OpenSSL
bellerofonte, 2021-07-23 16:20:49

How to make chrome trust a certificate?

Good afternoon!
I want to secure websocket traffic between me and my application running on AWS EC2.

I made myself a self-signed certificate following these instructions:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 3650 -nodes
# certificate settings
Country Name (2 letter code) [AU]:RU
State or Province Name (full name) [Some-State]:Moscow
Locality Name (eg, city) []:Moscow
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test LLC
Organizational Unit Name (eg, section) []:Test
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:[email protected]


Added it to the Keychain (I have macOS) and forced the system to trust it.

Restarted Chrome and accessed the application. Chrome still doesn't trust my certificate,
although if you click on the certificate in Chrome, the Keychain will open, in which the certificate is shown as trusted (see Fig. 1).

Tried also the following:
  • specify * when creating a certificate in CN
  • when creating a certificate in the CN, specify the IP address 10.10.1.91
  • when creating a certificate in CN, specify the domain test.local and write in /etc/hosts 10.10.1.91 test.local


Pressing "more - blah blah blah" is not an option, because all traffic from my app goes over websocket, and trying to connect to wss:// always fails if Chrome doesn't accept the certificate as valid.
None of the above helps. How do I get Chrome to trust my certificate if I want to?

2 answer(s)
Andrey Barbolin, 2021-07-23
@bellerofonte

You need:
- to generate a certificate
- to specify the correct CN
- to add the IP and domain name (CN) to hosts
- to add the certificate to the trusted ones (macOS - Keychain, Windows - certmgr.msc)
- to go to the site by domain name

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout example.key -out example.crt -subj "/CN=myawsdomain.com" \
  -addext "subjectAltName=DNS:www.myawsdomain.com,DNS:myawsdomain.com,IP:10.11.10.11"

ky0, 2021-07-23
@ky0

A certificate may be trusted but not valid because it was issued for the wrong name.
IMHO, it has now become so easy to issue a normal certificate through Let's Encrypt that only very stubborn people would give themselves hemorrhoids with self-signed ones :)
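
Added example (not part of either answer and not code from the original page): a Python sketch of the name check both answers point at. Chrome matches the requested host against the certificate's subjectAltName entries only and does not fall back to CN, so a certificate that carries its name only in CN, as in the question's three attempts, matches nothing. The function names and the simplified wildcard rule are assumptions of this example; the certificate dicts are constructed samples in the layout returned by ssl.SSLSocket.getpeercert().

```python
import ipaddress

def dns_match(pattern, host):
    """Match one dNSName entry; '*' is honoured only as the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Simplification: require two fixed labels after the wildcard (rejects "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def san_covers(cert, target):
    """True if subjectAltName covers target (hostname or IP literal).

    cert uses the dict layout of ssl.SSLSocket.getpeercert(); the subject CN
    is never consulted, so a certificate without SAN entries matches nothing.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None  # not an IP literal, treat as a DNS name
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS" and dns_match(value, target):
            return True
    return False

def make_cert(cn, sans=None):
    """Build a constructed sample certificate dict (no real certificate is parsed)."""
    cert = {"subject": ((("commonName", cn),),)}
    if sans:
        cert["subjectAltName"] = tuple(sans)
    return cert

# Constructed samples: the question's three CN-only attempts and the answer's SAN set.
CN_ONLY = [make_cert("*"), make_cert("10.10.1.91"), make_cert("test.local")]
WITH_SAN = make_cert("myawsdomain.com", [("DNS", "www.myawsdomain.com"),
                                         ("DNS", "myawsdomain.com"),
                                         ("IP Address", "10.11.10.11")])

if __name__ == "__main__":
    for target in ("test.local", "10.10.1.91"):
        print(target, [san_covers(c, target) for c in CN_ONLY])
    for target in ("www.myawsdomain.com", "10.11.10.11", "10.10.1.91"):
        print(target, san_covers(WITH_SAN, target))
```

The last check shows that the SAN list has to contain the address the client actually connects to: the answer's sample entry IP:10.11.10.11 does not cover the question's 10.10.1.91.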
