Chrome NET :: ERR_CERT_AUTHORITY_INVALID在LocalHost自签名证书上的错误

我修正了我在this之后的完全相同的问题。

问题似乎是证书的创建方式。

下面的代码是来自上述的网站。

#!/usr/bin/env bash 
mkdir ~/ssl/ 
openssl genrsa -des3 -out ~/ssl/rootCA.key 2048 
openssl req -x509 -new -nodes -key ~/ssl/rootCA.key -sha256 -days 1024 -out ~/ssl/rootCA.pem 


#!/usr/bin/env bash 
sudo openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config <(cat server.csr.cnf) 

sudo openssl x509 -req -in server.csr -CA ~/ssl/rootCA.pem -CAkey ~/ssl/rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext 

server.csr.cnf文件

[req] 
default_bits = 2048 
prompt = no 
default_md = sha256 
distinguished_name = dn 

[dn] 
C=US 
ST=New York 
L=Rochester 
O=End Point 
OU=Testing Domain 
[email protected]omain.com 
CN = localhost 

v3.ext文件

authorityKeyIdentifier=keyid,issuer 
basicConstraints=CA:FALSE 
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment 
subjectAltName = @alt_names 

[alt_names] 
DNS.1 = localhost 

有一个伟大的图形用户界面基于Java的工具，我使用的创建和处理所有的事情PKI称为KeyStore Explorer。因此，比所有的命令行选项更容易：

http://keystore-explorer.org/

下面是使用密钥库资源管理器工具我的指示。

的两件事情，当我创建的证书我以前缺少的是：

• AKID（权威密钥识别） - 选择相同的“CN =”在创建时使用。
• 添加在“基本约束”选项（不要选择“是CA”）

没有那些两件事情的Chrome甚至会发出警告/错误时，你已经安装了自签名证书到您的MS -CAPI PKI信任存储（为“受信任的根机构）。

下面是我使用的步骤。

Instructions using KSE (KeyStore Explorer) 
Create a JKS 
Creating a self-signed certificate 
Open KeyStore Explorer 
File | New | JKS | OK 
Create a Password for your JKS file 
File | Save as... | enter your password 
Enter file name | OK 
Tools | Generate Key Pair 
Select Algorithm and Key Size (i.e. 2048) | OK 
Select validity period (i.e. 5 years) 
Select Name (Book icon) | Enter in Name fields | OK 
I.e. “CN=localhost…<or SERVER_NAME>” 
Add Extensions (Very Important), this determines what type of certificate it will be and how it can be used. This example will be for a standard server certificate with SSL. 
Add in the Key Usage item 
Add in the Digital Signature and Key Encipherment options checkbox 
Add in the EKU (Extended Key Usage) options 
Select both of these options: 
TLS Web Client Authentication 
TLS Web Server Authentication 
Add in the SANs (Subject Alternative Name) 
Add in all the needed DNS names and IP Addresses (if applicable) for which this server will be used. (repeat for all desired values) (e.g. 127.0.0.1 and localhost (or <SERVER_NAME>) 
It will look something like this when it's done 
When it's done you will see all the fields with the OIDs (Object Identifiers) listed | OK | OK 
Add in the AKID (Authority Key Identifier) 
Add Extensions "+" 
Add Extension Type | Authority Key Identifier 
Select the Authority Cert Issuer of the CN that you created above (.e.g "CN=localhost...") | OK 
Add in a "Basic Constraints" (do NOT check "Subject is a CA") 
When you're done you'll see these listed: hit "OK" 
Note: the Basic Constraints and AKID (Authority Key Identifer) are needed for the Chrome Browser to validate the self-signed certificate as a trusted certificate. 
Otherwise you'll see warning or error messages even after you have add this certificate, explicitly, to your MS-CAPI Trusted Root certificates. 
Enter in the Alias of the keypair name you want to use 
Enter in the private keypair password 
*Note: this password MUST be the same as the JKS file keystore password or Java may fail silently when trying to use this certificate. 
You should see a message indicating success. | OK 
Then, save the File | Save