self-signed certificate SAN property - google-chrome

I want to make a self-signed certificate for my website. I made it like the link here, but the site is for Chrome version 57 or older. So it works with Chrome version 57 but not 58. I read that I need to add the SAN property for 58 or higher.
I wanted to ask where I need to add the SAN property, and how?

You can do it with PowerShell. As stated in the documentation:
This example creates a self-signed SSL server certificate in the computer MY store with the Subject Alternative Name set to www.fabrikam.com, www.contoso.com and Subject and Issuer name set to www.fabrikam.com.
New-SelfSignedCertificate -DnsName www.fabrikam.com, www.contoso.com -CertStoreLocation cert:\LocalMachine\My
If for some reason you need to customize the certificate more than New-SelfSignedCertificate can handle, you can use XCA. It is built on top of OpenSSL and by default has a template for SSL servers. Documentation can be found here.

Related

What are the new requirements for certificates in Chrome?

Chrome now throws NET::ERR_CERT_INVALID for some certificates that are supported by other browsers.
The only clue I can find is in this list of questions about the new Chrome Root Store that is also blocking enterprise CA installations.
https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/faq.md
In particular,
The Chrome Certificate Verifier will apply standard processing to include checking:
the certificate's key usage and extended key usage are consistent with TLS use-cases.
the certificate validity period is not in the past or future.
key sizes and algorithms are of known and acceptable quality.
whether mismatched or unknown signature algorithms are included.
that the certificate does not chain to or through a blocked CA.
conformance with RFC 5280.
I verified my certificates work as expected in Edge.
Further, I verified the certificate is version "3", has a 2048-bit key, and has the extended key usage for server authentication.
I still don't understand which "standard" this certificate is expected to conform to when the browser only says "invalid". Is there a simple template or policy I can use?
Chrome now rejects TLS certificates containing a variable known as pathLenConstraint or sometimes displayed as Path Length Constraint.
I was using certificates issued by Microsoft Active Directory Certificate Services. The Basic Constraints extension was enabled, and the AD CS incorrectly injects the Path length Constraint=0 for end entity, non-CA certificates in this configuration.
The solution is to issue certificates without Basic Constraints. Chrome is equally happy with Basic Constraints on or off, so long as the path length variable is not present.
One of the better resources for troubleshooting was this Certificate Linter:
https://crt.sh/lintcert
It found several errors in the server certificate, including the path length set to zero.
I also found a thread discussing a variety of Certificate Authorities that would issue certificates the same way, so it is a fairly common issue.
https://github.com/pyca/cryptography/issues/3856
Another good resource was the smallstep open source project that I installed as an alternative CA. After generating a generic certificate, the invalid cert error went away and I realized there was something going on between the Microsoft and Google programs.
The best favour you can do yourself is to run Chrome with debug logging to find the exact cause of the issue:
chrome --enable-logging --v=1
This, I believe, will print:
ERROR: Target certificate looks like a CA but does not set all CA properties
Meanwhile it seems they have reverted this verification, which if I'm not mistaken will be released as Chrome 111 in the beginning of March.
See: https://chromium-review.googlesource.com/c/chromium/src/+/4119124
Following @Robert's answer, I used https://crt.sh/lintcert to fix all the issues that I had, so my self-signed certificate will keep on working, as it suddenly stopped working and I got NET::ERR_CERT_INVALID.
Here's how I did it:
# https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
cat > "$_X509V3_CONFIG_PATH" << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=critical,CA:true
keyUsage=critical,digitalSignature,nonRepudiation,cRLSign,keyCertSign
subjectAltName=@alt_names
issuerAltName=issuer:copy
subjectKeyIdentifier=hash
[alt_names]
DNS.1=somesubdomain.mydomain.com.test
EOF
# -extfile consumes the extensions file written above
openssl x509 -req \
-days "$_ROOTCA_CERT_EXPIRE_DAYS" \
-in "$_ROOTCA_PEM_PATH" \
-signkey "$_ROOTCA_KEY_PATH" \
-extfile "$_X509V3_CONFIG_PATH" \
-out "$_DOMAIN_CRT_PATH"
Following the above, these are my remaining lint errors/issues; even though there's a single ERROR, my Chrome browser trusts the root CA and the self-signed certificate:
cablint WARNING CA certificates should not include subject alternative names
cablint INFO CA certificate identified
x509lint ERROR AKID without a key identifier
x509lint INFO Checking as root CA certificate
For those of you who wish to generate a self-signed certificate for local development with HTTPS, the following gist does the trick: https://gist.github.com/unfor19/37d6240c35945b5523c77b8aa3f6eca0
Usage:
curl -L --output generate_self_signed_ca_certificate.sh https://gist.githubusercontent.com/unfor19/37d6240c35945b5523c77b8aa3f6eca0/raw/07aaa1035469f1e705fd74d4cf7f45062a23c523/generate_self_signed_ca_certificate.sh && \
chmod +x generate_self_signed_ca_certificate.sh
./generate_self_signed_ca_certificate.sh somesubdomain.mydomain.com
# Will automatically create a self-signed certificate for `somesubdomain.mydomain.com.test`

How to debug self signed certificate?

I have created a self-signed certificate and imported the CA cert into Trusted Root Certification Authorities, but Chrome still gives me ERR_CERT_COMMON_NAME_INVALID. I have followed this guide: https://gist.github.com/jchandra74/36d5f8d0e11960dd8f80260801109ab0. When opening the domain in Chrome, the PEM encoded chain gives me the server and the certificate I supplied. I set both commonName and DNS.1 under alt_names to my.site.com and started chrome --host-rules="MAP my.site.com 127.0.0.1". How could I debug this? How can I check whether Chrome sees the CA I imported, and whether it tries to use it with the cert Apache supplies?
If I bypass the warning, under security in Developer Tools I see "Certificate - valid and trusted. The connection to this site is using a valid, trusted server certificate issued by unknown name." but "Certificate - missing This site is missing a valid, trusted certificate (net::ERR_CERT_COMMON_NAME_INVALID)."
What I would like to see is something like "In field X of the certificate, expected Y, got Z".
Once chrome --host-rules="MAP my.site.com 127.0.0.1" is supplied, Chrome does not look for a certificate for my.site.com; instead it wants one for 127.0.0.1.
Make sure you have IP.1 = 127.0.0.1 in your alt_names section.
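The two openssl-related points above (the extensions-file answer that signs with -extfile, and the note that a --host-rules mapping to 127.0.0.1 needs an IP SAN) fit together in one script. This is an added example, not code from any answer on this page or from the linked gists: it builds a local root CA and a separate CA-signed leaf certificate with the properties Chrome 58+ checks (a SAN carrying both a DNS name and an IP address, CA:FALSE with no pathLenConstraint on the leaf, and a serverAuth EKU), then inspects the leaf field by field so a mismatch is reported as "field: expected Y" rather than a bare ERR_CERT_* code. It assumes an `openssl` binary (1.1.1 or newer) on PATH; the hostname, CA name and file paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the answers above): local root CA + CA-signed leaf
# with a DNS and an IP SAN, then a field-by-field check of the leaf.
# Assumes openssl 1.1.1+ on PATH; hostname, CA name and paths are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"
HOST="somesubdomain.mydomain.com.test"     # constructed hostname
IP="127.0.0.1"
CA_CNF="$WORK/ca.cnf";   CA_KEY="$WORK/rootca.key"; CA_CRT="$WORK/rootca.crt"
LEAF_CNF="$WORK/leaf.cnf"; LEAF_KEY="$WORK/leaf.key"
LEAF_CSR="$WORK/leaf.csr"; LEAF_CRT="$WORK/leaf.crt"

# Root CA: CA:TRUE, keyCertSign, and no SAN (cablint warns about SANs on CAs).
make_root_ca() {
  cat > "$CA_CNF" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Local Dev Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$CA_CNF" -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null
}

# Leaf: CA:FALSE, no pathlen, serverAuth EKU, DNS and IP SANs.
# The [v3_leaf] section is what -extfile consumes when the CA signs the CSR.
make_leaf() {
  cat > "$LEAF_CNF" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $HOST
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt_names
[alt_names]
DNS.1 = $HOST
IP.1 = $IP
EOF
  openssl req -new -config "$LEAF_CNF" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$LEAF_KEY" -out "$LEAF_CSR" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$LEAF_CSR" \
    -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
    -extfile "$LEAF_CNF" -extensions v3_leaf -out "$LEAF_CRT" 2>/dev/null
}

# Checks one leaf certificate against a hostname and an IP: prints the first
# failing field and returns 1, returns 0 when every field Chrome looks at is fine.
check_leaf() {
  cert="$1"; host="$2"; ip="$3"
  text=$(openssl x509 -in "$cert" -noout -text)
  echo "$text" | grep -q "CA:FALSE" \
    || { echo "basicConstraints: expected CA:FALSE"; return 1; }
  ! echo "$text" | grep -qi "pathlen" \
    || { echo "basicConstraints: pathLenConstraint must be absent"; return 1; }
  echo "$text" | grep -q "TLS Web Server Authentication" \
    || { echo "extendedKeyUsage: expected serverAuth"; return 1; }
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" \
    || { echo "subjectAltName: expected DNS:$host"; return 1; }
  openssl x509 -in "$cert" -noout -checkip "$ip" | grep -q "does match" \
    || { echo "subjectAltName: expected IP Address:$ip"; return 1; }
  openssl verify -CAfile "$CA_CRT" "$cert" >/dev/null 2>&1 \
    || { echo "chain: leaf does not verify against $CA_CRT"; return 1; }
  return 0
}

# Build both certificates and run the check on the leaf.
build_and_check() { make_root_ca && make_leaf && check_leaf "$LEAF_CRT" "$HOST" "$IP"; }
```

Run `build_and_check` to produce rootca.crt (import that one into the trust store) and leaf.crt/leaf.key (serve those). `check_leaf` can be pointed at any PEM certificate and the hostname and IP you expect to browse to, which is the quickest way to see which field Chrome is objecting to.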

How to use self-signed certificate with Postman

I'm using Postman to test my API.
It works fine in dev env as I'm calling my server in http.
However, on the acceptance testing platform the server is in https and we are using a self-signed certificate.
When I try to make the call via Postman I get "Could not get any response", and it's written underneath that SSL connections are being blocked, with a link to this page.
However, as noted in the comment, this does not work anymore for self-signed certificates and the latest Chrome release.
For info, I'm using Version 59.0.3071.115 (Build officiel) (64 bits)
When I go into Google settings, then certificates: chrome://settings/certificates
And I try to import an authority certificate, I get an error popup that says that my authority is not a certificate authority and it won't allow me to import it.
As I'm on Linux, I tried to do what is detailed there: https://superuser.com/questions/1201552/not-a-certification-authority-while-importing-self-signed-certificate
But even though I see my certificate when I call
certutil -d sql:$HOME/.pki/nssdb -L
It still won't allow me to import it in Google.
So how can one use a self-signed certificate under Linux with Postman?
EDIT: I was using the version from the Chrome web store, which is lacking SSL support. Downloaded the standalone and, as @Pratik Mandrekar wrote, it works fine!
You can disable SSL certificate verification in Postman: Settings -> SSL certificate verification, as shown below.

Getting net::ERR_CERT_COMMON_NAME_INVALID

I'm getting this error on Chrome (v 59.0.3071.109), I have tried a couple of answers without any luck.
This is what shows in the security tab:
The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address
There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).
I followed this tutorial to create the certificate with these values:
CN = localhost
OU = ort
O = ort
L = montevideo
S = MVD
C = UY
And this is my host https://localhost:8181/Gateway-war/
So far I have tried:
Enabling this flag: chrome://flags/#allow-insecure-localhost
Adding --ignore-certificate-errors to the Chrome shortcut; it shows a message saying this command isn't allowed because it affects security and stability
Using this workaround: reg add HKLM\Software\Policies\Google\Chrome /v EnableCommonNameFallbackForLocalAnchors /t REG_DWORD /d 1
In all the cases I restarted Chrome before trying it out.
Maybe my CN should be something more than localhost?
Any ideas are welcome
When you have configured your certificate right, you don't have to do all those workarounds to make it work. All you have to do is add the SubjectAltName extension to your certificate to make the browser happy.
I assume you must be using a self-signed certificate. If so, your certificate must look like this for the 'SubjectAltName' extension. You could use keystore-explorer (an open-source GUI for keytool) to generate your certificate like this:
If it is CA-signed, you need to make sure you send these extension attributes in your CSR.
You need to create a certificate with the "Subject Alternative Name". If using Windows, one can use PowerShell. The certificate will be stored in the Windows certificate store. You can access the certificates via certlm.msc, from which they can then be exported to a drive in certmgr.msc. An example of a certificate with "Subject Alternative Name" is below, using the TextExtension parameter of New-SelfSignedCertificate.
New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -NotAfter (Get-Date).AddYears(10) -FriendlyName "My Network Name" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -TextExtension @("2.5.29.17={text}dns=*.example.com&ipaddress=192.168.1.1")

What exactly does it mean when Chrome reports 'invalid certificate transparency information was supplied by the server?'

I have recently installed an SSL certificate.
I bought it on http://ssls.com/ (RapidSSL).
But when I click the green https:// in the URL bar in Chrome (when I am on my website),
Chrome reports 'invalid certificate transparency information was supplied by the server?'
What's wrong?
What can I do to fix it?
http://prntscr.com/bqxp7m
I am using cPanel.
Also, when I am on another page such as site.com/blog, there isn't any green https tab up there.
You need to contact your SSL provider and ask them to submit your certificate to the certificate transparency program: https://www.certificate-transparency.org/
or buy a certificate from a provider that automatically does it for you, such as https://www.ssltrust.com.au
Same problem here: Avast replaced my intermediate certificate with its own. Disable Avast, restart the browser, and it's OK now.