"Private key is missing or invalid when importing a certificate" in Google Chrome
Solution 1
I think what you may be trying to do is add it to the wrong certificate store. If you're attempting to add it under "Your Certificates", you're gonna have a bad time. That tab is for adding identity certificates; what your browser offers to the server to establish the browser's identity.
What I think you want to do do, based on your description, is you want your browser to trust the self-signed cert that will be on your server end. If that's the case, you need to add it in your "Authorities" tab.
Solution 2
What worked for me was
- setting up a CA
- signing my own certificate using this CA and then
- importing the CA key into Chrome (Authorities).
I got the procedure from this answer on SO.
Since my specific issue was for catering for multilevel subdomains, I'll look at it from that angle.
subdomains:
- bar.fooz.mydomain.com
- foo.fooz.mydomain.com
- Become a Certificate Authority
export CA=myca
# you probably want to have this in its own directory
mdkir /etc/ssl/$CA && cd /etc/ssl/$CA
# generate private key
openssl genrsa -des3 -out $CA.key 2048
# generate root certificate
openssl req -x509 -new -nodes -key $CA.key -sha256 -days 825 -out $CA.pem
- Create CA-signed certificates
export NAME=fooz.mydomain.com
# if CA files were in a separate directory
cd .. && mkdir /etc/ssl/$NAME && cd /etc/ssl/$NAME
# generate private key
openssl genrsa -out $NAME.key 2048
# Create a certificate-signing request
# Once prompted, set FQDN to the value of $NAME
openssl req -new -key $NAME.key -out $NAME.csr
# Create a config file for the extensions
>$NAME.ext cat <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
# Optionally, add additional domains (I've added a subdomain here)
DNS.2 = foo.$NAME
DNS.3 = bar.$NAME
IP.1 = 192.168.0.13 # (Optional, but probably important), add an IP address (if the connection which you have planned requires it)
EOF
# Create the signed certificate
openssl x509 -req -in $NAME.csr -CA $CA.pem -CAkey $CA.key -CAcreateserial -out $NAME.crt -days 825 -sha256 -extfile $NAME.ext
- Download the
$CA.pem
file and import as an Authority in your browser:
1. Chrome settings (Settings > Privacy and Security > Security > Manage certificates > Authorities > Import). Check Trust this certificate for identifying websites
2. Firefox: Preferences > Privacy and Security > Certificates > View Certificates > Authorities > import. Check Trust this CA to identify websites
- Restart your browser (Firefox worked without the need for a restart)
Solution 3
Chrome expects a file in PKCS12 format file which is used to store the certificate, any intermediate certificate and the private key into single encryptable file. these files usually have the .p12
and .pfx
extensions.
To generate one use the below command
openssl pkcs12 -export -inkey ./sample.key -in ./sample.crt -out ./sample.p12
This command will ask for a password which we need to remember and use it while importing the generated p12
file into chrome.
Related videos on Youtube
Maciej Krawczyk
Updated on September 18, 2022Comments
-
Maciej Krawczyk over 1 year
I want to test my web app on https localhost. Unfortunately it seems impossible to remove certificate warning from chrome. First, I generated the certificate like this:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/localhost-selfsigned.key -out /etc/ssl/certs/localhost-selfsigned.crt
Then I wanted to add it to Chrome, settings > advanced > manage certificates -> import. I try to import the .crt file generated before and all I get is this:
Certificate import error: The Private Key for this Client Certificate is missing or invalid.
I googled it, but I found nothing helpful.
I have also tried to enable allow-insecure-localhost flag and open chrome with
--ignore-certificate-errors
but it still shows the warning and broken httpsAre there any other ways or am I doing something wrong with the certificate?
-
Zoredache almost 7 yearsDid you also import the
/etc/ssl/private/localhost-selfsigned.key
file? That is the private key. -
Arjan almost 7 yearsThe browser needs the public key, not the private key.
-
Spiff almost 7 yearsUsually you'd create a self-signed server certificate and install it in the HTTP server software you're serving your web app from. Client-side (user) certificates installed in web browsers can be used to authenticate users when the log onto web apps, but it's pretty rare. Most sites/apps use username/password authentication, not user/client certificates.
-
cghislai almost 7 yearsCan you use this certificate to serve content through https and look how it looks like when exported from the browser? should be the same content.
-
cghislai almost 7 yearsAlso, maybe you are importing from the wrong tab. try to switch to the server tab before clicking the import button
-
-
Alexandre Bourlier over 6 yearsDid not work for me
-
lasec0203 about 6 yearsthis works as of Chrome v64. You import the .crt under the "Authorities" tab as @Erik pointed out. Note: FireFox doesn't give you this hassle
-
x-yuri about 6 yearsAuthorities tab is for CA certificates. Non-CA certificates are supposed to be on Servers tab. Although you can't, for instance, manually add non-CA certificate there in Chromium 65.0.3325.162.
-
K-Gun almost 5 yearsImporting via "Authorities" tab solved my prob.
-
Zap over 4 yearsFireFox gave me the same hustle and nothing works but okay.
-
Snowcrash about 4 yearsImporting it in Authorities gave "Private key missing", in Authorities worked but did not solve the problem, in Servers the cert didn't appear.
-
Erik about 4 yearsThat doesn't make sense. It's highly unlikely that anyone would ever have the private key of an Certificate Authority certificate. I can't imagine why you would be told that if you were entering it in the correct location.
-
v3nt almost 4 yearswhere is the 'authorities' tab in chrome? can't see any way to import certificates or .pem. Thanks,
-
Erik almost 4 yearsFind the Authorities tab in the "Manage Certificates" pane. Settings -> Privacy and security -> Expand the "More" -> Manage certificates
-
qwertz over 3 yearsStill valid answer as of Chromium v85 in October 2020
-
Hastur over 3 yearsWelcome (out) to SuperUser. There is no need to copy and paste, but perhaps to better explain yes. For the same reason that it doesn't deserve to be closed as a duplicate (it's on another site), it also deserves a full response (with commands). Your answer is basically the copy and paste of the link prologue you posted...just a little more effort to get a more nice/useful answer. HNY.
-
giantas over 3 yearsnoted... updating in a few
-
Fakhamatia almost 3 yearsI get error
Unknown algorithm pkcs12
for this commandsudo openssl req -x509 -nodes -days 18250 -newkey pkcs12 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
-
Ivan Vilanculo almost 3 yearsThis should be marked as the correct answer. It worked for me. Thanks
-
Nathan B over 2 yearsGreat answer! Worked like a charm.
-
fbicknel over 2 yearsExcellent answer. Remember to restart the browser (I had to do so with Brave 1.32). I feel pretty sheepish that I was banging my head against the wall until I found your answer.