SelfSignedCertificate not accepted in MS Edge (Win 10)

Time:03-17

To get Edge to trust the localhost development server, I created a self-signed certificate following this tutorial. I just replaced all instances of client-1.local by localhost.

So in short, I created a trusted authority by creating a .pem-file with the commands

openssl genrsa -des3 -out rootSSL.key 2048

and then

openssl req -x509 -new -nodes -key rootSSL.key -sha256 -days 1024 -out rootSSL.pem

and imported those into the trusted authorities store in the MMC.

Then I created a private key with

openssl req -new -sha256 -nodes -out localhost.csr -newkey rsa:2048 -keyout localhost.key -subj "/C=AU/ST=NSW/L=Sydney/O=Client One/OU=Dev/CN=localhost/[email protected]"

and a certificate with

openssl x509 -req -in localhost.csr -CA rootSSL.pem -CAkey rootSSL.key -CAcreateserial -out localhost.crt -days 50000 -sha256 -extensions "authorityKeyIdentifier=keyid,issuer\n basicConstraints=CA:FALSE\n keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\n  subjectAltName=DNA:localhost"

The certificate shows up as valid when double clicking on it.

For the exception I need to import the certificate into the browsers. For Firefox I at first got the error

You do not own the private key for the certificate

So I created a PKCS12 file

openssl pkcs12 -export -inkey ./sample.key -in ./sample.crt -out ./sample.p12

and imported that one in Firefox under "My Certificates". That works, I host with ng serve "ssl/localhost.crt" and Firefox with the imported .p12 accepts my localhost. Now for MS Edge it still complains, my certificate is not valid.

I also tried .pfx-merging, but no change. I also read the certificates should not be installed under My Certificates but as Authorities. That sounds wrong to me but I tried it and imported both the .crt and the .p12 into Authorities and Root Authorities, because why not, but no change. I also installed the certificate through the Windows Wizard.

What am I missing for MS Edge? I sadly have no way around it.

===== Update =====

Additional information:

Edge does not give any helpful error. Here is an image of the message. It is in German but all it says is the default text "The connection is not secure. The certificate is invalid. Your credit card information might be stolen." If there is some way to get a more informative message for Edge I would be very happy. In the developer console the message is:

This site does not have a valid SSL certificate! Without SSL, your site's and visitors' data is vulnerable to theft and tampering. Get a valid SSL certificate before releasing your website to the public.

The certificate files and the output of openssl x509 -text localhost.crt can be viewed here (password is pass or password, if necessary) and an image of the .crt here. It is sitting in my development folder, I host the site with

ng serve --ssl true --ssl-cert "ssl/localhost.crt" --ssl-key "ssl/localhost.key"

and access the server locally through localhost:3000.

I imported the .p12 file into Edge through manage certificates -> My Certificates -> Import. The result looks like this.

CodePudding user response:

What am I missing for MS Edge? I

The certificate does not contain any subject alternative names, which makes it invalid for Edge and Chrome. There is an attempt to specify this information, but the attempt is wrong.

I created a selfsigned certificate following this tutorial.

Looks like this tutorial is broken.

openssl x509 -req ... -extensions "authorityKeyIdentifier ... subjectAltName=DNA:localhost"

The -extensions command line option is used to give the name of an extension section in a configuration file, not the extensions themselves. Additionally the subjectAltName should be DNS:... not DNA:....

To fix create an extension file my.ext which includes the extensions you want to use:

[myext]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=DNS:localhost

Then use this file as extension file with -extfile my.ext and specify the extension to use with -extensions myext:

openssl x509 -req ... -extfile my.ext -extensions myext
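The full procedure from the answer, as an added example that is not part of the original question or answer: a local root CA, a CSR for localhost, and a leaf certificate signed with the extension section from my.ext, followed by a check that the result chains to the CA and actually carries DNS:localhost (the part that was missing from the question's certificate). The CA subject, the WORKDIR variable, the passphrase-less CA key (-nodes, so the script runs unattended) and the 825-day validity are assumptions made here, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): create a local CA, sign a leaf
# certificate for localhost with a subjectAltName via -extfile/-extensions,
# then verify the chain and the SAN. File names follow the answer; the CA
# subject, WORKDIR and validity period are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

make_localhost_cert() {
  cd "$WORKDIR"
  # Root CA key and self-signed CA certificate (no passphrase, so no prompt)
  openssl genrsa -out rootSSL.key 2048 2>/dev/null
  openssl req -x509 -new -nodes -key rootSSL.key -sha256 -days 1024 \
    -subj "/CN=Local Dev Root CA" -out rootSSL.pem
  # Leaf key and CSR; the CN alone is not enough for Edge/Chrome
  openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout localhost.key \
    -subj "/C=AU/ST=NSW/L=Sydney/O=Client One/OU=Dev/CN=localhost" \
    -out localhost.csr 2>/dev/null
  # Extension section as in the answer: the SAN is what the browsers check
  cat > my.ext <<'EOF'
[myext]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=DNS:localhost
EOF
  # -extfile names the file, -extensions names the section inside it
  openssl x509 -req -in localhost.csr -CA rootSSL.pem -CAkey rootSSL.key \
    -CAcreateserial -days 825 -sha256 -extfile my.ext -extensions myext \
    -out localhost.crt 2>/dev/null
}

# Returns 0 only if localhost.crt chains to rootSSL.pem and lists DNS:localhost
check_localhost_cert() {
  cd "$WORKDIR"
  openssl verify -CAfile rootSSL.pem localhost.crt >/dev/null || return 1
  openssl x509 -in localhost.crt -noout -text | grep -q 'DNS:localhost' || return 1
  return 0
}

# Stand-alone run: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
  make_localhost_cert
  check_localhost_cert && echo "OK: $WORKDIR/localhost.crt has a valid chain and SAN"
fi
```

The check step is worth keeping in any such script: "openssl x509 -text" showing a Subject Alternative Name block with DNS:localhost is the quickest way to tell whether the -extfile/-extensions pair was picked up, since a certificate without it still looks valid when double-clicked in Windows. The validity is kept much shorter than the 50000 days in the question because some clients reject very long-lived leaf certificates.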
