
Generated a self-signed root certificate using makecert.exe and imported it into Trusted Root Certification Authorities.

Since Mozilla Firefox has its own list of Certification Authority (CA) certificates, I imported the self-signed certificate into Firefox's Authority certificates list.

Generated a derived certificate with `CN=*.test.com`.

Set up a proxy server which uses the self-signed certificate.

When browsing something.test.com with Internet Explorer and Chrome, the certificate is accepted and no security warning is shown. Firefox shows the error message

'something.test.com uses an invalid security certificate. The certificate is only valid for *.test.com (Error code: ssl_error_bad_cert_domain)'.

The problem seems to be about using a wildcard in the CN, because if I generate the derived certificate with `CN=something.test.com` no error is shown in any of the browsers.

tchelidze
  • I have no idea how your certificate really looks like. But the wildcard must be in the subject alternative name and not CN so that it works with all browsers. If you still have problems please post the certificates you have used to that one can actually reproduce your problem. – Steffen Ullrich Nov 05 '15 at 13:46
  • Thanks for the reply. I am creating the Root and derived certificates with the following commands, respectively: `makecert.exe -ss Root -n "CN=RootCAName, O=Some Org" -sky signature -cy authority -m 120 -a sha256 -eku 1.3.6.1.5.5.7.3.1 -b 11/02/2015 -h 1 -r` and `makecert.exe -ss My -n "CN=*.facebook.com, O=Some Org" -sky exchange -cy end -m 120 -a sha256 -eku 1.3.6.1.5.5.7.3.1 -b 11/03/2015 -pe -in "RootCAName" -is Root` – tchelidze Nov 05 '15 at 13:51
  • "If you still have problems please post the certificates you have used to that one can actually reproduce your problem" - I see no certificates only instructions. If you want to have help from others make it easy for them to reproduce your problem. Also, add details in a well-readable format to your question and don't throw them in an unreadable way into some comment. – Steffen Ullrich Nov 05 '15 at 14:26
  • You are right, the commands are not well formatted. I thought that it would be easier to show the exact command with which the certificate was created, to see all of the configuration parameters, rather than sending .cer files (since with those commands the .cer files can be created easily). – tchelidze Nov 05 '15 at 14:50
  • It does not matter which tool was used for creation of the certificates but the contents of the certificates matter. Apart from that not everybody has makecert.exe (there are OS outside of windows). – Steffen Ullrich Nov 05 '15 at 15:05
  • Okay Steffen, my goal is to find a solution, not to argue with site users, so I will be glad if you can give me some suggestion. – tchelidze Nov 05 '15 at 15:17
  • My suggestion was to provide the certificates so that one could have a closer look at what's going on and maybe reproduce the problem. – Steffen Ullrich Nov 05 '15 at 15:31
  • ***`CN=www.example.com`*** is probably wrong. Hostnames always go in the *SAN*. If it's present in the *CN*, then it must be present in the *SAN* too (you have to list it twice in this case). For more rules and reasons, see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) You will also need to place the self-signed certificate in the appropriate trust store. – jww Dec 17 '17 at 19:32

1 Answer

Solved the problem by using a Multi-Domain (SAN) certificate.

makecert.exe is unable to generate a SAN certificate; at least I can't find out how.

Used OpenSSL to generate a SAN certificate and it worked.

The OpenSSL PKI Tutorial is a good resource on how to generate a SAN certificate.

tchelidze
  • Also see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) You will also need to place the self-signed certificate in the appropriate trust store. – jww Dec 17 '17 at 19:31
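Added example, not the poster's commands and not taken from the OpenSSL PKI Tutorial the answer mentions: an OpenSSL equivalent of the two makecert.exe commands quoted in the comments, with the wildcard placed in `subjectAltName` as the answer and the comments recommend, followed by the same hostname check a browser performs. The root CA name, `test.com`, file names and the temporary directory are all placeholders; it assumes OpenSSL 1.1.1 or later is on PATH.

```shell
#!/bin/sh
# Added example: root CA + leaf certificate whose wildcard lives in the SAN.
# Assumes OpenSSL 1.1.1+ on PATH. Every name and path below is made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1. Self-signed root CA. CA:TRUE + keyCertSign is what lets it issue leaf certs
#    (the makecert equivalent was "-cy authority -sky signature -r").
make_root_ca() {
    cat > rootca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = RootCAName
O = Some Org
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config rootca.cnf -keyout rootca.key -out rootca.pem 2>/dev/null
}

# 2. Leaf CSR, then sign it with the root. The wildcard is repeated in the CN
#    only for display; browsers match hostnames against the SAN dNSName list.
make_leaf_cert() {
    cat > leaf.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = *.test.com
O = Some Org
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config leaf.cnf -keyout leaf.key -out leaf.csr 2>/dev/null
    # Extensions applied at signing time: serverAuth EKU (OID 1.3.6.1.5.5.7.3.1)
    # plus the SAN carrying both the wildcard and the bare domain.
    cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.test.com, DNS:test.com
EOF
    openssl x509 -req -sha256 -days 365 -in leaf.csr \
        -CA rootca.pem -CAkey rootca.key -CAcreateserial \
        -extfile leaf.ext -out leaf.pem 2>/dev/null
}

# 3. What a client does: validate the chain to the trusted root, then check the
#    requested hostname against the certificate. Returns 0 only if both pass.
host_is_covered() {
    openssl verify -CAfile rootca.pem leaf.pem >/dev/null 2>&1 &&
    openssl x509 -in leaf.pem -noout -checkhost "$1" | grep -q "does match"
}

# Show where the wildcard ended up, so the SAN can be compared with the CN.
show_san() {
    openssl x509 -in leaf.pem -noout -text | grep -A1 "Subject Alternative Name"
}

make_root_ca
make_leaf_cert
show_san
```

Import `rootca.pem` into the trust stores mentioned in the question (Windows Trusted Root Certification Authorities and Firefox's Authorities list) and serve `leaf.pem` with `leaf.key`. `host_is_covered something.test.com` succeeds, while `host_is_covered a.b.test.com` fails because a single wildcard label only covers one level of subdomain, which is the same rule behind Firefox's "only valid for *.test.com" message.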