Create a self-signed root CA certificate that works in Chrome on Ubuntu using openssl

This was really a lot of work as I'm not familiar with SSL and openssl. It took me a few days digging through the net and trying many things to eventually make this work.

I was trying to make an Ubuntu client trust a Windows webserver.

A few things I learned

  • If your certificate only has a Common Name and the Subject Alternative Name (SAN) is not in the cert, Chrome will complain with the error ERR_COMMON_NAME_INVALID.
    • Which is inaccurate and misleading.
    • Apparently, Common Name has been technically obsolete for two decades(!) and the domain name must now be put in the SAN, which requires using an openssl extension.
  • Using New-SelfSignedCertificateEx from Microsoft to generate the cert in Windows, the cert will not be trusted in Ubuntu, for some unknown reason. However, if you install the cert in a Windows client and browse the website, it works.
  • For some applications, you need to have a Friendly Name in the cert.

Steps to do it

The instructions are from the link below:

https://www.ibm.com/support/knowledgecenter/SSZQDR/com.ibm.rba.doc/LD_rootkeyandcert.html

Generate the private key of the root CA:

openssl genrsa -out rootCAKey.pem 2048

Generate the self-signed root CA certificate with the SAN included; the -addext option needs openssl 1.1.1:

openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 -out rootCACert.crt -addext "subjectAltName = DNS:<Your domain name>"

Refer to this Stack Exchange question on how to add the SAN: https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line

Create a pfx file to install on the Windows web server (the -name value becomes the Friendly Name):

openssl pkcs12 -export -out rootCACert.pfx -inkey rootCAKey.pem -in rootCACert.crt -name "<Your domain name>"

Afterwards, import the pfx file into the certificate store of the Windows Server using the Microsoft Management Console and configure your webserver to use this certificate.

For the Ubuntu client, install the certificate into ca-certificates:

sudo cp rootCACert.crt /usr/local/share/ca-certificates

sudo update-ca-certificates

Test using cURL; you may need to configure DNS or the hosts file so the domain name resolves to the server:

curl https://<Your domain name>

Chrome and Firefox use their own certificate stores, so you need to add the certificate through their settings GUI. cURL will still work if the cert doesn't have a SAN, but Chrome will complain as mentioned above.
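The steps above as one script, added here as an example and not part of the original post: it generates the key and the SAN-bearing self-signed cert, exports the pfx, and then checks that the hostname really is in the SAN extension (the check Chrome performs) and that the cert validates against itself. It assumes openssl 1.1.1 or later for -addext; the hostname example.test, the output directory and the pfx password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes openssl >= 1.1.1.
set -eu

# make_san_cert DIR HOST: write rootCAKey.pem, rootCACert.crt and rootCACert.pfx into DIR,
# with HOST in both the CN and the SAN (the SAN is what Chrome checks).
make_san_cert() {
    dir=$1
    host=$2
    openssl genrsa -out "$dir/rootCAKey.pem" 2048 2>/dev/null
    # -subj avoids the interactive prompts; -addext puts the hostname into the SAN
    openssl req -x509 -sha256 -new -nodes -key "$dir/rootCAKey.pem" -days 3650 \
        -subj "/CN=$host" -addext "subjectAltName = DNS:$host" \
        -out "$dir/rootCACert.crt" 2>/dev/null
    # pfx for the Windows server; -name sets the Friendly Name, -passout keeps it
    # non-interactive (constructed password, change it for real use)
    openssl pkcs12 -export -out "$dir/rootCACert.pfx" -inkey "$dir/rootCAKey.pem" \
        -in "$dir/rootCACert.crt" -name "$host" -passout pass:changeit
}

# make_cn_only_cert DIR HOST: the broken variant, with the hostname only in the CN.
# Chrome rejects this with ERR_COMMON_NAME_INVALID even though curl accepts it.
make_cn_only_cert() {
    openssl req -x509 -sha256 -new -nodes -newkey rsa:2048 -keyout "$1/cnonly.key" \
        -subj "/CN=$2" -days 30 -out "$1/cnonly.crt" 2>/dev/null
}

# cert_has_san_dns CERT HOST: succeed only if the SAN extension lists DNS:HOST
# (the line after the "Subject Alternative Name" header in the -text dump).
cert_has_san_dns() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -Eq "DNS:$2(,|\$)"
}

# verify_self_signed CERT: confirm the cert validates with itself as the trust anchor,
# which is what the ca-certificates store does once the cert is installed there.
verify_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}
```

Before copying rootCACert.crt to /usr/local/share/ca-certificates, run cert_has_san_dns on it with your domain name; if it fails, Chrome will fail too.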

Cannot find Certificate when configuring IIS bindings

When configuring bindings, IIS lists only the certificates in the Personal store.

So when generating a certificate using PowerShell or OpenSSL, make sure the cert ends up in the Personal store. Then it will show up when configuring SSL bindings in IIS Manager.

In order for browsers to trust the cert, install the self-signed cert into the Trusted Root Certification Authorities store as well. But don't remove it from the Personal store, because it's needed for the bindings.