Getting Chrome to accept self-signed localhost certificate

小蘑菇 2020-11-21 11:30

I have created a self-signed SSL certificate for the localhost CN. Firefox accepts this certificate after initially complaining about it, as expected. Chrome and IE, however

30 answers
  •  忘了有多久
    2020-11-21 12:10

    WINDOWS JUN/2017 Windows Server 2012

    I followed @Brad Parks' answer. On Windows you should import rootCA.pem into the Trusted Root Certificates Authorities store.

    I did the following steps:

    openssl genrsa -out rootCA.key 4096
    openssl req -x509 -new -nodes -key rootCA.key -newkey rsa:4096 -sha256 -days 1024 -out rootCA.pem
    openssl req -new -newkey rsa:4096 -sha256 -nodes -keyout device.key -out device.csr
    openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 2000 -sha256 -extfile v3.ext
    

    Where v3.ext is:

    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1 = localhost
    IP.1 = 192.168.0.2
    IP.2 = 127.0.0.1
    

    Then, in my case, I have a self-hosted web app, so I need to bind the certificate to an IP address and port. The certificate should be in the MY store with private key information, so I exported it to pfx format.

    openssl pkcs12 -export -out device.pfx -inkey device.key -in device.crt
    

    With the mmc console (File/Add or Remove Snap-ins/Certificates/Add/Computer Account/LocalComputer/OK) I imported the pfx file into the Personal store.

    Later I used this command to bind the certificate (you could also use the HttpConfig tool):

    netsh http add sslcert ipport=0.0.0.0:12345 certhash=b02de34cfe609bf14efd5c2b9be72a6cb6d6fe54 appid={BAD76723-BF4D-497F-A8FE-F0E28D3052F4}
    

    certhash=Certificate Thumbprint

    appid=GUID (your choice)

    First I tried to import the certificate "device.crt" into Trusted Root Certificates Authorities in different ways, but I was still getting the same error:

    But I realized that I should import the certificate of the root authority, not the certificate for the domain. So I used the mmc console (File/Add or Remove Snap-ins/Certificates/Add/Computer Account/LocalComputer/OK) and imported rootCA.pem into the Trusted Root Certificates Authorities store.

    Restart Chrome and et voilà it works.

    With localhost:

    Or with IP address:

    The only thing I could not fix is that it has an obsolete cipher (red square on picture). Help is appreciated on this point.

    With makecert it is not possible to add SAN information. With New-SelfSignedCertificate (PowerShell) you can add SAN information, and it also works.
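
A check for the two points the answer above turns on, as an added example that is not part of the original answer: whether the leaf certificate carries the host in its subjectAltName (Chrome matches against SAN entries, not the CN) and whether it chains to rootCA.pem. It rebuilds the chain in a temporary directory; the `-subj` values, 2048-bit keys, 30-day lifetimes and the `nosan.crt` comparison certificate are assumptions made for the demo.

```shell
# Added example, not from the answer. Subjects, 2048-bit keys and 30-day
# lifetimes are demo assumptions so this runs fast and without prompts.
# Builds a throwaway root CA and two leaves from one CSR:
#   device.crt signed with v3.ext (has SAN), nosan.crt without -extfile.
build_demo_chain() {
  dir=$1
  cat > "$dir/v3.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 192.168.0.2
IP.2 = 127.0.0.1
EOF
  (
    cd "$dir" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
      -subj "/CN=Demo Local Root CA" -keyout rootCA.key -out rootCA.pem &&
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=localhost" -keyout device.key -out device.csr &&
    openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key \
      -CAcreateserial -out device.crt -days 30 -sha256 -extfile v3.ext &&
    openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key \
      -CAcreateserial -out nosan.crt -days 30 -sha256
  ) >/dev/null 2>&1
}

# Return 0 if NAME ($2) is an exact DNS or IP entry in the subjectAltName of
# CERT ($1). Wildcard entries are not expanded; a cert without SAN returns 1.
san_covers() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed 's/^ *//; s/ *$//' |
    grep -Fqx -e "DNS:$2" -e "IP Address:$2"
}

# Return 0 if CERT ($2) verifies with CA_FILE ($1) supplied as trusted CA.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo=$(mktemp -d) && build_demo_chain "$demo" || exit 1
for c in device.crt nosan.crt; do
  san_covers "$demo/$c" localhost && r=yes || r=no
  echo "$c: SAN covers localhost: $r"
done
chains_to "$demo/rootCA.pem" "$demo/device.crt" && echo "device.crt chains to rootCA.pem"
```

`san_covers` and `chains_to` can be pointed at the real `device.crt` and `rootCA.pem` before importing them into the Windows stores.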
