How to make a browser accept an SSL certificate with a full certificate chain?

Time:12-20

I like to create my own PKI with a root CA and an intermediate CA finally signing a server certificate. For creation of the certificates I used openssl and got these:

cert.pem


ca_cert.pem:


root_cert.pem


Verifying these via openssl results in

.\openssl.exe verify -show_chain -CAfile root_cert.pem -untrusted ca_cert.pem cert.pem
cert.pem: OK
Chain:
depth=0: C = DE, ST = Niedersachsen, L = Osnabrueck, O = MyCompany GmbH, OU = Geschaeftsfuehrung, CN = localhost (untrusted)
depth=1: C = DE, ST = Niedersachsen, L = Osnabrueck, O = MyCompany GmbH, OU = Geschaeftsfuehrung, CN = MyCompany primary CA (untrusted)
depth=2: C = DE, ST = Niedersachsen, L = Osnabrueck, O = MyCompany GmbH, OU = Geschaeftsfuehrung, CN = MyCompany root CA

I also created a chain.pem file by concatenating all certs into it in the same order as listed above.

Now, I give the chain.pem to my web server as cert-file. I also added the root_cert.pem to my operating system as trusted with this command.

PS> Import-Certificate -FilePath ./root_cert.pem -CertStoreLocation Cert:\LocalMachine\Root

Now opening the browser I got errors

  • Chrome says NET::ERR_CERT_COMMON_NAME_INVALID
  • Firefox says SEC_ERROR_UNKNOWN_ISSUER

If I click on show certificate, both browsers list the certificates above.

Unfortunately the browsers don't tell me the exact issues they have or give a hint how to solve them.

May I ask for help regarding my specific problem and also for a nice reference for what exactly is required to make a browser trust a server certificate created with a chain by yourself, so other people who encounter similar problems may find help? Thanks!

Remark: I only want to add the root_cert.pem as trusted to the operating system, and not any intermediate certificate.

CodePudding user response:

In 2017 there was a change in how browsers check certificates for validity. Instead of using the common name (cn), they now use the subjectAltName. See also: heise

The subjectAltName is an extension to a certificate and needs to be added to it, containing the DNS or IP of the host.

Since it is an extension, it is not part of the subject standard of openssl. See here how to set the subjectAltName for openssl.

On top of that, openssl has a known bug that will prevent the transfer of the subjectAltName-extension on signing a request. You need to set it manually via a config file. The CLI is also not supported here. Find the solution here.


Firefox sends the mentioned error because it does not link to the operating system for the Root-CA; you need to add it separately to Firefox.


Finally, if you encounter any problems of validity of your created certificate:

  • Use Firefox to check your https connection, since Firefox provides more detailed error messages than other browsers.
    • Don't forget to add your Root-CA to its dedicated cert-store.
  • Check Security & Signing Algorithms. They have to be up to date for all certificates!
  • Check for a correct subjectAltName to be present and valid (exactly the same value as in the request URL).
  • Make sure your web server sends not only its certificate, but the whole chain. Otherwise there will be an unknown issuer error if you use an intermediate CA. See here
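
The checklist above, as an added example that is not part of the original post: a root, an intermediate and a server certificate whose subjectAltName is set through -extfile at signing time, followed by a chain and host name check. The subject names, lifetimes, file layout and the function names build_chain, has_san and check_chain are assumptions; cert_nosan.pem is the same request signed without -extfile, for comparison.

```bash
# Added example: three-tier test PKI with a SAN in the leaf. All names and lifetimes are constructed.
set -eu
build_chain() (   # $1 = output dir, $2 = host name; subshell body keeps the cd local
  mkdir -p "$1" && cd "$1"
  cat > pki.cnf <<EOF
[req]
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
  # Root CA: self-signed. This is the only certificate the client has to trust.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config pki.cnf -extensions v3_ca \
    -subj "/CN=Example root CA" -keyout root_key.pem -out root_cert.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=Example intermediate CA" \
    -keyout ca_key.pem -out ca.csr 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=$2" \
    -keyout key.pem -out cert.csr 2>/dev/null
  # The extensions come from -extfile/-extensions at signing time, not from the request.
  openssl x509 -req -sha256 -days 1825 -in ca.csr -CA root_cert.pem -CAkey root_key.pem \
    -CAcreateserial -extfile pki.cnf -extensions v3_ca -out ca_cert.pem 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in cert.csr -CA ca_cert.pem -CAkey ca_key.pem \
    -CAcreateserial -extfile pki.cnf -extensions v3_server -out cert.pem 2>/dev/null
  # Same request signed without -extfile: a CN, but no subjectAltName.
  openssl x509 -req -sha256 -days 365 -in cert.csr -CA ca_cert.pem -CAkey ca_key.pem \
    -CAcreateserial -out cert_nosan.pem 2>/dev/null
  cat cert.pem ca_cert.pem > chain.pem   # what the web server sends: leaf first, then intermediate
)
has_san() {       # $1 = certificate file, $2 = host name expected as a DNS entry
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -qF "DNS:$2"
}
check_chain() {   # $1 = dir written by build_chain, $2 = host name the client requests
  openssl verify -CAfile "$1/root_cert.pem" -untrusted "$1/ca_cert.pem" \
    -purpose sslserver -verify_hostname "$2" "$1/cert.pem" >/dev/null 2>&1
}
demo_dir=$(mktemp -d)
build_chain "$demo_dir" localhost
has_san "$demo_dir/cert.pem" localhost && check_chain "$demo_dir" localhost && echo "cert.pem: chain and SAN ok"
has_san "$demo_dir/cert_nosan.pem" localhost || echo "cert_nosan.pem: no subjectAltName"
```
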