
I am creating a local app that starts a web server at localhost:8080. I am trying to create a certificate for it so that I can access it over HTTPS, but I am having a hard time doing this.

First I created my own CA, and then I created a certificate with localhost:8080 as the common name. Then I added my CA to the trusted authorities on my computer (I am using Windows 10, by the way). However, when I opened my site I got the BAD_CERT_DOMAIN error in both Firefox and Chrome.

I also tried to create another certificate using 127.0.0.1:8080 as the common name, but it also didn't work.

What am I doing wrong? Do these browsers always reject certificates with localhost as the CN?

UPDATE

I created a configuration file like this:

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN or YOUR name)

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = localhost
DNS.2 = localhost:8080
DNS.3 = localhost:12125
DNS.4 = localhost:12126
DNS.5 = 127.0.0.1:8080
DNS.6 = 127.0.0.1:12125
DNS.7 = 127.0.0.1:12126
DNS.8 = 127.0.0.1
IP.1 = 127.0.0.1

And these are the commands that I am using to generate my certificate:

Signing request: openssl req -out myrequest.csr -newkey rsa:2048 -nodes -keyout mykey.key -config myconfig.conf

When I ran this command, the CN was localhost 127.0.0.1

Signing with my CA: openssl x509 -req -in myrequest.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out mycertificate.crt -days 36500 -sha256

However, I am still getting BAD_CERT_DOMAIN in both Firefox and Google Chrome, even after I tell them to trust my own CA.

Felipe
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. – jww Dec 17 '17 at 18:13
  • ***`CN=www.example.com`*** is probably wrong. Hostnames always go in the *SAN*. If it's present in the *CN*, then it must be present in the *SAN* too (you have to list it twice in this case). For more rules and reasons, see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) You will also need to place the self-signed certificate in the appropriate trust store. – jww Dec 17 '17 at 18:13
  • Hi, I've updated my question with the commands that I am using. I added both the localhost and the 127.0.0.1 IP to the SAN, but it is still not working. – Felipe Dec 17 '17 at 18:56
  • I don't believe you can put port numbers in the certificate like that. You need something else for the service locations, like Active Directory or BIND v8 or above. DNS servers can provide the service location via *"service location (SRV)"* resource records. – jww Dec 17 '17 at 19:24
  • jww is correct that Subject.CN and SAN entries must not contain colon-port; in addition **`x509 -req` ignores extensions in CSR**, as you could have found by simply looking at your cert carefully; that part is a dupe of https://stackoverflow.com/questions/43690647/requested-extensions-in-csr-not-being-reflected-in-crt . – dave_thompson_085 Dec 17 '17 at 22:04
  • Hi, I've removed the `:port` from the common names and everything worked. Thanks for the help! – Felipe Dec 17 '17 at 23:12
  • Also, having a SAN of the form `DNS.5 = 127.0.0.1` is cause for some software to reject your certificate - I'm pretty sure Firefox is among those. That's what the `IP...` type of SAN is for. – Andrew Henle Dec 18 '17 at 14:54

1 Answer


I followed @jww's advice and rewrote my config file like this:

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN or YOUR name)

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1

Then I used these commands to generate my certificate.

Signing request: openssl req -out myrequest.csr -newkey rsa:2048 -nodes -keyout mykey.key -config myconfig.conf

Signing with my CA: openssl x509 -req -in myrequest.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out mycertificate.crt -days 36500 -sha256

So the problem really was that I was adding the port numbers to the IP and DNS addresses of my certificate sign request.

Felipe
  • I was having a (possibly) similar problem, and found myself tinkering with these config files endlessly. The QA here may be of some benefit: https://stackoverflow.com/a/74802552/2657515 – JonathanDavidArndt Dec 14 '22 at 19:17
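The script below is an added example, not code from the question or the answer. It puts the two points raised in the comments into one runnable flow: names go only into the SAN, without any port, and the SAN is handed to `openssl x509 -req` through `-extfile`, because that command drops the extensions carried in the CSR. To make the second point visible, it signs the same CSR twice, once without `-extfile` (the certificate comes out with no SAN and fails IP matching) and once with it (hostname and IP matching pass), and it also shows that `localhost:8080` does not match anything because it is not a hostname. The work directory, the file names and the CA name "Local Dev CA" are placeholders chosen for this example; it assumes an `openssl` binary (1.0.2 or newer, for `-verify_hostname` and `-verify_ip`) on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post. Issues a localhost
# certificate from a private CA so that the SAN from the CSR actually lands
# in the certificate, then checks name matching the way a browser does.
# Assumptions: openssl (1.0.2 or newer) on PATH; the directory, file names
# and the CA name "Local Dev CA" are placeholders chosen for this example.
set -eu

workdir="${1:-$(mktemp -d)}"

# One OpenSSL config for the CA, the CSR and the leaf extensions.
# Names live only in SAN; a port (localhost:8080) is never part of a name.
write_config() {
    cat > "$workdir/localhost.cnf" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
req_extensions     = v3_leaf
x509_extensions    = v3_ca

[ dn ]
CN = localhost

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = localhost
IP.1  = 127.0.0.1
IP.2  = ::1
EOF
}

# Self-signed root; -subj overrides the [ dn ] section for the CA only.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Local Dev CA" -config "$workdir/localhost.cnf" \
        -keyout "$workdir/rootCA.key" -out "$workdir/rootCA.pem" 2>/dev/null
}

# CSR with CN=localhost and the SAN from [ v3_leaf ].
make_csr() {
    openssl req -newkey rsa:2048 -nodes -sha256 -config "$workdir/localhost.cnf" \
        -keyout "$workdir/localhost.key" -out "$workdir/localhost.csr" 2>/dev/null
}

# The pitfall from the comments: "x509 -req" drops the CSR's extensions.
sign_without_extensions() {
    openssl x509 -req -sha256 -days 825 -in "$workdir/localhost.csr" \
        -CA "$workdir/rootCA.pem" -CAkey "$workdir/rootCA.key" -CAcreateserial \
        -out "$workdir/no-san.crt" 2>/dev/null
}

# The fix: read the SAN back from the config while signing.
sign_with_extensions() {
    openssl x509 -req -sha256 -days 825 -in "$workdir/localhost.csr" \
        -CA "$workdir/rootCA.pem" -CAkey "$workdir/rootCA.key" -CAcreateserial \
        -extfile "$workdir/localhost.cnf" -extensions v3_leaf \
        -out "$workdir/localhost.crt" 2>/dev/null
}

# Print the SAN of a certificate; empty output means the extension is absent.
san_of() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Chain + name check: $1 cert, $2 -verify_hostname or -verify_ip, $3 name.
# Note: for DNS names OpenSSL still falls back to CN when no SAN is present;
# IP matching uses SAN only, which is why the no-SAN cert fails on 127.0.0.1.
verify_name() {
    openssl verify -CAfile "$workdir/rootCA.pem" "$2" "$3" "$1" >/dev/null 2>&1
}

main() {
    write_config && make_ca && make_csr
    sign_without_extensions && sign_with_extensions
    echo "no-san.crt SAN:    '$(san_of "$workdir/no-san.crt")'"
    echo "localhost.crt SAN: '$(san_of "$workdir/localhost.crt")'"
    for pair in "-verify_hostname localhost" "-verify_ip 127.0.0.1" \
                "-verify_ip ::1" "-verify_hostname localhost:8080"; do
        set -- $pair
        if verify_name "$workdir/localhost.crt" "$1" "$2"; then
            echo "localhost.crt $1 $2: OK"
        else
            echo "localhost.crt $1 $2: REJECTED"
        fi
    done
}

main
```

Run it with no arguments (it creates a temporary directory) or with a directory as the first argument. Importing rootCA.pem into the Windows trusted root store is a separate step (for example `certutil -addstore Root rootCA.pem` from an elevated prompt); after that the browsers match the host part of the URL, without the port, against the SAN entries, which is exactly the check the script reproduces with `-verify_hostname` and `-verify_ip`.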