
I used this to generate .crt and .key files:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout example.key -out example.crt -subj "/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:www.example.net,IP:127.0.0.1"

I have this node.js code:

var https = require('https');
var fs = require('fs');
var express = require('express');

// Load the PEM-encoded key and certificate produced by the openssl command above
var privateKey = fs.readFileSync('sslcert/example.key', 'utf8');
var certificate = fs.readFileSync('sslcert/example.crt', 'utf8');
var credentials = { key: privateKey, cert: certificate };

var app = express();

// Create the TLS server from the credentials and hand requests to Express
// (this line was missing from the snippet, so httpsServer was undefined)
var httpsServer = https.createServer(credentials, app);
httpsServer.listen(8443);

I could use Postman and get the response using the 8443 port. When I use the browser, I get this error:

127.0.0.1:8443 uses an invalid security certificate.
The certificate does not come from a trusted source.

I installed the .crt file on my Windows machine. I also tried to import the .crt file to Firefox. When I try to import it under "Your certificates" I get this error:

This personal certificate can’t be installed because you do not own the corresponding private key which was created when the certificate was requested.

When I import it to "Authorities" it works. Why? Does my self-signed certificate act as a CA?

Rony Tesler
  • Self-signed root certs are only CAs, since they have no possible outside issuer (hence the name, *self-signed*). Certs belong in one of three stores: Trusted Root CAs, Intermediate CAs, and simple Certificates. Self-signed go in Trusted Root, CAs issued by root certs (or issued by CAs issued by root certs, etc.) go in Intermediate CAs, and "end" certs (usually some form of identity) go in Certificates. – WhozCraig Mar 25 '22 at 05:14
  • Certificates for servers should not exceed a lifetime of more than 365 days. Most browsers just reject certificates that have a longer lifetime. – Robert Mar 25 '22 at 16:05
  • @WhozCraig So the .crt I created is also the certificate of the server's private key and is also a CA? – Rony Tesler Mar 25 '22 at 21:02
  • What if I use a normal public domain and a known CA, then in the DNS records I have an A record that points to a local IP in my LAN, that should work? – Rony Tesler Mar 26 '22 at 00:25
  • @Robert I changed the lifetime to 364 days, that didn't help. – Rony Tesler Mar 26 '22 at 00:31
  • Rony: Postman ignores cert errors unless you explicitly turn on verification; it's intended for development use where there is no security and no need for it. @Robert: while IME public CAs _issue_ 365 days (maybe 366 for a leap year), CABforum rules allow 397 or 398 days (1 year plus 1 month rounded up) and I'd be astonished if any browser rejects what CABforum allows. (Until recently they allowed roughly 2 years plus 3 months, and before that 3 years plus 3 months.) – dave_thompson_085 May 01 '22 at 11:07
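The comments above explain why a self-signed certificate can only ever be trusted as a root: its issuer is itself. The usual way to avoid importing the server's own certificate into the browser's "Authorities" store is to create a small local CA, issue the server certificate from it, and import only the CA. The script below is an added example (not from the question or the comments) that does this with openssl; it assumes OpenSSL 1.1.1 or later and uses illustrative names such as "Local Dev CA" and the output directory passed as its first argument.

```shell
#!/bin/sh
# Added example (not from the question): a tiny local PKI, so the browser
# trusts one CA certificate and the server uses a separate leaf certificate.
# Assumes OpenSSL 1.1.1 or later; names and paths are illustrative.
set -eu

make_local_pki() {
  dir="$1"
  mkdir -p "$dir"

  # 1. CA key + CSR, then self-sign it with CA extensions. This is the ONLY
  #    certificate that belongs in the browser's "Authorities" store.
  openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.csr" -subj "/CN=Local Dev CA" >/dev/null 2>&1
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$dir/ca.ext"
  openssl x509 -req -sha256 -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" >/dev/null 2>&1

  # 2. Server key + CSR. The key stays on the server; it is never imported.
  openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout "$dir/server.key" \
    -out "$dir/server.csr" -subj "/CN=example.com" >/dev/null 2>&1

  # 3. Leaf extensions: not a CA, server use only, and the SANs the browser
  #    matches against the host name in the URL.
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:example.com,DNS:www.example.com,IP:127.0.0.1' \
    > "$dir/server.ext"

  # 4. Issue the leaf from the CA; 365 days keeps it within browser limits.
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1

  # 5. Validate the chain as a client would; a non-zero exit means it is broken.
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null
}

# True (exit 0) when subject == issuer, i.e. the certificate signed itself.
is_self_signed() {
  s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  [ "$s" = "$i" ]
}

if [ -n "${1:-}" ]; then
  make_local_pki "$1"
  is_self_signed "$1/ca.crt" && echo "ca.crt is self-signed (a root)"
  is_self_signed "$1/server.crt" || echo "server.crt is issued by the CA"
fi
```

The Node server then uses server.key and server.crt, while only ca.crt is imported under "Authorities"; the leaf certificate will fail to import under "Your certificates" for the same reason as in the question, which is expected.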
