"Private key is missing or invalid when importing a certificate" in Google Chrome


Solution 1

I think what you may be trying to do is add it to the wrong certificate store. If you're attempting to add it under "Your Certificates", you're gonna have a bad time. That tab is for adding identity certificates: what your browser offers to the server to establish the browser's identity.

What I think you want to do, based on your description, is make your browser trust the self-signed cert that will be on your server end. If that's the case, you need to add it in your "Authorities" tab.

Solution 2

What worked for me was

  • setting up a CA
  • signing my own certificate using this CA and then
  • importing the CA key into Chrome (Authorities).

I got the procedure from this answer on SO.

Since my specific issue was for catering for multilevel subdomains, I'll look at it from that angle.

subdomains:

  • bar.fooz.mydomain.com
  • foo.fooz.mydomain.com

  1. Become a Certificate Authority

export CA=myca
# you probably want to have this in its own directory
mkdir /etc/ssl/$CA && cd /etc/ssl/$CA

# generate private key
openssl genrsa -des3 -out $CA.key 2048

# generate root certificate
openssl req -x509 -new -nodes -key $CA.key -sha256 -days 825 -out $CA.pem

  2. Create CA-signed certificates

export NAME=fooz.mydomain.com
# if CA files were in a separate directory
cd .. && mkdir /etc/ssl/$NAME && cd /etc/ssl/$NAME

# generate private key
openssl genrsa -out $NAME.key 2048

# Create a certificate-signing request
# Once prompted, set FQDN to the value of $NAME
openssl req -new -key $NAME.key -out $NAME.csr

# Create a config file for the extensions
>$NAME.ext cat <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
# Optionally, add additional domains (I've added a subdomain here)
DNS.2 = foo.$NAME
DNS.3 = bar.$NAME
IP.1 = 192.168.0.13 # (Optional, but probably important), add an IP address (if the connection which you have planned requires it)
EOF

# Create the signed certificate
openssl x509 -req -in $NAME.csr -CA $CA.pem -CAkey $CA.key -CAcreateserial -out $NAME.crt -days 825 -sha256 -extfile $NAME.ext

  3. Download the $CA.pem file and import it as an Authority in your browser:
    1. Chrome: Settings > Privacy and Security > Security > Manage certificates > Authorities > Import. Check "Trust this certificate for identifying websites"
    2. Firefox: Preferences > Privacy and Security > Certificates > View Certificates > Authorities > Import. Check "Trust this CA to identify websites"
  4. Restart your browser (Firefox worked without the need for a restart)

Solution 3

Chrome expects a file in PKCS12 format, which is used to store the certificate, any intermediate certificates and the private key in a single encryptable file. These files usually have the .p12 and .pfx extensions.

To generate one, use the command below:

openssl pkcs12 -export -inkey ./sample.key -in ./sample.crt -out ./sample.p12

This command will ask for a password, which we need to remember and use while importing the generated p12 file into Chrome.
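The following script is an added example and is not code from any of the answers above. It runs the Solution 2 procedure (local CA, CA-signed leaf certificate with a subjectAltName list) non-interactively in a scratch directory, then performs the trust and hostname checks a browser would do once the CA certificate is in "Authorities", and finishes with the PKCS#12 export from Solution 3. It assumes only the openssl CLI; the CA name myca, the domain fooz.example.test, the IP 192.168.0.13 and the password changeit are constructed placeholders, and the `-subj` flags replace the interactive prompts of the original commands.

```shell
#!/bin/sh
# Added example (not from the answers above): the CA + SAN leaf procedure of
# Solution 2 made non-interactive, followed by the PKCS#12 export of
# Solution 3. Requires only the openssl CLI. Every name, path and address
# below is constructed for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # scratch directory instead of /etc/ssl
CA="$WORK/myca"                   # hypothetical CA name
NAME="fooz.example.test"          # constructed domain; substitute your own
LEAF="$WORK/$NAME"

# Step 1: CA key and self-signed root certificate. -nodes leaves the key
# unencrypted so this runs unattended; passphrase-protect a CA you will keep.
make_ca() {
  openssl genrsa -out "$CA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$CA.key" -sha256 -days 825 \
    -subj "/CN=Local test CA" -out "$CA.pem" 2>/dev/null
}

# Step 2: leaf key, CSR and the extensions file listing the SANs. Chrome
# matches the hostname against subjectAltName only, never the Common Name.
make_leaf() {
  openssl genrsa -out "$LEAF.key" 2048 2>/dev/null
  openssl req -new -key "$LEAF.key" -subj "/CN=$NAME" -out "$LEAF.csr" 2>/dev/null
  cat > "$LEAF.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME
DNS.2 = foo.$NAME
DNS.3 = bar.$NAME
IP.1 = 192.168.0.13
EOF
  openssl x509 -req -in "$LEAF.csr" -CA "$CA.pem" -CAkey "$CA.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$LEAF.ext" \
    -out "$LEAF.crt" 2>/dev/null
}

# Step 3: what the browser does once $CA.pem sits in "Authorities": build a
# chain from the server certificate to a trusted root. No private key needed.
verify_chain() {
  if openssl verify -CAfile "$CA.pem" "$LEAF.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Hostname / IP matching, using openssl's own checker on the SAN extension.
covers_host() {
  if openssl verify -CAfile "$CA.pem" -verify_hostname "$1" "$LEAF.crt" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}
covers_ip() {
  if openssl verify -CAfile "$CA.pem" -verify_ip "$1" "$LEAF.crt" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

# Step 4 (Solution 3's case): a PKCS#12 bundle is for importing a *client
# identity* under "Your Certificates", the only place a private key belongs.
# Prints "yes" when the bundle round-trips with its key intact.
make_p12() {
  openssl pkcs12 -export -inkey "$LEAF.key" -in "$LEAF.crt" \
    -passout pass:changeit -out "$LEAF.p12" 2>/dev/null
  if openssl pkcs12 -in "$LEAF.p12" -passin pass:changeit -nocerts -nodes 2>/dev/null \
       | grep -q "PRIVATE KEY"; then
    echo yes
  else
    echo no
  fi
}

make_ca
make_leaf
echo "chain: $(verify_chain)"
echo "bar.$NAME: $(covers_host "bar.$NAME")"
echo "other.example.test: $(covers_host other.example.test)"
echo "192.168.0.13: $(covers_ip 192.168.0.13)"
echo "p12 carries key: $(make_p12)"
echo "Import $CA.pem (no key) under Authorities; $LEAF.key stays on the server."
```

The two files that matter at the end are $CA.pem, which is the only thing the browser needs and contains no private key, and $LEAF.key plus $LEAF.crt, which go to the web server. The `openssl verify -verify_hostname` call is the closest CLI stand-in for the browser's check: a name absent from the SAN list fails even though the chain itself is trusted, which is exactly the warning the question describes.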


Author: Maciej Krawczyk

Updated on September 18, 2022

Comments

  • Maciej Krawczyk
    Maciej Krawczyk over 1 year

    I want to test my web app on https localhost. Unfortunately, it seems impossible to remove the certificate warning from Chrome. First, I generated the certificate like this:

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/localhost-selfsigned.key -out /etc/ssl/certs/localhost-selfsigned.crt

    Then I wanted to add it to Chrome: settings > advanced > manage certificates -> import. I try to import the .crt file generated before, and all I get is this:

    Certificate import error: The Private Key for this Client Certificate is missing or invalid.

    I googled it, but I found nothing helpful.

    I have also tried to enable the allow-insecure-localhost flag and open Chrome with --ignore-certificate-errors, but it still shows the warning and broken https.

    Are there any other ways, or am I doing something wrong with the certificate?

    • Zoredache
      Zoredache almost 7 years
      Did you also import the /etc/ssl/private/localhost-selfsigned.key file? That is the private key.
    • Arjan
      Arjan almost 7 years
      The browser needs the public key, not the private key.
    • Spiff
      Spiff almost 7 years
      Usually you'd create a self-signed server certificate and install it in the HTTP server software you're serving your web app from. Client-side (user) certificates installed in web browsers can be used to authenticate users when they log onto web apps, but it's pretty rare. Most sites/apps use username/password authentication, not user/client certificates.
    • cghislai
      cghislai almost 7 years
      Can you use this certificate to serve content through https and see what it looks like when exported from the browser? It should be the same content.
    • cghislai
      cghislai almost 7 years
      Also, maybe you are importing from the wrong tab. Try switching to the Servers tab before clicking the import button.
  • Alexandre Bourlier
    Alexandre Bourlier over 6 years
    Did not work for me
  • lasec0203
    lasec0203 about 6 years
    this works as of Chrome v64. You import the .crt under the "Authorities" tab as @Erik pointed out. Note: FireFox doesn't give you this hassle
  • x-yuri
    x-yuri about 6 years
    The Authorities tab is for CA certificates. Non-CA certificates are supposed to be on the Servers tab. Although you can't, for instance, manually add a non-CA certificate there in Chromium 65.0.3325.162.
  • K-Gun
    K-Gun almost 5 years
    Importing via "Authorities" tab solved my prob.
  • Zap
    Zap over 4 years
    FireFox gave me the same hustle and nothing works but okay.
  • Snowcrash
    Snowcrash about 4 years
    Importing it in Authorities gave "Private key missing", in Authorities worked but did not solve the problem, in Servers the cert didn't appear.
  • Erik
    Erik about 4 years
    That doesn't make sense. It's highly unlikely that anyone would ever have the private key of a Certificate Authority certificate. I can't imagine why you would be told that if you were entering it in the correct location.
  • v3nt
    v3nt almost 4 years
    where is the 'authorities' tab in chrome? can't see any way to import certificates or .pem. Thanks,
  • Erik
    Erik almost 4 years
    Find the Authorities tab in the "Manage Certificates" pane. Settings -> Privacy and security -> Expand the "More" -> Manage certificates
  • qwertz
    qwertz over 3 years
    Still valid answer as of Chromium v85 in October 2020
  • Hastur
    Hastur over 3 years
    Welcome (out) to SuperUser. There is no need to copy and paste, but perhaps to better explain yes. For the same reason that it doesn't deserve to be closed as a duplicate (it's on another site), it also deserves a full response (with commands). Your answer is basically the copy and paste of the link prologue you posted...just a little more effort to get a more nice/useful answer. HNY.
  • giantas
    giantas over 3 years
    noted... updating in a few
  • Fakhamatia
    Fakhamatia almost 3 years
    I get the error "Unknown algorithm pkcs12" for this command: sudo openssl req -x509 -nodes -days 18250 -newkey pkcs12 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
  • Ivan Vilanculo
    Ivan Vilanculo almost 3 years
    This should be marked as the correct answer. It worked for me. Thanks
  • Nathan B
    Nathan B over 2 years
    Great answer! Worked like a charm.
  • fbicknel
    fbicknel over 2 years
    Excellent answer. Remember to restart the browser (I had to do so with Brave 1.32). I feel pretty sheepish that I was banging my head against the wall until I found your answer.