
I created my own CA to sign localhost certs. Why does Chromium reject it? I have imported the cert into Chromium.

The output of openssl x509 -text on the signed cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Tennessee, L = Knoxville, O = Demi Obenour, OU = Demi Obenour, CN = localhost, emailAddress = demiobenour@gmail.com
        Validity
            Not Before: Jun  4 03:19:59 2017 GMT
            Not After : Jun  4 03:19:59 2018 GMT
        Subject: C = US, ST = Tennessee, O = Demi Obenour, OU = Demi Obenour, CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Client, S/MIME, Object Signing
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                8A:A9:62:8B:12:CE:43:8E:FB:36:60:90:C3:C9:26:91:B2:3E:7A:C6
            X509v3 Authority Key Identifier: 
                keyid:43:6F:BC:BE:10:86:DE:AF:A9:39:65:5D:29:3C:10:47:F3:30:34:B4

            X509v3 Subject Alternative Name: 
                DNS:localhost, DNS:localhost
    Signature Algorithm: sha256WithRSAEncryption

The output of openssl x509 -text on the CA cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            db:5f:d9:ca:98:3e:71:43
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Tennessee, L = Knoxville, O = Demi Obenour, OU = Demi Obenour, CN = localhost, emailAddress = demiobenour@gmail.com
        Validity
            Not Before: Jun  2 14:46:38 2017 GMT
            Not After : May 31 14:46:38 2027 GMT
        Subject: C = US, ST = Tennessee, L = Knoxville, O = Demi Obenour, OU = Demi Obenour, CN = localhost, emailAddress = demiobenour@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                43:6F:BC:BE:10:86:DE:AF:A9:39:65:5D:29:3C:10:47:F3:30:34:B4
            X509v3 Authority Key Identifier: 
                keyid:43:6F:BC:BE:10:86:DE:AF:A9:39:65:5D:29:3C:10:47:F3:30:34:B4

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption

Edit: The error is NET::ERR_CERT_INVALID

  • What error do you get? – SLaks Jun 05 '17 at 22:30
  • @SLaks see edit – Demi Jun 05 '17 at 22:31
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306) – jww Jun 06 '17 at 00:05


Server Certificate:

X509v3 Key Usage: 
    Digital Signature, Non Repudiation, Key Encipherment

Key Encipherment is RSA key transport. Key transport is now frowned upon, and the move is towards algorithms with forward secrecy. Chrome may be having trouble with it.

The server's certificate also lacks Extended Key Usage (EKU) of Server Authentication. I seem to recall the CA/B Baseline Requirements require it. Chrome may be having trouble with it.

This looks unusual, but I don't think it's causing the failure:

X509v3 Subject Alternative Name: 
    DNS:localhost, DNS:localhost

CA Certificate:

The CA certificate is missing required Key Usage, so the problem could be the CA is not allowed to issue certificates. Effectively you have a CA that can't do anything.

It's unusual to place a hostname in the CA's subject common name. I'm guessing there's something not quite right in your openssl.conf file:

 Issuer: C = US, ST = Tennessee, ..., CN = localhost, emailAddress = demiobenour@gmail.com

Also see How do you sign Certificate Signing Request with your Certification Authority and How to create a self-signed certificate with openssl? The answers detail the bits you need in your certificates and the standard they come from.
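As an added example (not code from the question or the answer), the script below builds a throwaway development CA whose Key Usage permits certificate signing, issues a localhost leaf with the serverAuth EKU and a single DNS SAN, and then checks the result with openssl; all file and directory names are assumptions.

```shell
# Added example (not from the question or the answer): a dev CA whose Key
# Usage allows certificate signing, and a localhost leaf with EKU serverAuth
# and a single SAN, built and checked with openssl. File names are assumptions.
set -eu

# Write ca.crt/ca.key and localhost.crt/localhost.key into directory $1.
make_local_chain() {
    cat > "$1/local.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = localhost
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
EOF
    # CA: self-signed, ca_ext applied; -subj overrides the [dn] section.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/local.cnf" -subj "/CN=Example Local Dev CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt"
    # Leaf: CSR for CN=localhost, signed by the CA with leaf_ext applied.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/local.cnf" \
        -keyout "$1/localhost.key" -out "$1/localhost.csr"
    openssl x509 -req -sha256 -days 365 -in "$1/localhost.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/local.cnf" -extensions leaf_ext -out "$1/localhost.crt"
}

# Succeed only if the leaf chains to the CA for hostname localhost, the CA
# may sign certificates, and the leaf carries the serverAuth EKU.
check_chain() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname localhost \
        "$1/localhost.crt" >/dev/null &&
    openssl x509 -in "$1/ca.crt" -noout -text | grep -q 'Certificate Sign' &&
    openssl x509 -in "$1/localhost.crt" -noout -text |
        grep -q 'TLS Web Server Authentication'
}

WORK="$(mktemp -d)"
make_local_chain "$WORK"
check_chain "$WORK" && echo "chain OK in $WORK"
```

Run it, then inspect the two files with openssl x509 -text to compare their extensions against the dumps in the question.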
