Self signed ssl I created for localhost cannot be trusted even though I have already imported it to chrome

ssl-certificate https openssl certificate-authority self-signed-certificate

9,268

The Subject Alternative Name is, as it says, where alternative names for the subject are listed. It is an improvement on the Subject field because it allows multiple subject names whereas Subject only allows one. Modern browsers only look at the Subject Alternative Name extension and ignore the Subject field.

To make a self-signed certificate that should work on modern browsers, create an OpenSSL config file similar to the following and save it as openssl.cnf:

######################################################
# OpenSSL config to generate a self-signed certificate
#
# Create certificate with:
# openssl req -x509 -new -nodes -days 720 -keyout selfsigned.key -out selfsigned.pem -config openssl.cnf
#
# Remove the -nodes option if you want to secure your private key with a passphrase
#
######################################################

################ Req Section ################
# This is used by the `openssl req` command
# to create a certificate request and by the
# `openssl req -x509` command to create a
# self-signed certificate.

[ req ]

# The size of the keys in bits:
default_bits       = 2048

# The message digest for self-signing the certificate
# sha1 or sha256 for best compatability, although most
# OpenSSL digest algorithm can be used.
# md4,md5,mdc2,rmd160,sha1,sha256
default_md = sha256

# Don't prompt for the DN, use configured values instead
# This saves having to type in your DN each time.

prompt             = no
string_mask        = default
distinguished_name = req_dn

# Extensions added while singing with the `openssl req -x509` command
x509_extensions = x509_ext

[ req_dn ]

countryName            = GB
stateOrProvinceName    = Somewhere
organizationName       = Example
commonName             = Example Web Service

[ x509_ext ]

subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always

# No basicConstraints extension is equal to CA:False
# basicConstraints      = critical, CA:False

keyUsage = critical, digitalSignature, keyEncipherment

extendedKeyUsage = serverAuth

subjectAltName = @alt_names

[alt_names]
DNS.1 = www.example.com
DNS.2 = www.example.org

Run:

openssl req -x509 -new -nodes -days 720 -keyout selfsigned.key -out selfsigned.crt -config openssl.cnf

Add the selfsigned.crt to the trust-anchor store of your browser.

If you now fix your DNS resolution (local DNS or /etc/hosts file) so that www.example.org or www.example.com points to 127.0.0.1 you can access www.example.com or www.example.org without Chrome complaining.

To test, run:

openssl s_server -cert selfsigned.crt -key selfsigned.key -www -accept 8443

Point your browser to https://www.example.org:8443 - you should get a list of available cipher-suites and some session information. You should not get a certificate warning.

9,268

alexW

Updated on September 18, 2022

Comments

alexW over 1 year

I am creating https server side that I am using to practice OAuth to Instagram which requires https.

I generated a certificate using ssl by running the script from the following link: https://gist.github.com/bjanderson/075fadfccdd12623ab935e57eff58eb4

The script ran just fine and I received all the expected files. I've imported the ca.crt to my chrome under the trusted root certification authorities but chrome still won't trust it. Is the import location appropriate since chrome has many different sections that ca.crt could be imported to.

I get the following errors:

Certificate - Subject Alternative Name missing The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

Certificate - missing This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID).

How do i fix these two issues and get my chrome to trust my self signed certificate?
- garethTheRed almost 5 years
  
  Chrome doesn't accept certificates issued to localhost. Also, as the error message states you need to use certificates which include a Subject Alternative Name extension. The scripts you use don't include this extensions (as can be gleaned from reading the comments below the scripts).
- alexW almost 5 years
  
  Actually I issued mine to 127.0.0.1. Can you explain to me what subject alt name is used for? How do i make it work?
Daniel K almost 5 years

Great answer. How does ‘@alt_names’ get populated?
garethTheRed almost 5 years

@DanielK By the [alt_names] section.
alexW almost 5 years

so in the /etc/hosts file I add 127.0.0.1 www.example.com and on another line ::1 www.example.com ? Is this correct ?
garethTheRed almost 5 years

That is correct.
Nathan B over 2 years

openssl:Error: 's_serv' is an invalid command.
garethTheRed over 2 years

@NathanB - thanks, fixed the typo now. It should read s_server.