Self signed ssl I created for localhost cannot be trusted even though I have already imported it to chrome

Question

I generated a certificate using ssl by running the script from the following link: https://gist.github.com/bjanderson/075fadfccdd12623ab935e57eff58eb4

The script ran just fine and I received all the expected files. I've imported the ca.crt to my chrome under the trusted root certification authorities but chrome still won't trust it.

I get the following errors:

Certificate - Subject Alternative Name missing
The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

Certificate - missing
This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID).

How do i fix these two issues and get my chrome to trust my self signed certificate?

score 0 · Answer 1 · answered Jun 30 '19 at 10:34

0

Certificate - Subject Alternative Name missing
The certificate for this site does not contain a Subject Alternative Name
                                             extension containing a domain name or IP address.

This mean:

The CN don't match ServerName
And the X509v3 Subject Alternative Name field don't too.

Certificate - missing
This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID).

This mean:

Server could not be trusted, because no valid certificate was provided... Ok, this would be solved when first error will be solved!

Think about the way (IP address or DNS name) you connect your server:

https://228.929.123.46/

or

https://mydomain.example.com/
https://127.0.0.1/
https://$HOSTNAME/

You could create cert with

CN=228.929.123.46 and add DNS.1=mydomain.example.com DNS.2=$HOSTNAME IP.1=127.0.0.1 DNS.3=other.domain.org DNS....
CN=127.0.0.1 and add DNS.1=mydomain.example.com DNS.2=$HOSTNAME IP.1=228.929.123.46 DNS.3=other.domain.org DNS....

But if on Internet, you'd better to whipe unfull hostname, localnet (192.168.x.x) and localip (127.x.x.x)!

CN=228.929.123.46 and add DNS.1=mydomain.example.com DNS.2=other.domain.org DNS....

And use only DNS address or public ip to reach your server!

Have a look there,

Subject Alternative Name at wikipedia.org

Then to see how to do this...

Provide subjectAltName to OpenSSL directly on the command line at security.stackexchange.com
Adding Subject Alternative Name (SAN) to a digital certificate at documentation.progress.com
Generate ssl certificates with Subject Alt Names on OSX at github.com/croxton

answered Jun 30 '19 at 10:34

F. Hauri - Give Up GitHub

1,057
9
14

my https server is 127.0.0.1 which I already change instead of localhost when creating server.csr. can i put that in? or does it have to be https://127.0.0.1:8080 (8080 is port im running) – alexW Jun 30 '19 at 10:42
You could have only one CN, but as many *SAN* you want. – F. Hauri - Give Up GitHub Jun 30 '19 at 10:52
I still don't get what SAN does. Is it so that the certificates can be used by more than one places? – alexW Jun 30 '19 at 10:56
*`SAN`* mean *`Subject Alternative Name`*. as *`Alternative`* to ***`CN`***. So your ip address could figure eighter under *`CN`* **or** at any place in *`SAN`*. – F. Hauri - Give Up GitHub Jun 30 '19 at 10:59
Okay then, since I don't have a domain name do I just put in my IP address for SAN? – alexW Jun 30 '19 at 11:04
Or simply generate cert without *SAN*, but for ***Public IP***, then configure the *ServerName* directive in your web server! – F. Hauri - Give Up GitHub Jun 30 '19 at 11:10
@alexW, as *New contributor*, please consider *Accept* and/or *UpVote* in stackexchange websites! ;-) – F. Hauri - Give Up GitHub Jun 30 '19 at 11:12
Ah, and TCP port is not part of x509 by default. So no matter wich port you use! – F. Hauri - Give Up GitHub Jun 30 '19 at 11:19
Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/95546/discussion-between-alexw-and-f-hauri). – alexW Jun 30 '19 at 11:50
1

1. in 2019 SAN is required, it's not alternative. CN is optional. Domain used in URL must be in SAN for browser to validate. 2. You might need to put "ip:" instead of "dns:" in SAN. – Z.T. Jun 30 '19 at 13:30
Did you restart your webserver once certs renewed? – F. Hauri - Give Up GitHub Jun 30 '19 at 21:38

Self signed ssl I created for localhost cannot be trusted even though I have already imported it to chrome

1 Answers1