How to get Chrome/browser to accept my SSL cert (signed by intermediate cert for my own CA)
I come from a DEV background, but trying to improve my sec/ops skills to become more versatile.
I've set up my own local certificate authority following this guide (albeit fairly loosely).
I successfully created a root pair (key & cert), an intermediate pair, and a server pair for test.mydomain.com.
I then configured nginx as a service proxy to an Node.js web API (served by Express FWIW). Both nginx and the nodejs service are containerised and I'm just using docker-compose to run this locally. I've also added a hosts entry so that I can access my service using test.mydomain.com. Eventually I want to implement the service-proxy/sidecar pattern in Kubernetes (where nginx and the (micro)service run in the same pod), but for now I'm just trying to get it working in docker.
It was all working over HTTP, so the next step is to get it working for HTTPS (where TLS terminates at the nginx service-proxy and the request then gets proxied to the Node.js service over HTTP). It is working, but I can't get my browser (Chrome running in Windows) to accept my certificate.
I've tried a few combinations of importing certificates into Windows certificate stores including:
- importing the root certificate into the trusted root CAs certificate store
- importing the intermediate certificate into the intermediate CAs certificate store
- chaining the root and intermediate certs and importing to the root CAs certificate store
but I can't get Chrome to accept my certificate.
FYI nginx is configured as follows
ssl_certificate /etc/ssl/test.mydomain.com.cert.pem;
ssl_certificate_key /etc/ssl/private/test.mydomain.com.key.pem;
Should I be chaining the server, intermediate, & root certs for the ssl_certificate setting in nginx?.. and what certificate (or chained certificate) should I be importing to which certificate store?
I also noticed there's a ssl_trusted_certificate nginx setting, which I'm not sure if I should be using...
Cheers, Ryan.
Ok, so I finally got it all working. There were a few things...
I managed to get things working in Firefox first, but Chrome was still failing. This was the clue that I needed - turns out Chrome requires certificates to include one or more Subject Alternative Names as opposed to just a Common Name (which is evidently acceptible to Firefox).
I had to configure Subject Alternative Names when I created and signed the certificate request.
The rest was fairly easy.
In nginx, ssl_certificate is pointing at a chained certificate (server cert + intermediate cert).
and then I had to import the root certificate into the trusted root CAs for the local computer.
Restart chrome and voila:
- "aborting due to insecure configuration" while configuring TLS on Rust rocket server
- How to wrap net.Conn.Read() in Golang
- " An operation was attempted on something that is not a socket" when I try to add SSL authentication
- Error Importing SSL certificate : Not an X.509 Certificate
- SSL verification error at depth 0: unable to get local issuer certificate (20)
- Keycloak SSL setup using docker image
- Make OpenSSL accept expired certificates
- .NET Framework equivalent of IApplicationBuilder.UseForwardedHeaders()
- Setting up SSL on a local xampp/apache server
- Problem when installing Python from source, SSL package missing even though openssl installed
- NGINX to reverse proxy websockets AND enable SSL (wss://)?
- Is it safe sharing Self-signed certificate to other persons?
- curl - Is data encrypted when using the --insecure option?
- SSL certificate installation on Wildfly server
- Enable SSL for my WCF service
- Gracefully Shutdown TLS connection in C OpenSSL
- Google Chrome localhost | NET::ERR_CERT_AUTHORITY_INVALID
- IntelliJ changes cipher spec after I set it in the properties
- How to change/tweak Python 3.10 default SSL settings for requests - sslv3 alert handshake failure
- SSL peer shut down incorrectly in Java
- TLS/SSL Connection for MQTT in java
- Nginx does redirect, not proxy
- kubectl unable to connect to server: x509: certificate signed by unknown authority
- Android System.err: javax.net.ssl.SSLHandshakeException: Handshake failed
- Error when importing ssl in Python 3.7.4 on macOS 10.14.6
- Can send an SSL message via mosquitto but getting CERTIFICATE_VERIFY_FAILED from python paho script
- How to make Python use CA certificates from Mac OS TrustStore?
- How to set Telegram bot webhook?
- Is there a way to make Firefox ignore invalid ssl-certificates?
- How to establish TLS session in python using PKCS11