
I have really been struggling to set up HTTPS using a self-signed certificate for my localhost project that is being run/configured from the Maven Jetty plugin... I have been able to get it working for Safari, but Google Chrome rejects it even though it says my cert is valid.

This is the error I get from Chrome: NET::ERR_CERT_REVOKED

I got my steps from the following post: https://stackoverflow.com/a/60516812/11725563

Also, I am on macOS Catalina and Chrome version 80+. Also, I am making my CN name localhost, and any time it asks me for country, city, etc., I just put the same stuff every time.

Here is my exact process taken from the post linked above

######################
# Become a Certificate Authority
######################

# Generate private key
openssl genrsa -des3 -out myCA.key 2048
# Generate root certificate
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem

# Create CA-signed certs
######################

# Generate private key
$ [[ -e localhost.key ]] || openssl genrsa -out localhost.key 2048
# Create certificate-signing request
$ [[ -e localhost.csr ]] || openssl req -new -key localhost.key -out localhost.csr
# Create a config file for the extensions
$ >localhost.ext cat <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth,clientAuth
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME
DNS.2 = bar.$NAME
EOF

Create the signed certificate

$ openssl x509 -req -in localhost.csr -CA myCA.pem -CAkey myCA.key \
  -CAcreateserial -out localhost.crt -days 1825 -sha256 \
  -extfile localhost.ext

I then add myCA.pem to my System keychain and go to the detail and Always Trust all options.

I then run the following commands to generate a keystore to put into my jetty folder

$ openssl pkcs12 -inkey localhost.key -in localhost.crt -export \
    -out localhost.pkcs12
$ keytool -importkeystore -srckeystore localhost.pkcs12 \
    -srcstoretype PKCS12 -destkeystore keystore

I then take the keystore file and move it to the src/test/resources path in my Eclipse project. But as I said, it results in the above error when run in Chrome. What am I doing wrong?

  • Welcome to Stack Overflow. I wouldn't make your certificate age longer than 397 days (the CA/Browser Forum is trying to get the maximum age to 1 year, Safari will enforce it later this year, and Chrome is on track to enforce that maximum too) - Note: 397 is 1 year + grace period. – Joakim Erdfelt Apr 20 '20 at 14:31
  • @JoakimErdfelt Thank you for the warm welcome, I changed the validity date and that fixed it! Thank you so much for this. – trojanv1rus Apr 21 '20 at 02:48
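
A way to check a certificate's lifetime against the 397-day figure from the comment above before importing it into the keystore, as an added example that is not part of the original question or comments. It parses the output of `openssl x509 -in localhost.crt -noout -dates`; the function names and both sample outputs are constructed for illustration, and month names are assumed to be parsed under an English/C locale.

```python
import subprocess
import sys
from datetime import datetime

MAX_DAYS = 397  # assumption: the limit quoted in the comment (1 year + grace period)
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"  # date layout printed by `openssl x509 -dates`


def parse_dates(text):
    """Extract notBefore/notAfter from `openssl x509 -noout -dates` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            fields[key.strip()] = datetime.strptime(value.strip(), OPENSSL_FMT)
    if len(fields) != 2:
        raise ValueError("expected notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]


def validity_days(text):
    """Whole days between notBefore and notAfter."""
    not_before, not_after = parse_dates(text)
    return (not_after - not_before).days


def check(text, max_days=MAX_DAYS):
    """Return (within_limit, days) for the given openssl output."""
    days = validity_days(text)
    return days <= max_days, days


# Constructed sample: what a certificate issued with -days 1825 reports.
SAMPLE_1825 = "notBefore=Apr 20 14:31:00 2020 GMT\nnotAfter=Apr 19 14:31:00 2025 GMT\n"
# Constructed sample: the same certificate reissued with -days 397.
SAMPLE_397 = "notBefore=Apr 20 14:31:00 2020 GMT\nnotAfter=May 22 14:31:00 2021 GMT\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python check_cert.py localhost.crt
        cmd = ["openssl", "x509", "-in", sys.argv[1], "-noout", "-dates"]
        out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    else:
        out = SAMPLE_1825
    ok, days = check(out)
    print(f"validity: {days} days, limit {MAX_DAYS}: {'OK' if ok else 'TOO LONG'}")
    sys.exit(0 if ok else 1)
```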
