
#1 2019-12-12 12:51:50

george_p
Member
Registered: 2019-12-12
Posts: 2

[Solved] Trusting a self signed certificate

Hello,

I am trying to trust a self-signed certificate across my system, but am having trouble getting the certificate to be trusted everywhere.

So far I have tried:

- Generated a .crt from my certificate and ran:

trust anchor --store ./localhost.crt

- Generated a .pem from my certificate and ran:

cp ./localhost.pem /etc/ca-certificates/trust-source/anchors/
trust extract-compat
update-ca-trust

Currently, only chromium is happy with the certificate.

trust list

Shows my certificate:

pkcs11:id=...id...;type=cert
    type: certificate
    label: localhost
    trust: anchor
    category: other-entry

... more 

However, if I attempt to curl the URL:

curl -v https://localhost:8080/
*   Trying ::1:8080...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above

and

cat /etc/ssl/certs/ca-certificates.crt | grep -i localhost

shows it isn't in there.

(I am aware I can pass curl a certificate file, or tell it to ignore TLS errors, but I am only using it for testing. My issue is around multiple applications communicating locally over https.)

Last edited by george_p (2019-12-12 18:20:11)


#2 2019-12-12 15:30:39

sabroad
Member
Registered: 2015-05-24
Posts: 242

Re: [Solved] Trusting a self signed certificate

george_p wrote:

[...]my certificate:

pkcs11:id=...id...;type=cert
    type: certificate
    label: localhost
    trust: anchor
    category: other-entry

See [SOLVED] Can I trust self-signed SSL certificate?.
TL;DR there are self-signed certificates, and then there are CA certificates (with "basicConstraints = CA:true").


--
saint_abroad


#3 2019-12-12 18:35:04

george_p
Member
Registered: 2019-12-12
Posts: 2

Re: [Solved] Trusting a self signed certificate

Thank you! Not sure how I missed that post.

If anyone is coming from a search engine:

How to use dotnet dev-certs on Arch Linux:

Don't.

Generate your own certificates and pfx, inputting a password when prompted:

(Lightly adapted from: [SOLVED] Can I trust self-signed SSL certificate?)

#!/usr/bin/env bash
set -eu
org=localhost-ca
domain=localhost

# 1. A private CA: key plus self-signed CA certificate. This is the certificate
#    that gets trusted system-wide, not the server certificate. Valid for a
#    year (openssl's default for -x509 is only 30 days).
openssl genpkey -algorithm RSA -out ca.key
openssl req -x509 -key ca.key -out ca.crt -days 365 \
    -subj "/CN=$org/O=$org"

# 2. Server key and certificate signing request for the local host name.
openssl genpkey -algorithm RSA -out "$domain".key
openssl req -new -key "$domain".key -out "$domain".csr \
    -subj "/CN=$domain/O=$org"

# 3. Sign the CSR with the CA. The extensions mark it as an end-entity
#    certificate (CA:FALSE) and put the host name in subjectAltName, which is
#    what browsers and curl match against (the CN alone is not enough).
openssl x509 -req -in "$domain".csr -days 365 -out "$domain".crt \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile <(cat <<END
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$domain
END
    )

# 4. Bundle key and certificate into a PKCS#12 file for Kestrel; prompts for
#    the export password.
openssl pkcs12 -export -out "$domain".pfx -inkey "$domain".key -in "$domain".crt

Trust your certificate authority:

sudo trust anchor ca.crt

Set your ASPNETCORE environment variables appropriately:

export ASPNETCORE_Kestrel__Certificates__Default__Password="password for pfx"
export ASPNETCORE_Kestrel__Certificates__Default__Path="full path to localhost.pfx"

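The point sabroad makes (a trust anchor has to be a CA certificate, basicConstraints CA:TRUE) and the CA-plus-server-certificate layout the script above produces can both be checked before anything is installed system-wide. The script below is an added example, not code from the thread, from p11-kit or from the Arch wiki; it assumes only the openssl CLI (1.1.1 or newer), and the function names `is_ca`, `has_san`, `chain_ok` and `check_anchor` are chosen here. It takes the CA file, the server certificate and the host name the server will be reached under, and reports which of the properties the thread relies on actually hold.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from p11-kit): sanity-check a CA /
# server certificate pair before running `sudo trust anchor ca.crt`.
# Assumes only the openssl CLI (1.1.1 or newer). Usage:
#   ./check_anchor.sh ca.crt localhost.crt localhost
set -eu

# cert_text FILE: human-readable dump of one PEM certificate
cert_text() {
    openssl x509 -in "$1" -noout -text
}

# is_ca FILE: succeeds if the certificate asserts basicConstraints CA:TRUE.
# Only such certificates are exported into the ca-certificates.crt compat
# bundle; a server certificate (CA:FALSE, or no extension at all) shows up in
# `trust list` but never reaches the bundle, which is what the first post saw.
is_ca() {
    cert_text "$1" | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# has_san FILE NAME: succeeds if the certificate lists DNS:NAME in
# subjectAltName. Browsers and curl match the SAN, not the CN.
has_san() {
    cert_text "$1" | grep -A1 'Subject Alternative Name' \
        | tr ', ' '\n\n' | grep -qxF "DNS:$2"
}

# chain_ok CA LEAF: succeeds if LEAF verifies against CA as a TLS server
# certificate, the same check a client performs once CA is in its trust store.
chain_ok() {
    openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1
}

# check_anchor CA LEAF NAME: print one verdict per check; return 0 only if
# every check passes.
check_anchor() {
    local ca=$1 leaf=$2 name=$3 rc=0
    if is_ca "$ca"; then
        echo "PASS: $ca is a CA certificate (CA:TRUE)"
    else
        echo "FAIL: $ca lacks CA:TRUE; trust anchor will not export it to ca-certificates.crt"
        rc=1
    fi
    if is_ca "$leaf"; then
        echo "FAIL: $leaf is marked CA:TRUE; a server certificate should be CA:FALSE"
        rc=1
    else
        echo "PASS: $leaf is an end-entity certificate"
    fi
    if has_san "$leaf" "$name"; then
        echo "PASS: $leaf carries DNS:$name in subjectAltName"
    else
        echo "FAIL: $leaf has no DNS:$name entry in subjectAltName"
        rc=1
    fi
    if chain_ok "$ca" "$leaf"; then
        echo "PASS: $leaf verifies against $ca"
    else
        echo "FAIL: $leaf does not chain to $ca"
        rc=1
    fi
    return "$rc"
}

# Run the checks when given three arguments; sourcing the file only defines
# the functions.
if [ $# -eq 3 ]; then
    check_anchor "$@"
fi
```

Run it against the files the script above produces (`check_anchor ca.crt localhost.crt localhost`) before the `trust anchor` step; a bare self-signed server certificate fails the first check, which is the situation the opening post describes.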

#4 2023-12-17 15:14:51

fakekmz
Member
Registered: 2018-05-11
Posts: 2

Re: [Solved] Trusting a self signed certificate

@george_p
Hi, I created the CA files with your script and executed `update-ca-trust`, but `dotnet run` still didn't work.
I tried to import the pfx with `dotnet dev-certs https --clean --import localhost.pfx -p <password>`, but it threw `The certificate at 'path/to/localhost.pfx' is not a valid ASP.NET Core HTTPS development certificate.`
Do you know how to make a valid one?


#5 2025-09-11 19:17:32

pahasara
Member
Registered: 2024-03-01
Posts: 1

Re: [Solved] Trusting a self signed certificate

fakekmz wrote:

@george_p
Hi, I created the CA files with your script and executed `update-ca-trust`, but `dotnet run` still didn't work.
I tried to import the pfx with `dotnet dev-certs https --clean --import localhost.pfx -p <password>`, but it threw `The certificate at 'path/to/localhost.pfx' is not a valid ASP.NET Core HTTPS development certificate.`
Do you know how to make a valid one?

This worked for me.

#!/usr/bin/bash

# ASP.NET Core HTTPS Certificate Generator

set -euo pipefail

readonly CERT_DIR="$HOME/.aspnet/https"
readonly DOMAIN="localhost"
readonly DAYS=365

command -v openssl >/dev/null || { echo "Error: openssl required"; exit 1; }
command -v trust >/dev/null || { echo "Error: p11-kit required"; exit 1; }

mkdir -p "$CERT_DIR"

# Generate certificates: a private CA first, then a server certificate signed by it
openssl genrsa -out "$CERT_DIR/ca.key" 2048 2>/dev/null
openssl req -x509 -key "$CERT_DIR/ca.key" -out "$CERT_DIR/ca.crt" -days $DAYS \
    -subj "/CN=localhost-ca/O=localhost-ca" 2>/dev/null

openssl genrsa -out "$CERT_DIR/$DOMAIN.key" 2048 2>/dev/null
openssl req -new -key "$CERT_DIR/$DOMAIN.key" -out "$CERT_DIR/$DOMAIN.csr" \
    -subj "/CN=$DOMAIN/O=localhost-ca" 2>/dev/null

# Server certificate extensions: end-entity (CA:FALSE), usable for TLS server
# and client authentication, with SANs for the host name and both loopback
# addresses (openssl splits "IP:::1" at the first colon, so it reads as ::1)
openssl x509 -req -in "$CERT_DIR/$DOMAIN.csr" -days $DAYS -out "$CERT_DIR/$DOMAIN.crt" \
    -CA "$CERT_DIR/ca.crt" -CAkey "$CERT_DIR/ca.key" -CAcreateserial \
    -extensions v3_req -extfile <(cat <<EOF
[v3_req]
basicConstraints = CA:FALSE
keyUsage = keyEncipherment, dataEncipherment, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:localhost,DNS:*.localhost,IP:127.0.0.1,IP:::1
EOF
) 2>/dev/null

# Read the PFX password without echoing it. It is still handed to openssl on
# the command line below, so it is visible in the process list while pkcs12 runs.
read -s -p "Enter PFX password: " pfx_password
echo

# Bundle server key, server certificate and the CA certificate into the PFX
# under a friendly name
openssl pkcs12 -export -out "$CERT_DIR/$DOMAIN.pfx" \
    -inkey "$CERT_DIR/$DOMAIN.key" -in "$CERT_DIR/$DOMAIN.crt" \
    -certfile "$CERT_DIR/ca.crt" -name "ASP.NET Core HTTPS development certificate" \
    -passout pass:"$pfx_password" 2>/dev/null

# Trust the CA system-wide; the server certificate itself is not anchored
sudo trust anchor "$CERT_DIR/ca.crt" 2>/dev/null

# Remove the CSR and the CA serial file, which are no longer needed
rm -f "$CERT_DIR/$DOMAIN.csr" "$CERT_DIR/ca.srl"

# The password is printed in clear text here so it can be pasted into the
# environment (it will also land in shell history if the export line is typed)
echo "Certificate created: $CERT_DIR/$DOMAIN.pfx"
echo "Configure with environment variables:"
echo "export ASPNETCORE_Kestrel__Certificates__Default__Path=\"$CERT_DIR/$DOMAIN.pfx\""
echo "export ASPNETCORE_Kestrel__Certificates__Default__Password=\"$pfx_password\""
