I've two websites within the same domain, for example app1.test.local and app2.test.local. Below is the procedure using which I've generated the self-signed certificate.
- Create a private key.
openssl genrsa -out tls.key 2048
- Edit openssl.conf file and update req_distinguished_name and alt_names contents.
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = IN
countryName_default = IN
stateOrProvinceName = KA
stateOrProvinceName_default = KA
localityName = Test
localityName_default = Test
organizationalUnitName = test
organizationalUnitName_default = test
commonName = *.test.local
commonName_max = 64
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.test.local
- Create certificate signing request
openssl req -new -out tls.csr -key tls.key -config openssl.cnf
- Sign the SSL Certificate.
openssl x509 -req -days 3650 -in tls.csr -signkey tls.key -out tls.crt -extensions v3_req -extfile openssl.cnf
From the view certificate option of the browser I can see both SAN and CN have *.test.local as the value. However, when I launch application app2 from app1, the browser again prompts for trusting the certificate [The certificate is not trusted because it is self-signed.].
Question: How to prevent the browser from prompting to Accept the risk and Continue multiple times for the same certificate but from different websites for self-signed certificates?
CodePudding user response:
> How to prevent browser from prompting to Accept the risk and Continue multiple times for the same certificate but from different websites for self-signed certificates.
Overriding the warning of a certificate will only affect the currently used domain and not every domain in the certificate. Otherwise somebody could create a certificate for some innocent site but which also includes an SAN of an important site like paypal.com - and later reuse the certificate to impersonate the important site.
To make a certificate trusted for all domains given in the certificate, one needs to explicitly import the certificate as trusted into the browser's trust store instead of simply ignoring certificate warnings.
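The difference between a per-site warning override and an imported trusted certificate, as an added example that is not part of the original answer. It is a simplified model, not any browser's actual code; the `Cert` and `Browser` classes, their methods and the fingerprint values are hypothetical names constructed for illustration.

```python
# Simplified model (an assumption, not any browser's real code) of how a
# browser decides whether to show a certificate warning.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    fingerprint: str   # constructed placeholder, not a real hash
    san: tuple         # DNS names from subjectAltName


def name_matches(pattern: str, host: str) -> bool:
    """Wildcard match: '*' covers exactly one leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


@dataclass
class Browser:
    trust_store: set = field(default_factory=set)  # imported certificates
    exceptions: set = field(default_factory=set)   # (host, fingerprint) pairs

    def accept_risk(self, host: str, cert: Cert) -> None:
        # "Accept the risk and Continue": recorded for this host only.
        self.exceptions.add((host, cert.fingerprint))

    def import_trusted(self, cert: Cert) -> None:
        # Explicit import: the certificate itself becomes trusted.
        self.trust_store.add(cert.fingerprint)

    def visit(self, host: str, cert: Cert) -> str:
        if (host, cert.fingerprint) in self.exceptions:
            return "ok (exception)"
        covered = any(name_matches(n, host) for n in cert.san)
        if cert.fingerprint in self.trust_store and covered:
            return "ok (trusted)"
        return "warning"


# Constructed sample certificates.
WILDCARD = Cert("FP-CONSTRUCTED-1", ("*.test.local",))
MIXED = Cert("FP-CONSTRUCTED-2", ("innocent.example", "paypal.com"))
```

Because an exception is stored per host, accepting `MIXED` on `innocent.example` leaves `paypal.com` still showing a warning, which is the scenario the answer describes.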