Chrome NET::ERR_CERT_AUTHORITY_INVALID error with a self-signed certificate on localhost

I am trying to set up a development environment on my local PC. Since the production site supports HTTPS (who doesn't these days?), I want to have this on localhost as well. I thought it would be easy, but no.

I have an XAMPP installation and configured everything so that I can access the website. However, whenever I go to any page on the local site, I get a warning from Chrome:

NET::ERR_CERT_AUTHORITY_INVALID

I tried to solve this problem as follows:

Getting Chrome to accept a self-signed local certificate

I also created a certificate with the correct Subject Alternative Name (SAN) section based on this:

https://deliciousbrains.com/https-locally-without-browser-privacy-errors/

After that, I generated a CER or P7B file and imported it into Chrome. I restarted both Apache and Chrome.

I put the certificate in Trusted Root Certification Authorities. However, Chrome decided to place it in the Intermediate Certification Authorities ...

I am using Chrome 61; I had the same problem in 60.

So for some reason, I can't install a self-signed certificate and continue to receive this warning, which basically makes it impossible to develop on localhost ...

I understand that self-signing is not entirely trustworthy, but shouldn't there be a way to develop offline? It makes no sense that this is how we should create websites now ...

Any ideas?

3 answers

Here are my instructions using the KeyStore Explorer tool.

The two things that I was previously missing when I created the certificate were:

  • AKID (Authority Key Identifier): select the same "CN=" that you used when creating it.
  • Adding the "Basic Constraints" extension (do not select "CA").

Without these two things, Chrome will generate warnings/errors, even if you installed the self-signed certificate in the MS-CAPI PKI trusted certificate store (as a "Trusted Root Certification Authority").

Here are the steps I used.

Instructions using KSE (KeyStore Explorer)

Create a JKS:

  • Open KeyStore Explorer
  • File | New | JKS | OK
  • Create a password for your JKS file: File | Save as... | enter your password | enter file name | OK

Create a self-signed certificate:

  • Tools | Generate Key Pair
  • Select algorithm and key size (i.e. 2048) | OK
  • Select validity period (i.e. 5 years)
  • Select Name (book icon) | enter the Name fields | OK, i.e. "CN=localhost…<or SERVER_NAME>"
  • Add Extensions (very important): this determines what type of certificate it will be and how it can be used. This example will be for a standard server certificate with SSL.
      • Add the Key Usage item: check the Digital Signature and Key Encipherment options
      • Add the EKU (Extended Key Usage) options; select both of these: TLS Web Client Authentication, TLS Web Server Authentication
      • Add the SANs (Subject Alternative Name): add all the needed DNS names and IP addresses (if applicable) for which this server will be used (repeat for all desired values), e.g. 127.0.0.1 and localhost (or <SERVER_NAME>). When done you will see all the fields with the OIDs (Object Identifiers) listed | OK | OK
      • Add the AKID (Authority Key Identifier): Add Extensions "+" | Add Extension Type | Authority Key Identifier; select the Authority Cert Issuer of the CN that you created above (e.g. "CN=localhost...") | OK
      • Add a "Basic Constraints" extension (do NOT check "Subject is a CA")
  • When you're done you'll see these listed; hit "OK"

Note: the Basic Constraints and AKID (Authority Key Identifier) are needed for the Chrome browser to validate the self-signed certificate as a trusted certificate. Otherwise you'll see warning or error messages even after you have added this certificate, explicitly, to your MS-CAPI Trusted Root certificates.

  • Enter the alias of the key pair name you want to use
  • Enter the private key pair password. Note: this password MUST be the same as the JKS file keystore password or Java may fail silently when trying to use this certificate.
  • You should see a message indicating success | OK
  • Then save the file: File | Save

I fixed the exact same problem by following this.

The problem seemed to be related to how the certificate was created.

Below is the code from the link above.

 #!/usr/bin/env bash
 # Script 1: create a private root CA. The key is passphrase-protected (-des3),
 # so openssl will prompt for a passphrase here and again when signing below.
 mkdir -p ~/ssl/
 openssl genrsa -des3 -out ~/ssl/rootCA.key 2048
 openssl req -x509 -new -nodes -key ~/ssl/rootCA.key -sha256 -days 1024 -out ~/ssl/rootCA.pem

 #!/usr/bin/env bash
 # Script 2: create the server key and CSR from server.csr.cnf, then sign the
 # CSR with the root CA, adding the extensions from v3.ext. No sudo is needed
 # (it also breaks the original "-config <( cat ... )" process substitution,
 # since sudo closes inherited file descriptors); -config takes the file directly.
 openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server.csr.cnf
 openssl x509 -req -in server.csr -CA ~/ssl/rootCA.pem -CAkey ~/ssl/rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext

server.csr.cnf file

 [req]
 default_bits = 2048
 prompt = no
 default_md = sha256
 distinguished_name = dn

 [dn]
 C = US
 ST = New York
 L = Rochester
 O = End Point
 OU = Testing Domain
 emailAddress = your-administrative-address@your-awesome-existing-domain.com
 CN = localhost

v3.ext file

 authorityKeyIdentifier = keyid,issuer
 basicConstraints = CA:FALSE
 keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
 subjectAltName = @alt_names

 [alt_names]
 DNS.1 = localhost
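One way to automate what the KeyStore Explorer steps and the openssl scripts above both do, as an added example that is not code from either answer or from the linked guide: a shell script that issues a localhost certificate from a private dev CA with the extensions this page identifies (SAN, EKU, AKID, basicConstraints CA:FALSE) and then runs a pre-flight check with openssl verify and openssl x509 -text, so a missing extension is caught before the CA is imported into any trust store. The directory and hostname arguments, the "Local Dev CA" name and the 127.0.0.1 IP SAN are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the answers above: issue a localhost certificate
# from a private dev CA with the extensions Chrome checks (SAN, EKU, AKID,
# CA:FALSE), then verify chain and extensions before touching any trust store.
set -eu

# Create CA + leaf in directory $1 for hostname $2 (default localhost).
make_dev_cert() {
  dir=$1; host=${2:-localhost}
  mkdir -p "$dir"
  # Throwaway CA: an unencrypted key is fine for a local dev CA; keep it out of git.
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
    '[dn]' 'CN = Local Dev CA' '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > "$dir/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$dir/ca.cnf" \
    -keyout "$dir/rootCA.key" -out "$dir/rootCA.pem" 2>/dev/null
  # Leaf CSR: the CN alone is not enough, Chrome only matches the SAN.
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' '[dn]' "CN = $host" > "$dir/leaf.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/leaf.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  # Leaf extensions: the page's v3.ext plus a serverAuth EKU and a loopback IP SAN.
  printf '%s\n' 'authorityKeyIdentifier = keyid,issuer' 'basicConstraints = CA:FALSE' \
    'keyUsage = digitalSignature,keyEncipherment' 'extendedKeyUsage = serverAuth' \
    "subjectAltName = DNS:$host,IP:127.0.0.1" > "$dir/v3.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/v3.ext" -out "$dir/server.crt" 2>/dev/null
}

# Pre-flight check: prints "ok" and returns 0 only if the leaf chains to the CA and
# carries every extension the answers above identify as required; otherwise it
# prints the first missing item and returns 1.
check_dev_cert() {
  dir=$1; host=${2:-localhost}
  openssl verify -CAfile "$dir/rootCA.pem" "$dir/server.crt" >/dev/null 2>&1 \
    || { echo "chain does not verify"; return 1; }
  text=$(openssl x509 -in "$dir/server.crt" -noout -text)
  has() { printf '%s\n' "$text" | grep -q "$1"; }
  has "DNS:$host"                     || { echo "missing SAN $host"; return 1; }
  has "TLS Web Server Authentication" || { echo "missing EKU serverAuth"; return 1; }
  has "CA:FALSE"                      || { echo "missing basicConstraints CA:FALSE"; return 1; }
  has "Authority Key Identifier"      || { echo "missing AKID"; return 1; }
  echo ok
}

# Usage: make_dev_cert ./dev-ssl localhost && check_dev_cert ./dev-ssl localhost
# then import rootCA.pem (never rootCA.key) into the browser/OS trust store.
```

Only the CA certificate (rootCA.pem) goes into the trust store; the CA key stays on disk outside version control, because anyone holding it can issue certificates that every browser trusting that CA will accept.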

There is a large Java-based GUI utility that I use to create and manage all of the PKI things, called KeyStore Explorer. It is much simpler than all the command-line options:

http://keystore-explorer.org/


Source: https://habr.com/ru/post/1272020/
