{"id":730,"date":"2020-06-04T02:41:43","date_gmt":"2020-06-04T02:41:43","guid":{"rendered":"https:\/\/bruceng.com\/dev\/?p=730"},"modified":"2020-06-10T06:33:13","modified_gmt":"2020-06-10T06:33:13","slug":"create-a-self-signed-root-ca-certificate-that-works-in-chrome-in-ubuntu-using-openssl","status":"publish","type":"post","link":"https:\/\/bruceng.com\/dev\/?p=730","title":{"rendered":"Create a self signed root CA certificate that works in Chrome in Ubuntu using openssl"},"content":{"rendered":"\n<p>This was really a lot of work as I&#8217;m not familiar with SSL and openssl. It took me a few days of digging the net and trying many things to eventually make this work.<\/p>\n\n\n\n<p>I was trying to make an Ubuntu client trust a Windows web server.<\/p>\n\n\n\n<p>A few things I learned:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>If your certificate only has a Common Name and the Subject Alternative Name is not in the cert, Chrome will complain with the error ERR_COMMON_NAME_INVALID<ul><li>Which is inaccurate and misleading.<\/li><li>Apparently, Common Name has been technically obsolete for 2 decades(!) and the domain name must now be put in the SAN, which requires using an openssl extension.<\/li><\/ul><\/li><li>If you use New-SelfSignedCertificateEx from Microsoft to generate the cert in Windows, the cert will not be trusted in Ubuntu, for some unknown reason. 
However, if you install the cert in a Windows client and browse the website, it works.<\/li><li>For some applications, you need to have a Friendly Name in the cert.<\/li><\/ul>\n\n\n\n<p>Steps to do it:<\/p>\n\n\n\n<p>Instructions are from the link below:<\/p>\n\n\n\n<p><a href=\"https:\/\/www.ibm.com\/support\/knowledgecenter\/SSZQDR\/com.ibm.rba.doc\/LD_rootkeyandcert.html\">https:\/\/www.ibm.com\/support\/knowledgecenter\/SSZQDR\/com.ibm.rba.doc\/LD_rootkeyandcert.html<\/a><\/p>\n\n\n\n<p>Generate the private key of the root CA:<\/p>\n\n\n\n<p>openssl genrsa -out rootCAKey.pem 2048<\/p>\n\n\n\n<p>Generate the self-signed root CA certificate with a SAN; the -addext option needs openssl 1.1.1. Use straight (ASCII) double quotes in the shell, not typographic ones:<\/p>\n\n\n\n<p>openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 -out rootCACert.crt -addext \"subjectAltName = DNS:&lt;Your domain name&gt;\"<\/p>\n\n\n\n<p>Refer to this Security Stack Exchange question on how to add a SAN: <a href=\"https:\/\/security.stackexchange.com\/questions\/74345\/provide-subjectaltname-to-openssl-directly-on-the-command-line\">https:\/\/security.stackexchange.com\/questions\/74345\/provide-subjectaltname-to-openssl-directly-on-the-command-line<\/a><\/p>\n\n\n\n<p>Create a pfx file to install on the Windows web server:<\/p>\n\n\n\n<p>openssl pkcs12 -export -out rootCACert.pfx -inkey rootCAKey.pem -in rootCACert.crt -name \"&lt;Your domain name&gt;\"<\/p>\n\n\n\n<p>Afterwards, import the pfx file into the certificate store of the Windows Server using the Microsoft Management Console and configure your web server to use this certificate.<\/p>\n\n\n\n<p>For the Ubuntu client, install it into ca-certificates:<\/p>\n\n\n\n<p>sudo cp rootCACert.crt \/usr\/local\/share\/ca-certificates<\/p>\n\n\n\n<p>sudo update-ca-certificates<\/p>\n\n\n\n<p>Test using cURL; you may need to configure DNS or the hosts file:<\/p>\n\n\n\n<p>curl https:\/\/&lt;Your domain name&gt;<\/p>\n\n\n\n<p>Chrome and Firefox use their own certificate stores, so you need to add the certificates through their 
settings GUI. cURL will still work if the cert doesn&#8217;t have a SAN, but Chrome will complain as mentioned above.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This was really a lot of work as I&#8217;m not familiar with SSL and openssl. It took me a few days of digging the net and trying many things to eventually make this work. I was trying to make an Ubuntu client trust a Windows web server. A few things I learned: If your certificate only has &hellip; <a href=\"https:\/\/bruceng.com\/dev\/?p=730\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Create a self signed root CA certificate that works in Chrome in Ubuntu using openssl&#8221;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,14],"tags":[87,107,86],"class_list":["post-730","post","type-post","status-publish","format-standard","hentry","category-problems","category-tips-and-tricks","tag-certificates","tag-openssl","tag-security"],"_links":{"self":[{"href":"https:\/\/bruceng.com\/dev\/index.php?rest_route=\/wp\/v2\/posts\/730","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bruceng.com\/dev\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bruceng.com\/dev\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bruceng.com\/dev\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/bruceng.com\/dev\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=730"}],"version-history":[{"count":6,"href":"https:\/\/bruceng.com\/dev\/index.php?rest_route=\/wp\/v2\/posts\/730\/revisions"}],"predecessor-version":[{"id":738,"href":"https:\/\/bruceng.com\/dev\/index.php?rest_route=\/wp\/v2\/posts\/730\/revisions\/738"}],"wp:attachment":[{"href":"https:\/\/bruceng.com\/dev\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=730"}],"w
p:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bruceng.com\/dev\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=730"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bruceng.com\/dev\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=730"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}