This was really a lot of work, as I'm not familiar with SSL and openssl. It took me a few days of digging around the net and trying many things to eventually make this work.
I was trying to make an Ubuntu client trust a Windows webserver.
A few things I learned:
- If your certificate only has a Common Name and the domain name is not in the Subject Alternative Name, Chrome will complain with the error ERR_COMMON_NAME_INVALID, which is inaccurate and misleading.
- Apparently, the Common Name has been technically obsolete for 2 decades(!), and the domain name must now be put in the SAN, which requires using an openssl extension.
- A cert generated in Windows with New-SelfSignedCertificateEx from Microsoft will not be trusted in Ubuntu, for some unknown reason. However, if you install the cert in a Windows client and browse the website, it works.
- For some applications, you need to have a Friendly Name in the cert.
Steps to do it:
The instructions are from the link below:
https://www.ibm.com/support/knowledgecenter/SSZQDR/com.ibm.rba.doc/LD_rootkeyandcert.html
Generate the private key of the root CA:
openssl genrsa -out rootCAKey.pem 2048
Generate the self-signed root CA certificate with a SAN (the -addext option requires openssl 1.1.1 or newer):
openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 -out rootCACert.crt -addext "subjectAltName = DNS:<Your domain name>"
Refer to this stackoverflow question on how to add SAN: https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
Create a pfx file to install on the Windows web server:
openssl pkcs12 -export -out rootCACert.pfx -inkey rootCAKey.pem -in rootCACert.crt -name "<Your domain name>"
Afterwards, import the pfx file to the certificate store of the Windows Server using Microsoft Management Console and configure your webserver to use this certificate.
On the Ubuntu client, install the certificate into ca-certificates:
sudo cp rootCACert.crt /usr/local/share/ca-certificates
sudo update-ca-certificates
Test using cURL (you may need to configure DNS or the hosts file so the domain name resolves to the server):
curl https://<Your domain name>
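The same steps as one script, added here as an example and not part of the original post: it generates the key, the self-signed cert with the SAN, and the PFX, and then checks that the domain really is in the SAN, which is exactly what the Chrome error above is about. The function names, the output directory and the PFX export password are choices made for this example; it assumes openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes openssl >= 1.1.1
# (needed for -addext). make_ca_cert, check_san and the default PFX
# password are hypothetical names/values chosen for this example.
set -u

# make_ca_cert DOMAIN OUTDIR [PFX_PASSWORD]
# Writes rootCAKey.pem, rootCACert.crt and rootCACert.pfx into OUTDIR.
make_ca_cert() {
    domain=$1
    outdir=$2
    pfx_pass=${3:-changeit}   # constructed default, replace in real use

    # 1. Private key of the (self-signed) root CA.
    openssl genrsa -out "$outdir/rootCAKey.pem" 2048 2>/dev/null

    # 2. Self-signed cert with the domain in the SAN. -subj replaces the
    #    interactive prompts; note the straight quotes around -addext.
    openssl req -x509 -sha256 -new -nodes \
        -key "$outdir/rootCAKey.pem" -days 3650 \
        -subj "/CN=$domain" \
        -addext "subjectAltName = DNS:$domain" \
        -out "$outdir/rootCACert.crt"

    # 3. PFX for the Windows server; -name becomes the Friendly Name and
    #    -passout replaces the password prompt. On OpenSSL 3, older Windows
    #    versions may reject the default encryption; -legacy works around it.
    openssl pkcs12 -export \
        -inkey "$outdir/rootCAKey.pem" -in "$outdir/rootCACert.crt" \
        -name "$domain" -passout "pass:$pfx_pass" \
        -out "$outdir/rootCACert.pfx"
}

# check_san CERT DOMAIN: succeeds only if DOMAIN appears as a DNS entry
# in the certificate's Subject Alternative Name extension (a name that
# is only in the Common Name does not count).
check_san() {
    openssl x509 -in "$1" -noout -text \
        | tr -d ' ' | tr ',' '\n' | grep -qxF "DNS:$2"
}

# Usage: sh thisfile.sh <domain> [outdir]
if [ $# -gt 0 ]; then
    make_ca_cert "$1" "${2:-.}"
    check_san "${2:-.}/rootCACert.crt" "$1" && echo "SAN ok: DNS:$1"
fi
```

After running it, rootCACert.crt is the file to copy into /usr/local/share/ca-certificates on the Ubuntu client and rootCACert.pfx the one to import on the Windows server.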
Chrome and Firefox use their own certificate stores, so you need to add the certificate through their settings GUI. cURL will still work if the cert doesn't have a SAN, but Chrome will complain as mentioned above.