I want to test my web app on HTTPS localhost. Unfortunately it seems impossible to remove the certificate warning from Chrome. First, I generated the certificate like this:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/localhost-selfsigned.key -out /etc/ssl/certs/localhost-selfsigned.crt

Then I wanted to add it to Chrome: Settings > Advanced > Manage certificates > Import. I try to import the .crt file generated before and all I get is this:

Certificate import error: The Private Key for this Client Certificate is missing or invalid.

I googled it, but I found nothing helpful.

I have also tried enabling the allow-insecure-localhost flag and opening Chrome with --ignore-certificate-errors, but it still shows the warning and broken HTTPS.

Are there any other ways or am I doing something wrong with the certificate?

slhck
Maciej Krawczyk
  • Did you also import the `/etc/ssl/private/localhost-selfsigned.key` file? That is the private key. – Zoredache May 26 '17 at 21:26
  • The browser needs the public key, not the private key. – Arjan May 26 '17 at 21:36
  • Usually you'd create a self-signed *server* certificate and install it in the HTTP server software you're serving your web app from. Client-side (user) certificates installed in web browsers *can* be used to authenticate users when they log onto web apps, but it's pretty rare. Most sites/apps use username/password authentication, not user/client certificates. – Spiff May 26 '17 at 22:37
  • Can you use this certificate to serve content through HTTPS and look at how it looks when exported from the browser? It should be the same content. – cghislai Jun 29 '17 at 20:25
  • Also, maybe you are importing from the wrong tab. Try switching to the server tab before clicking the import button. – cghislai Jun 29 '17 at 20:26

3 Answers

I think what you may be trying to do is add it to the wrong certificate store. If you're attempting to add it under "Your Certificates", you're gonna have a bad time. That tab is for adding identity certificates; what your browser offers to the server to establish the browser's identity.

What I think you want to do, based on your description, is have your browser trust the self-signed cert that will be on your server end. If that's the case, you need to add it in your "Authorities" tab.

Erik
  • Did not work for me – Alexandre Bourlier Dec 29 '17 at 19:17
  • This works as of Chrome v64. You import the .crt under the "Authorities" tab as @Erik pointed out. Note: Firefox doesn't give you this hassle. – lasec0203 Feb 10 '18 at 04:06
  • Authorities tab is for CA certificates. Non-CA certificates are supposed to be on Servers tab. Although you [can't](https://bbs.archlinux.org/viewtopic.php?pid=1776753#p1776753), for instance, manually add non-CA certificate there in Chromium 65.0.3325.162. – x-yuri Mar 29 '18 at 09:23
  • Importing via "Authorities" tab solved my prob. – Kerem Jun 21 '19 at 14:04
  • Firefox gave me the same hassle and nothing works, but okay. – Zap Sep 27 '19 at 13:17
  • Importing it in Authorities gave "Private key missing", in Authorities worked but did not solve the problem, in Servers the cert didn't appear. – Snowcrash Mar 10 '20 at 14:20
  • That doesn't make sense. It's highly unlikely that anyone would ever have the private key of a Certificate Authority certificate. I can't imagine why you would be told that if you were entering it in the correct location. – Erik Mar 12 '20 at 20:27
  • Where is the 'Authorities' tab in Chrome? Can't see any way to import certificates or .pem. Thanks, – v3nt Jun 17 '20 at 10:40
  • Find the Authorities tab in the "Manage Certificates" pane. Settings -> Privacy and security -> Expand the "More" -> Manage certificates – Erik Jun 17 '20 at 18:27
  • Still valid answer as of Chromium v85 in October 2020 – qwertz Oct 12 '20 at 14:09
  • This should be marked as the correct answer. It worked for me. Thanks – Ivan Vilanculo Jul 26 '21 at 11:18
  • Excellent answer. Remember to restart the browser (I had to do so with Brave 1.32). I feel pretty sheepish that I was banging my head against the wall until I found your answer. – fbicknel Nov 21 '21 at 14:34
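A worked example, added here and not part of Erik's answer or the question: generate a self-signed localhost certificate that is actually usable once it is imported under Authorities, then check it the way the browser will. The OpenSSL command in the question produces a certificate with no subjectAltName, and Chrome (since version 58) ignores the Common Name when matching the host, so the warning survives the import whichever tab it goes into. The directory and file names and the 127.0.0.1 entry are assumptions for the example; it needs only `openssl` in `$PATH`.

```shell
#!/bin/sh
# Added example, not code from the original answer. Generates a self-signed
# certificate for localhost with the subjectAltName Chrome insists on, and
# checks it the way the browser does after an import under "Authorities".
# Assumes 'openssl' in $PATH; the names (localhost, 127.0.0.1) are for the demo.
set -eu

# Write key + certificate into directory $1. A config file is used instead of
# -addext so the same command works on OpenSSL 1.0.2, 1.1.x and 3.x.
make_localhost_cert() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/localhost.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = server_ext
prompt = no
[dn]
CN = localhost
[server_ext]
# The browser matches the URL host against these, never against CN.
subjectAltName = DNS:localhost, IP:127.0.0.1
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
        -config "$dir/localhost.cnf" \
        -keyout "$dir/localhost.key" -out "$dir/localhost.crt" 2>/dev/null
    # The key only ever goes into the web server, never into the browser.
    chmod 600 "$dir/localhost.key"
}

# Print the subjectAltName entries of certificate $1 (empty if it has none,
# which is the case for the certificate produced by the command in the question).
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Verify certificate $1 with itself as the only trust anchor. That is exactly
# the trust relationship an import under "Authorities" creates, so "OK" here
# means a chain can be built once the import is done; "FAIL" otherwise.
verify_as_own_anchor() {
    if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Usage: RUN_EXAMPLE=1 sh localhost-cert.sh   (writes ./localhost-cert/)
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    make_localhost_cert ./localhost-cert
    cert_sans ./localhost-cert/localhost.crt
    verify_as_own_anchor ./localhost-cert/localhost.crt
fi
```

Point the web server at `localhost.key` and `localhost.crt`, import only `localhost.crt` under Authorities, and restart the browser; `cert_sans` is the quick way to tell whether a certificate that still warns after import is missing its SAN.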
What worked for me was

  • setting up a CA
  • signing my own certificate using this CA and then
  • importing the CA key into Chrome (Authorities).

I got the procedure from this answer on SO.

Since my specific issue was for catering for multilevel subdomains, I'll look at it from that angle.

subdomains:

  • bar.fooz.mydomain.com
  • foo.fooz.mydomain.com
  1. Become a Certificate Authority
export CA=myca
# you probably want to have this in its own directory
mkdir /etc/ssl/$CA && cd /etc/ssl/$CA

# generate private key
openssl genrsa -des3 -out $CA.key 2048

# generate root certificate
openssl req -x509 -new -nodes -key $CA.key -sha256 -days 825 -out $CA.pem
  2. Create CA-signed certificates
export NAME=fooz.mydomain.com
# if CA files were in a separate directory
mkdir /etc/ssl/$NAME && cd /etc/ssl/$NAME

# generate private key
openssl genrsa -out $NAME.key 2048

# Create a certificate-signing request
# Once prompted, set FQDN to the value of $NAME
openssl req -new -key $NAME.key -out $NAME.csr

# Create a config file for the extensions
cat > $NAME.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
# Be sure to include the domain name here because Common Name is not so commonly honoured by itself
DNS.1 = $NAME
# Optionally, add additional domains (I've added subdomains here)
DNS.2 = foo.$NAME
DNS.3 = bar.$NAME
# (Optional, but probably important) add an IP address, if the connection which you have planned requires it
IP.1 = 192.168.0.13
EOF

# Create the signed certificate
# (the CA files live in /etc/ssl/$CA, not in the current directory)
openssl x509 -req -in $NAME.csr -CA /etc/ssl/$CA/$CA.pem -CAkey /etc/ssl/$CA/$CA.key -CAcreateserial -out $NAME.crt -days 825 -sha256 -extfile $NAME.ext
  3. Download the $CA.pem file and import as an Authority in your browser:
    1. Chrome settings (Settings > Privacy and Security > Security > Manage certificates > Authorities > Import). Check Trust this certificate for identifying websites
    2. Firefox: Preferences > Privacy and Security > Certificates > View Certificates > Authorities > import. Check Trust this CA to identify websites
  4. Restart your browser (Firefox worked without the need for a restart)
omushpapa
  • Welcome (out) to SuperUser. There is no need to copy and paste, but perhaps to better explain yes. For the same reason that it doesn't deserve to be closed as a duplicate (it's on another site), it also deserves a full response (with commands). Your answer is basically the copy and paste of the link prologue you posted...just a little more effort to get a more nice/useful answer. HNY. – Hastur Jan 05 '21 at 08:54
  • noted... updating in a few – omushpapa Jan 05 '21 at 12:03
  • Great answer! Worked like a charm. – Nathan B Sep 12 '21 at 13:34
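The same CA-then-leaf procedure as omushpapa's answer, as an added example that is not the answer's own code: it runs non-interactively (config files instead of prompts, an unencrypted CA key so no passphrase is asked for), issues a leaf for a domain plus two sub-subdomains, and then does the checks worth running before touching the browser: verify the leaf against the CA file that will be imported, list the names it is valid for, and confirm that a different CA does not validate it. The directory layout, `Local Dev CA`, and the `*.fooz.example.test` names are assumptions for the example; only `openssl` in `$PATH` is needed.

```shell
#!/bin/sh
# Added example, not code from the answer above. Private CA + CA-signed
# server certificate, non-interactive, followed by the checks a practitioner
# wants before importing anything. Assumes 'openssl' in $PATH; the CA name,
# directories and host names are invented for the demo.
set -eu

# Create a private CA in directory $1: ca.key (stays on this machine, mode 600)
# and ca.pem (the only file that is imported into the browser's Authorities tab).
make_ca() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Local Dev CA
[ca_ext]
# pathlen:0 means this CA may sign leaves but never another CA.
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    chmod 600 "$dir/ca.key"
    openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 825 \
        -config "$dir/ca.cnf" -out "$dir/ca.pem" 2>/dev/null
}

# Issue a leaf for host $2 (plus optional extra SAN entries in $3, written as
# "DNS:a,DNS:b,IP:1.2.3.4") signed by the CA in $1. Writes $1/$2.key, $1/$2.crt.
issue_leaf() {
    dir=$1; name=$2; extra=${3:-}
    sans="DNS:$name${extra:+,$extra}"
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $name
EOF
    openssl req -new -key "$dir/$name.key" -config "$dir/$name.cnf" \
        -out "$dir/$name.csr" 2>/dev/null
    # Extensions are supplied at signing time, so the CSR cannot smuggle any in.
    cat > "$dir/$name.ext" <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $sans
EOF
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
}

# Verify leaf $2 against CA file $1, the check the browser performs once that
# CA is trusted. Echoes OK or FAIL instead of exiting so both can be tested.
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# List the DNS names certificate $1 is valid for, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Usage: RUN_EXAMPLE=1 sh dev-ca.sh   (writes ./dev-ca/)
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    make_ca ./dev-ca
    issue_leaf ./dev-ca fooz.example.test 'DNS:foo.fooz.example.test,DNS:bar.fooz.example.test'
    verify_against ./dev-ca/ca.pem ./dev-ca/fooz.example.test.crt
    cert_dns_names ./dev-ca/fooz.example.test.crt
fi
```

The server gets `fooz.example.test.key` and `.crt`; the browser gets `ca.pem` only. Keep `ca.key` off every machine that does not need to sign, because anyone holding it can issue a certificate for any name that every browser trusting `ca.pem` will accept.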
Chrome expects a file in PKCS12 format, which is used to store the certificate, any intermediate certificates and the private key in a single encryptable file. These files usually have the .p12 or .pfx extension.

To generate one, use the command below:

openssl pkcs12 -export -inkey ./sample.key -in ./sample.crt -out ./sample.p12

This command will ask for a password, which we need to remember and use when importing the generated .p12 file into Chrome.

Prateek Jain
  • I get error `Unknown algorithm pkcs12` for this command `sudo openssl req -x509 -nodes -days 18250 -newkey pkcs12 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt` – Fakhamatia Jul 13 '21 at 11:55
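An added example for the client-certificate case this answer covers, not code from the answer itself: before bundling, confirm that the key really belongs to the certificate (a mismatched pair is one way to end up with a "Private Key ... missing or invalid" style complaint), then build the PKCS#12 file with the password taken from an environment variable rather than the command line, and list what is inside it without extracting the key. The `dev-user` identity, file names and `P12_PASS` variable are assumptions for the example; it needs only `openssl` in `$PATH`.

```shell
#!/bin/sh
# Added example, not code from the answer above. Builds the PKCS#12 bundle
# Chrome wants under "Your Certificates" after checking the key/cert pair.
# Assumes 'openssl' in $PATH and the bundle password in $P12_PASS; the client
# identity and file names are invented for the demo.
set -eu

# Self-signed client certificate for the demo; a real one is issued by a CA.
make_client_cert() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/client.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = client_ext
prompt = no
[dn]
CN = dev-user
[client_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
        -config "$dir/client.cnf" \
        -keyout "$dir/client.key" -out "$dir/client.crt" 2>/dev/null
    chmod 600 "$dir/client.key"
}

# Echo "match" if private key $1 belongs to certificate $2, else "mismatch".
# Compares the PEM public keys, so it works for RSA and EC keys alike.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Bundle key $1 and certificate $2 (plus an optional chain file $4) into the
# password-protected PKCS#12 file $3. The password is read from $P12_PASS so
# it never shows up in the process list the way a -passout pass:... would.
make_p12() {
    key=$1; cert=$2; out=$3; chain=${4:-}
    openssl pkcs12 -export -inkey "$key" -in "$cert" \
        ${chain:+-certfile "$chain"} -out "$out" -passout env:P12_PASS
}

# Print the subject of the first certificate inside bundle $1 without
# writing the private key anywhere (-nokeys).
p12_subjects() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null \
        | openssl x509 -noout -subject
}

# Usage: P12_PASS=secret RUN_EXAMPLE=1 sh client-p12.sh   (writes ./client-cert/)
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    make_client_cert ./client-cert
    key_matches_cert ./client-cert/client.key ./client-cert/client.crt
    make_p12 ./client-cert/client.key ./client-cert/client.crt ./client-cert/client.p12
    p12_subjects ./client-cert/client.p12
fi
```

Import `client.p12` under "Your Certificates" and enter the same password; a server certificate still belongs under Authorities as the other answers describe, with no .p12 and no key involved.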