Chrome NET::ERR_CERT_AUTHORITY_INVALID error on self signing certificate at LocalHost
Solution 1
We can simply allow invalid certificates for developing purposes in chrome.
This is only valid for Localhost
Paste this in your chrome address bar:
chrome://flags/#allow-insecure-localhost
Then enable the highlighted text: Allow invalid certificates for resources loaded from localhost
Solution 2
Here are my instructions using the KeyStore Explorer tool.
The 2 things I was previously missing when I created the cert were:
- AKID (Authority Key Identifier) - select the same "CN=" you used when creating it.
- Adding in the "Basic Constraints" option (do not select "is a CA")
Without those 2 things Chrome will issue warnings / errors even when you have installed the self-signed certificate into your MS-CAPI PKI Trust store (as a "Trusted Root Authority).
Here are the steps I used.
- Instructions using KSE (KeyStore Explorer)
- Create a JKS
- Creating a self-signed certificate
- Open KeyStore Explorer
- File | New | JKS | OK
- Create a Password for your JKS file
- File | Save as... | enter your password
- Enter file name | OK
- Tools | Generate Key Pair
- Select Algorithm and Key Size (i.e. 2048) | OK
- Select validity period (i.e. 5 years)
- Select Name (Book icon) | Enter in Name fields | OK
- I.e. “CN=localhost…”
- Add Extensions (Very Important), this determines what type of certificate it will be and how it can be used. This example will be for a standard server certificate with SSL.
- Add in the Key Usage item
- Add in the Digital Signature and Key Encipherment options checkbox
- Add in the EKU (Extended Key Usage) options
- Select both of these options:
- TLS Web Client Authentication
- TLS Web Server Authentication
- Add in the SANs (Subject Alternative Name)
- Add in all the needed DNS names and IP Addresses (if applicable) for which this server will be used. (repeat for all desired values) (e.g. 127.0.0.1 and localhost (or )
- It will look something like this when it's done
- When it's done you will see all the fields with the OIDs (Object Identifiers) listed | OK | OK
- Add in the AKID (Authority Key Identifier)
- Add Extensions "+"
- Add Extension Type | Authority Key Identifier
- Select the Authority Cert Issuer of the CN that you created above (.e.g "CN=localhost...") | OK
- Add in a "Basic Constraints" (do NOT check "Subject is a CA")
- When you're done you'll see these listed: hit "OK"
- Note: the Basic Constraints and AKID (Authority Key Identifer) are needed for the Chrome Browser to validate the self-signed certificate as a trusted certificate.
- Otherwise you'll see warning or error messages even after you have add this certificate, explicitly, to your MS-CAPI Trusted Root certificates.
- Enter in the Alias of the keypair name you want to use
- Enter in the private keypair password
- *Note: this password MUST be the same as the JKS file keystore password or Java may fail silently when trying to use this certificate.
- You should see a message indicating success. | OK
- Then, save the File | Save
Solution 3
I fixed my exactly same issue following this .
Issue seemed to be in the way the certificate was created.
The code below is from the above site.
#!/usr/bin/env bash
mkdir ~/ssl/
openssl genrsa -des3 -out ~/ssl/rootCA.key 2048
openssl req -x509 -new -nodes -key ~/ssl/rootCA.key -sha256 -days 1024 -out ~/ssl/rootCA.pem
#!/usr/bin/env bash
sudo openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config <( cat server.csr.cnf )
sudo openssl x509 -req -in server.csr -CA ~/ssl/rootCA.pem -CAkey ~/ssl/rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext
server.csr.cnf file
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=US
ST=New York
L=Rochester
O=End Point
OU=Testing Domain
emailAddress=your-administrative-address@your-awesome-existing-domain.com
CN = localhost
v3.ext file
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
Solution 4
There is a great GUI java-based utility that I use for creating and manipulating all things PKI called KeyStore Explorer. So much easier than all of the command-line options:
Solution 5
-
Open your chrome browser
-
Put the below link in the browser address bar and press Enter.
chrome://flags/#allow-insecure-localhost
-
Select "Allow invalid certificates for resources loaded from localhost." Disabled to Enabled.
Hope your problem will fix. Thanks
E.S.
Updated on July 09, 2022Comments
-
E.S. almost 2 years
I am trying to setup a development environment on my local PC. As the production website supports HTTPS (who does not these days?), I want to have this also on the localhost. I thought it would be easy, but no.
I have a XAMP installation, and setup all so I can access the website. However, whenever I go to any page on the site locally, I get the chrome warning:
NET::ERR_CERT_AUTHORITY_INVALID
I did follow the following thread to try and solve it:
Getting Chrome to accept self-signed localhost certificate
I also created the certificate with the correct Subject Alternative Name (SAN) section, based on this:
https://deliciousbrains.com/https-locally-without-browser-privacy-errors/
After that, I generated the CER or P7B file and imported that into Chrome. I restarted both Apache and Chrome.
I put the certificate in the Trusted Root Certificate Authorities. Somehow, Chrome decided however to place it in the Intermediate Root Certificate Authorities...
I am using Chrome 61, I had the same in 60.
So somehow I am unable to install a self signed certificate, and keep getting this warning which basically makes development on localhost impossible...
I understand that this self-signing is not exactly trustworthy, but there must be a way to develop offline? It does not make sense that we have to build websites online from now on?...
Any ideas?
-
Joe Platano over 6 yearscan you add some more details? What did you import to chrome? i did the same steps but still facing the error
-
atom88 over 6 yearsThe 2 things I was previously missing when I created the cert were: AKID (Authority Key Identifier) - select the same "CN=" you used when creating it. Adding in the "Basic Constraints" option (do not select "is a CA") Without those 2 things Chrome will issue warnings / errors even when you have installed the self-signed certificate into your MS-CAPI PKI Trust store (as a "Trusted Root Authority).
-
Asif Mohammad Mollah almost 6 yearsIt showing on last command
CA certificate and CA private key do not match
-
K-Dawg almost 6 yearsThis may sound stupid but what file extension should the file be and what do I do with it after these instructions?
-
atom88 almost 6 yearssee step # 5 above (JKS file extension). Then, right click in KeyStore Explorer and select "export" the "public key". You can then save this as either a .p7 or .cer / .crt extension. Once you have that file you can then import your .cer file into your chrome and/or FireFox browser which should resolve the issue, I believe.
-
Shawn over 5 yearsIf you are planning on using the certificate on a webserver you must export the private key as well. Right click -> Export -> Export Private Key, Choose OpenSSL, uncheck Encrypt, choose file location, Export.
-
Dominik Mohr over 5 yearsThis just worked. After the creation I downloaded the certificate and added it for chrome. Now no more warnings appear.
-
RAGINROSE almost 5 yearsit is working perfectly in chrome. but how to make it work with fierfox?
-
RAGINROSE almost 5 yearsfinally find a way to use it in firefox. need go to about:config and change the configuration security.enterprise_roots.enabled to true.
-
Rafa over 3 yearsI guess this only works if the URL says
https://localhost
, because it does not work with a domain that points tolocalhost
/127.0.0.1
on the/etc/hosts
file -
user1034912 over 3 yearsThis is very insecure... it will allow all spoof websites
-
Sujay66 about 3 yearsHonestly, if you're testing something for a one-off scenario, this is the best solution. Thanks!
-
Jos Faber over 2 yearsNo it will not solve problems for domains with DNS to
127.0.0.1