tl;dr Create a certificate issued by your own CA (see script below)
Here is what I found out. Correct me where I am wrong.
There are CAs (certificate authorities). They issue certificates (sign CSRs) for other CAs (intermediate CAs) or for servers (end-entity certificates). Some of them are root authorities: they have self-signed certificates, issued by themselves. That is, there is usually a chain of trust that goes from a server certificate up to a root certificate, and nobody vouches for the root certificate itself. So an OS has a root certificate store (or trust policy store), a system-wide list of trusted root certificates. Browsers have their own trust stores, which consist of the system list plus the certificates the user has chosen to trust.
In Chromium, you manage certificates at chrome://settings/certificates. In Firefox, Preferences > Privacy & Security > Certificates > View Certificates. Both have an Authorities tab, which is the list of trusted root certificates, and a Servers tab, which is the list of trusted server certificates.
To get a certificate, you create a CSR (certificate signing request) and send it to a CA. The CA signs the CSR, turning it into a trusted certificate in the process.
Certificates and CSRs are a bunch of fields with information plus a public key. Some of the fields are called extensions. A CA certificate is a certificate with basicConstraints = CA:true.
You can check certificate errors in Chromium in Developer Tools > Security.
System-wide trusted certificates
When you change the OS root certificate store, you need to restart the browser. You change it with:
# trust anchor path/to/cert.crt
trust puts CA certificates under the "authority" category, and everything else under "other-entry". CA certificates show up in the Authorities tab in browsers; other certificates show up in the Servers tab.
Firefox does not trust server certificates from the OS root certificate store, unlike Chromium. Both trust CA certificates from the OS root certificate store.
Browser-wide trusted certificates
In Chromium and Firefox, you can add (import) certificates to the Authorities tab. If you try to import a non-CA certificate, you get the "Not a Certificate Authority" message. After choosing a file, a dialog appears where you can specify the trust settings (when to trust the certificate). The relevant option for making a site work is "Trust this certificate for identifying websites."
In Chromium, you can add (import) certificates to the Servers tab. But they go either to the Authorities tab (CA certificates, and after choosing the file no trust settings dialog is shown) or to the Others tab (if the certificate is not a CA one).
In Firefox, you cannot exactly add a certificate to the Servers tab. You add exceptions instead. And you can trust a certificate without any extensions (a poor one).
Self-signed certificate extensions
My system comes with the following default settings (extensions to add) for certificates:
    basicConstraints = critical,CA:true
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
Adapted from /etc/ssl/openssl.cnf, section v3_ca. Read more about it here.
Additionally, Chromium considers a certificate invalid when it does not have subjectAltName = DNS:$domain.
Non-self-signed certificate extensions
From the [ usr_cert ] section of /etc/ssl/openssl.cnf:
    basicConstraints = CA:FALSE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer
When a browser trusts a self-signed certificate
For Chromium to trust a self-signed certificate, it has to have basicConstraints = CA:true and subjectAltName = DNS:$domain. For Firefox, even that is not enough:
    basicConstraints = critical,CA:true
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    subjectAltName = DNS:$domain
When a browser trusts a certificate issued by your own CA
Firefox does not need any extensions, but Chromium requires subjectAltName.
openssl cheat sheet
openssl genpkey -algorithm RSA -out "$domain".key - generate a private key (man)
openssl req -x509 -key "$domain".key -out "$domain".crt - create a self-signed certificate (man)
Without -subj it will prompt for the distinguished name (DN) fields, such as common name (CN), organization (O) and locality (L). You can answer them "in advance": -subj "/CN=$domain/O=$org".
To add the subjectAltName extension, you either need a config where all of this is specified, or you add a section to the config and tell openssl its name with the -extensions switch:
    -config <(cat /etc/ssl/openssl.cnf - <<END
    [ x509_ext ]
    basicConstraints = critical,CA:true
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    subjectAltName = DNS:$domain
    END
    ) -extensions x509_ext
openssl req -new -key "$domain".key -out "$domain".csr - generate a CSR; it also accepts the -subj option (man)
openssl x509 -req -in "$domain".csr -days 365 -out "$domain".crt \
    -CA ca.crt -CAkey ca.key -CAcreateserial - sign a CSR (man)
It does not work without -CAcreateserial, which creates the ca.srl file where the serial number of the last generated certificate is stored. To add subjectAltName, you need the -extfile switch:
    -extfile <(cat <<END
    basicConstraints = CA:FALSE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer
    subjectAltName = DNS:$domain
    END
    )
openssl req -in "$domain".csr -text -noout - view a CSR (man)
openssl x509 -in "$domain".crt -text -noout - view a certificate (man)
Create a self-signed certificate
(you will need an exception in Firefox for it to work)
Generate certificate issued by own CA
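The cheat sheet above as one runnable script, added here as an example (it is not the post's own script): it builds a CA, issues a certificate for $domain with the usr_cert extensions plus subjectAltName, and verifies the chain. It assumes openssl 1.1.x or later on PATH, writes ca.key, ca.crt, ca.srl and the server files to the current directory, and uses a constructed placeholder for the organization name.

```shell
#!/bin/sh
# Added example, not the post's own script: build a private CA and issue a
# server certificate for one domain with the extensions the post lists.
# Assumes openssl 1.1.x on PATH; files are written to the current directory.
set -eu

make_ca_and_server_cert() {
    domain="$1"             # e.g. localhost
    org="${2:-Local Dev}"   # organization (O) for the DN, a constructed value
    days="${3:-365}"

    # Self-contained config: an empty DN section (we pass -subj), the v3_ca
    # extensions for the CA certificate, and the usr_cert extensions plus
    # the subjectAltName Chromium insists on for the server certificate.
    cat > certs.cnf <<END
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[ server_ext ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$domain
END

    # 1. CA private key and self-signed CA certificate (CA:true).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key
    openssl req -x509 -key ca.key -out ca.crt -days "$days" \
        -subj "/CN=$org CA/O=$org" -config certs.cnf -extensions ca_ext

    # 2. Server key and CSR, then sign the CSR with the CA.
    #    -CAcreateserial creates ca.srl on first use.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$domain".key
    openssl req -new -key "$domain".key -out "$domain".csr \
        -subj "/CN=$domain/O=$org" -config certs.cnf
    openssl x509 -req -in "$domain".csr -days "$days" -out "$domain".crt \
        -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile certs.cnf -extensions server_ext
}
# Check the chain the way a browser would: does ca.crt vouch for the server cert?
verify_chain() { openssl verify -CAfile ca.crt "$1".crt >/dev/null; }
# Chromium rejects a certificate without subjectAltName; confirm it is present.
has_san() { openssl x509 -in "$1".crt -noout -text | grep -q "DNS:$1"; }

if [ $# -gt 0 ]; then make_ca_and_server_cert "$@"; fi
```

Run it as `sh make-certs.sh localhost "My Org"`, then add ca.crt to the Authorities tab (or trust anchor it) and point the web server at localhost.crt and localhost.key.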
Web server configuration
Nginx:
    server {
        listen 443 ssl;
        ssl_certificate ssl/localhost.crt;
        ssl_certificate_key ssl/localhost.key;
        ...
    }
Morbo:
    carton exec morbo --listen='https://*:3000?cert=localhost.crt&key=localhost.key' \
        site.pl
PS I am running Chromium 65.0.3325.162, Firefox 59.0 and openssl-1.1.0.g .
Windows
There seems to be no trust utility on Windows. On Windows you have two stores: the Local Machine and the Current User certificate stores. There is no point in using the Local Machine certificate store, since we only want this to work for our current user. Then there are substores, of which two predefined ones are the most interesting: the Trusted Root Certification Authorities and Intermediate Certification Authorities stores, commonly referred to on the command line as root and CA.
You can access the Chrome certificate manager by following chrome://settings/?search=Manage%20certificates and then clicking Manage Certificates. The most interesting tabs are Trusted Root Certification Authorities and Intermediate Certification Authorities.
One way to manage certificates is via the command line:
    >rem list Current User > Trusted Root Certification Authorities store
    >certutil.exe -store -user root
    >rem list Local Machine > Intermediate Certification Authorities store
    >certutil.exe -store -enterprise CA
    >rem GUI version of -store command
    >certutil.exe -viewstore -user CA
    >rem add certificate to Current User > Trusted Root Certification Authorities store
    >certutil.exe -addstore -user root path\to\file.crt
    >rem delete certificate from Current User > Trusted Root Certification Authorities store by serial number
    >certutil.exe -delstore -user root 03259fa1
    >rem GUI version of -delstore command
    >certutil.exe -viewdelstore -user CA
The results are as follows (the same for the Local Machine and Current User stores):
    store | localhost.crt                                      | ca.crt
    root  | error                                              | works, shows up in Trusted Root Certification Authorities tab
    CA    | doesn't work, shows up in Other People tab         | doesn't work, shows up in Intermediate Certification Authorities tab
Other options are double-clicking a certificate in Explorer, importing certificates from the Chrome certificate manager, using the Certificates MMC snap-in (run certmgr.msc), or using CertMgr.exe.
For those who have grep, here is how to quickly check where a certificate ended up:
    >certutil.exe -store -user root | grep "localhost\|^root\|^CA" ^
    & certutil.exe -store -user CA | grep "localhost\|^root\|^CA" ^
    & certutil.exe -store -enterprise root | grep "localhost\|^root\|^CA" ^
    & certutil.exe -store -enterprise CA | grep "localhost\|^root\|^CA"
As such, installing the CA certificate into Current User > Trusted Root Certification Authorities is the best option. And do not forget to restart the browser.
Further reading
OpenSSL
genpkey
req
x509
OpenSSL Certificate Authority
Certificates for localhost
iamaCA - Become your own certification authority and distribute certificates
Firefox and self-signed certificates
Chrome certificate page bypass