
Self-signed SSL certificate (added to Keychain and marked Trusted) is displayed Invalid in Chrome


I've created a Root CA and Root PEM. Then I've created mysite.key and mysite.crt for my website running on mysite.localhost. The Root PEM is added to Keychain and is marked as Always Trust.

When I visit my website, on the left of the address bar I see a Not Secure note. When I click on it, it says that the Certificate is Invalid.

However, when I go further in the popup I see a chain where my Root CA cert IS trusted and my website cert IS valid. When I expand the "Trust" section for the website and set it to "Always Trust", those changes are not saved.

What am I doing wrong? I'd like to get rid of this notice since I've marked my certificate as trusted.


UPDATE: I've checked the certificates with openssl s_client:

openssl s_client -connect raceplace.localhost:443

...
depth=0 C = CA, ST = None, L = NB, O = None, CN = raceplace.localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = CA, ST = None, L = NB, O = None, CN = raceplace.localhost
verify error:num=21:unable to verify the first certificate
verify return:1
....

But then I figured out that OpenSSL in the terminal does not use Keychain Access, so I provided the CA root certificate.

And the check succeeds :-\

openssl s_client -connect raceplace.localhost:443 -CAfile /path_to/rootCA.pem

.......
Verify return code: 0 (ok)

Chrome Version 88.0.4324.192, macOS Big Sur 11.2.1


Solution

  • Not sure what the initial Chrome complaint was, but when I visited my page the last time and expanded "Unsafe", "Proceed" and so on, I noticed the error: NET::ERR_CERT_VALIDITY_TOO_LONG. That was because in my generation script I was so greedy that I set a validity period of 999 days, and that was too much for Chrome. I've set 365 days and now it's working.

    I've put my scripts for Root CA generation and Self-signed SSL Certificates generation in my repo. https://github.com/zablik/ssl_cert_generator

    Hope it will help some other people. Any notices are welcomed.

    And thanks to @Allan Wind for helping me in the comments ;)
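As an added illustration (not code from the question or from the linked repository), the following script checks a certificate's validity period against the maximum Chrome accepts before raising NET::ERR_CERT_VALIDITY_TOO_LONG. The thresholds used (398 days for certificates issued on or after 2020-09-01, 825 days for those issued between 2018-03-01 and 2020-08-31) are assumptions taken from Chrome's own validity policy; the sample dates fed in below are constructed.

```python
"""Check whether a certificate's validity period would trip Chrome's
NET::ERR_CERT_VALIDITY_TOO_LONG.  Added illustration, not code from the
question or the linked repository.  The limits below (398 days for
certificates issued on/after 2020-09-01, 825 days for 2018-03-01 to
2020-08-31) are assumptions; confirm them against your Chrome version."""
from datetime import datetime, timedelta, timezone
import subprocess

# Format printed by `openssl x509 -in mysite.crt -noout -dates`
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y"

def parse_openssl_date(value: str) -> datetime:
    """Parse 'notBefore=Mar  1 00:00:00 2021 GMT' (key prefix optional)."""
    value = value.split("=", 1)[-1].strip()
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)

def max_allowed_days(not_before: datetime):
    """Maximum lifetime Chrome accepts for a leaf issued at not_before (assumed)."""
    if not_before >= datetime(2020, 9, 1, tzinfo=timezone.utc):
        return 398
    if not_before >= datetime(2018, 3, 1, tzinfo=timezone.utc):
        return 825
    return None  # older issuance dates are not modelled here

def validity_days(not_before: datetime, not_after: datetime) -> int:
    return (not_after - not_before) // timedelta(days=1)

def check_validity(not_before_line: str, not_after_line: str) -> dict:
    """Return the lifetime in days, the applicable limit and whether it is exceeded."""
    nb, na = parse_openssl_date(not_before_line), parse_openssl_date(not_after_line)
    days, limit = validity_days(nb, na), max_allowed_days(nb)
    return {"days": days, "limit": limit, "too_long": limit is not None and days > limit}

def check_pem_file(path: str) -> dict:
    """Run the openssl CLI on a PEM certificate and check its dates."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-dates"],
                         check=True, capture_output=True, text=True).stdout
    fields = dict(line.split("=", 1) for line in out.strip().splitlines())
    return check_validity(fields["notBefore"], fields["notAfter"])

if __name__ == "__main__":
    # Constructed sample: a leaf issued 2021-02-01 with the 999-day lifetime from the question
    print(check_validity("notBefore=Feb  1 00:00:00 2021 GMT",
                         "notAfter=Oct 28 00:00:00 2023 GMT"))
```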