ca.crt could be imported to.
I get the following errors:
Certificate - Subject Alternative Name missing The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.
Certificate - missing This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID).
How do i fix these two issues and get my chrome to trust my self signed certificate?
The Subject Alternative Name is, as it says, where alternative names for the subject are listed. It is an improvement on the Subject field because it allows multiple subject names whereas Subject only allows one. Modern browsers only look at the Subject Alternative Name extension and ignore the Subject field.
To make a self-signed certificate that should work on modern browsers, create an OpenSSL config file similar to the following and save it as openssl.cnf
:
######################################################
# OpenSSL config to generate a self-signed certificate
#
# Create certificate with:
# openssl req -x509 -new -nodes -days 720 -keyout selfsigned.key -out selfsigned.pem -config openssl.cnf
#
# Remove the -nodes option if you want to secure your private key with a passphrase
#
######################################################
################ Req Section ################
# This is used by the `openssl req` command
# to create a certificate request and by the
# `openssl req -x509` command to create a
# self-signed certificate.
[ req ]
# The size of the keys in bits:
default_bits = 2048
# The message digest for self-signing the certificate
# sha1 or sha256 for best compatability, although most
# OpenSSL digest algorithm can be used.
# md4,md5,mdc2,rmd160,sha1,sha256
default_md = sha256
# Don't prompt for the DN, use configured values instead
# This saves having to type in your DN each time.
prompt = no
string_mask = default
distinguished_name = req_dn
# Extensions added while singing with the `openssl req -x509` command
x509_extensions = x509_ext
[ req_dn ]
countryName = GB
stateOrProvinceName = Somewhere
organizationName = Example
commonName = Example Web Service
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# No basicConstraints extension is equal to CA:False
# basicConstraints = critical, CA:False
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.com
DNS.2 = www.example.org
Run:
openssl req -x509 -new -nodes -days 720 -keyout selfsigned.key -out selfsigned.crt -config openssl.cnf
Add the selfsigned.crt
to the trust-anchor store of your browser.
If you now fix your DNS resolution (local DNS or /etc/hosts
file) so that www.example.org
or www.example.com
points to 127.0.0.1
you can access www.example.com
or www.example.org
without Chrome complaining.
To test, run:
openssl s_server -cert selfsigned.crt -key selfsigned.key -www -accept 8443
Point your browser to https://www.example.org:8443
- you should get a list of available cipher-suites and some session information. You should not get a certificate warning.