I have mutual TLS enabled on my nginx reverse proxy. I can view the site only when I have the client cert and custom CA installed in my keychain. This works in Safari and Chrome. However, in Chrome it always says "This cert cannot be trusted" despite having trusted always options selected on both the CA and the client cert. How can I get chrome to trust the cert?
Asked
Active
Viewed 1,200 times
0
-
Dupe https://serverfault.com/questions/845766/generating-a-self-signed-cert-with-openssl-that-works-in-chrome-58 https://serverfault.com/questions/880804/can-not-get-rid-of-neterr-cert-common-name-invalid-error-in-chrome-with-self and others e.g. https://security.stackexchange.com/questions/172440/generate-x509-ERR_CERT_COMMON_NAME_INVALID https://stackoverflow.com/questions/61125319/node-js-self-signed-certificate-is-still-showing-as-not-trusted-in-my-browser . Yes, Chrome since 2017 requires SAN. – dave_thompson_085 Oct 10 '21 at 01:45
1 Answers
0
The subject alt name wasn't defined. When generating the cert, I ran the following:
openssl x509 -req -days 365 -sha256 -in mydomain.com.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out mydomain.com.crt -extfile mydomain.com.ext
where I had:
mydomain.com.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = mydomain.com
Ryan
- 115
- 6