1
Software Versions:
Ubuntu Linux 22.04
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Google Chrome 106.0.5249.119

Hi, I'm trying to generate self signed certificates for two way TLS. Server is on an AWS EC2 instance. The web browser is running on the AWS workspace. I've been trying everything I've read online to get Chrome to trust the certificate, but so far no luck.

Here is the generation script:

#!/bin/bash

# Generate CA
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 730 -key ca.key -out ca.crt -config req.conf

# Generate client cert
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -config req.conf
openssl x509 -req -days 730 -in client.csr -CA ca.crt \
  -CAkey ca.key -set_serial 01 -out client.crt

# Generate server cert
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -config req.conf
openssl x509 -req -in server.csr -days 730 -CA ca.crt \
  -CAkey ca.key -set_serial 01 -out server.crt

This is a snapshot of the config file:

enter image description here

The Common Name is set to the IP address, but from what I've read the CN doesn't really matter. The subjectAltName(s) are set to the IP address and every DNS name that the domainname command reported using various options.

When I import ca.crt into Chrome Authorities, I set the trust settings for identifying websites and identifying software makers. The certificate looks fine in the Chrome viewer after I import it. enter image description here

But I keep getting the NET::ERR_CERT_COMMON_NAME_INVALID message. enter image description here

This is the first time I'm trying to do this, so maybe I'm missing something obvious? Let me know if any additional information would be helpful.

Thanks,

Gene

Thank you Mr. President,

Yes, I think the issue is because the ca.crt contains the SANs, but the server.crt does not. I have tried multiple options and cannot seem to get them included. For now I'm going to abandon trying to do two way TLS, since I can make a cert that works for regular TLS with this script.

#!/bin/bash
openssl req -nodes -new -x509 -keyout key.pem -out cert.pem -config req.conf

# The root CA cert must be installed as a trusted root certificate.
sudo rm -r /usr/local/share/ca-certificates/cert.pem
sudo cp cert.pem /usr/local/share/ca-certificates
sudo update-ca-certificates

Gene

geenweb
  • 97
  • 1
  • 7
  • Check and see what the certificate looks like from Chrome's point-of-view. It seems that the certificate the website is using doesn't have SANs. Also, this question might be off-topic here, perhaps better a better fit for [webmasters](https://webmasters.stackexchange.com/). – President James K. Polk Oct 25 '22 at 14:58

0 Answers0