Chrome shows site as "Not Secure" (Cert Invalid), but certificate is correct
Contrary to curl or s_client, neither Chrome nor Firefox uses the system's CA store on Ubuntu. They have their own trust store and you need to import the CA certificate into their specific store in order to be treated as trusted. To access the trust store of Chrome use chrome://settings/certificates.
Author: blueFast
Updated on September 18, 2022
Comments
-
blueFast over 1 year
I have a self-generated CA, and a generated certificate. The certificate is valid:
» openssl verify -verbose -x509_strict -CAfile rootCA.pem mysite.bundle.crt
mysite.bundle.crt: OK
The root CA is installed in my system (Ubuntu 16.04), and curl is able to validate the cert:
curl https://mysite
No complaints here.
I can verify the cert chain in the running site, and everything seems ok, including the SAN entries:
» openssl s_client -showcerts -servername mysite -connect mysite:443 </dev/null 2> /dev/null | openssl x509 -noout -text | grep DNS:
DNS:mysite
But Chrome still complains. What could be the reason?
EDIT
Adding screenshot
-
user1686 about 6 years
Chrome usually shows a specific error code. Can you provide it?
-
blueFast about 6 years
@grawity there is no error code per se, but some details. I have added a screenshot. I can add more if needed.
-
blueFast about 6 years
Thanks. Are you sure? This comment to another question of mine says the opposite
-
Steffen Ullrich about 6 years
@dangonfast: Yes, I'm sure. Just have a look at the store yourself by using chrome://settings/certificates and see if you find the certificates you've added to the global store there. Chrome does use the system CA store on Windows and Mac but not on Linux. Firefox uses its own store on all platforms.
-
blueFast about 6 years
Indeed, that link should be in your answer too! :) And those are the only ones used by Chrome, not on top of the system ones?
-
Steffen Ullrich about 6 years
@dangonfast: From my experience these are the only ones.
-
blueFast about 6 years
After adding the self-generated CA root certificate to the Chrome store, it shows as valid. Thanks!
-
Ramhound about 6 years
@dangonfast You never specified what OS. A tag doesn’t count.
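
The import described in the answer can also be done from a terminal with NSS's `certutil` (Ubuntu package `libnss3-tools`) instead of the chrome://settings/certificates page. The script below is an added example, not part of the original thread; the database locations (`~/.pki/nssdb` for Chrome, `~/.mozilla/firefox/<profile>/` for Firefox) are assumed defaults, and `DRY_RUN` and the function names are this script's own, not certutil options.

```shell
#!/bin/sh
# Added example: trust a private root CA in the per-user NSS databases that
# Chrome and Firefox read on Linux. Needs certutil (Ubuntu: libnss3-tools).
# Assumed default locations: ~/.pki/nssdb and ~/.mozilla/firefox/<profile>/.

# Print one NSS database directory per line for the current $HOME.
nss_db_dirs() {
    [ -d "$HOME/.pki/nssdb" ] && printf '%s\n' "$HOME/.pki/nssdb"
    for db in "$HOME"/.mozilla/firefox/*/cert9.db; do
        [ -f "$db" ] && dirname "$db"
    done
    return 0
}

# import_ca <ca-file> <nickname>
# Adds the CA to every database found, trusted only for issuing TLS server
# certificates (trust flags "C,,"). With DRY_RUN set (a variable of this
# script, not a certutil option) the commands are printed instead of run.
# Returns 1 if the file is unreadable or an import fails, 2 if no database exists.
import_ca() {
    ca_file=$1
    nickname=$2
    [ -r "$ca_file" ] || { echo "cannot read $ca_file" >&2; return 1; }
    dirs=$(nss_db_dirs)
    [ -n "$dirs" ] || { echo "no NSS database under $HOME" >&2; return 2; }
    while IFS= read -r dir; do
        if [ -n "${DRY_RUN:-}" ]; then
            printf 'certutil -d "sql:%s" -A -t "C,," -n "%s" -i "%s"\n' \
                "$dir" "$nickname" "$ca_file"
        else
            certutil -d "sql:$dir" -A -t "C,," -n "$nickname" -i "$ca_file" \
                || return 1
        fi
    done <<EOF
$dirs
EOF
}

# Usage: sh import-ca.sh rootCA.pem "My Root CA"
if [ "$#" -eq 2 ]; then
    import_ca "$1" "$2"
fi
```

Running it once with `DRY_RUN=1` shows which databases would be modified; `certutil -d sql:$HOME/.pki/nssdb -L` lists the result afterwards.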