Local SSL Certificates in Chrom(e/ium) 63

I have asked a similar question here before. But the solution provided has stopped working. I am trying to get ssl certificates for local hosts. I do not need them to be official, they only need to work on my local machine.

I develop websites and all my local copies of are in the form domain.local.

I have already discovered that Chrome is not going to allow a *.local certificate.

Until I upgraded to chromium 63, the following process was working fine:

conf/caconfig.cnf

#..................................
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /home/*****/Sites/root-ca
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/certs/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 3000
default_md = sha256
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
copy_extensions = copyall
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = *****
localityName_default = *****
stateOrProvinceName_default = *****
countryName_default = *****
emailAddress_default = *****
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName       = @alternate_names
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectAltName       = @alternate_names
nsComment            = "OpenSSL Generated Certificate"

[ alternate_names ]

DNS.1       = site1.local
DNS.2       = site2.local
DNS.3       = site3.local
DNS.4       = site4.local

Create certificate authority

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out certs/cacert.pem -days 3000 -config conf/caconfig.cnf

When prompted

Common Name (hostname, IP, or your name) []:Jonathan Hodgson

Create Request

openssl req -extensions v3_req -new -nodes -out local.req.pem -keyout private/local.key.pem -config conf/caconfig.cnf

When Prompted

Common Name (hostname, IP, or your name) []:*.local

Sign Request

openssl ca -out certs/local.cert.pem  -config conf/caconfig.cnf -infiles local.req.pem

Relevant Part of Apache Config

<VirtualHost *:443>
    ServerName test.local
    ServerAlias *.local
    VirtualDocumentRoot /home/jonathan/Sites/%-2/public_html
    CustomLog /home/jonathan/Sites/access.log vhost_combined
    ErrorLog /home/jonathan/Sites/error.log
    SSLEngine On
    SSLCertificateFile /home/jonathan/Sites/root-ca/certs/local.cert.pem
    SSLCertificateKeyFile /home/jonathan/Sites/root-ca/private/local.key.pem
</VirtualHost>

I then import the certs/cacert.pem file into the browsers certificate manager as an authority.

This works fine in Chrome 61 and Firefox 55 but doesn’t work in Chromium 63. Although I can’t confirm it, I am also confident that it worked in Chromium 62 meaning it is something that has changed in Chromium 63.

Chromium 63 SSL Problem

Interestingly, the security panel of dev-tools seems to imply that the certificate is ok:

Chrome Dev Tools Security panel

Edit:
As Requested by @garethTheRed

$ openssl x509 -noout -text -in certs/local.cert.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Jonathan Hodgson Ltd, emailAddress = ########, L = #########, ST = #######, C = GB, CN = Jonathan Hodgson
        Validity
            Not Before: Sep 21 10:18:36 2017 GMT
            Not After : Dec  8 10:18:36 2025 GMT
        Subject: C = GB, ST = #######, O = Jonathan Hodgson Ltd, CN = *.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e8:2c:e0:9e:e2:3e:6b:d6:2d:37:ab:a3:92:96:
                    46:ee:7e:77:6c:4b:04:6b:7e:ba:5c:a5:d6:4b:03:
                    a2:6a:54:12:c9:ff:2a:dc:12:8b:ee:f6:16:7b:28:
                    f8:78:ec:df:7b:29:09:b9:01:56:d3:08:b7:5a:46:
                    fe:1f:70:13:63:47:3c:f6:fe:f1:f4:0e:16:b8:5d:
                    8e:72:fa:c8:c3:07:eb:9c:61:66:63:52:19:47:66:
                    ef:bb:99:f7:cb:21:c6:b8:f3:84:c2:65:49:d9:b5:
                    fb:1d:75:dd:8a:79:b1:f8:02:e1:59:ae:ce:b8:7a:
                    1b:54:7b:58:58:cb:f8:ab:bf:7f:97:b3:0c:8f:c2:
                    b0:ee:ee:24:5b:7a:9d:b0:9a:ed:c7:56:52:72:f1:
                    ac:d2:f5:06:3a:5e:07:f6:f0:12:70:bc:4d:4b:bb:
                    99:b7:81:b7:e8:58:f1:a1:4a:2e:41:ee:1b:a4:9e:
                    e0:a7:0b:51:d5:94:5d:54:36:83:bd:38:9d:1d:4d:
                    e2:d8:4d:b0:b1:df:2b:42:1d:71:46:94:77:4a:c3:
                    19:1e:04:3d:29:2c:0b:c3:96:aa:9f:a1:b9:5a:a8:
                    37:8d:8a:7c:71:32:64:c4:d3:85:d3:78:0e:f3:9c:
                    8f:05:d7:5a:03:1b:67:d6:42:3b:3f:0e:cc:95:f3:
                    2d:cf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                5C:17:CD:7A:5D:9F:DC:01:DF:37:3E:7C:3D:61:50:CB:7D:0C:78:87
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:fellowship.local, DNS:magento-vanilla.local, DNS:dotjs.local, DNS:dotcss.local
            Netscape Comment: 
                OpenSSL Generated Certificate
    Signature Algorithm: sha256WithRSAEncryption
         4d:f2:7c:bf:68:72:63:ad:e8:82:d3:59:0b:28:4d:22:f9:a4:
         a4:64:49:5e:f2:8a:29:09:21:2f:2e:c8:41:e9:8b:fb:52:ed:
         b4:8d:38:22:ad:3b:fa:2d:6f:d6:71:90:2a:cf:a0:86:20:b9:
         41:12:b2:e6:20:1b:88:a1:da:40:27:a0:89:a8:8e:51:38:ed:
         16:ab:96:6b:15:bd:80:96:32:5c:e9:a3:42:88:22:b4:98:f6:
         f1:07:0b:8c:35:44:36:65:f5:21:56:f8:68:22:3c:7e:49:c6:
         8e:1d:da:28:7a:fa:e0:15:d2:69:a9:13:0f:e1:de:ee:3b:0f:
         ef:b9:2e:09:49:af:88:ce:2f:c0:d2:79:7a:9c:7a:31:1d:34:
         bc:af:70:9d:da:63:bc:10:c1:9e:12:4f:90:03:37:c4:ea:b4:
         d6:f0:fc:c3:94:ac:95:e2:ab:bd:54:62:dd:cb:58:96:b2:92:
         f9:7c:bc:21:e4:a4:a9:d0:70:83:62:b3:98:fd:20:e1:e5:37:
         0b:95:3a:28:3d:41:17:03:47:c2:c1:f3:4a:59:da:eb:d8:55:
         d6:a9:9b:83:e5:49:3d:23:92:91:98:14:2e:d5:06:55:d9:77:
         90:48:21:ec:1b:9e:1b:84:85:36:ec:4f:86:50:de:fb:71:d9:
         2a:06:9f:77

I have #ed out my email and location

Edit 2:

Here is the new certificate I have generated with a new CN and serial number.

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Jonathan Hodgson Ltd, emailAddress = ##########, L = ######, ST = ######, C = #########, CN = JonathanHodgsonAuthority
        Validity
            Not Before: Sep 25 13:13:46 2017 GMT
            Not After : Dec 12 13:13:46 2025 GMT
        Subject: C = GB, ST = ########, O = Jonathan Hodgson Ltd, CN = MyNewCN
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ae:b3:b5:18:06:e5:91:05:90:80:57:6a:8d:78:
                    50:94:09:b6:73:e6:4c:4e:5f:8c:f0:e3:8e:5b:bb:
                    09:f7:4c:6d:c2:c4:4a:ba:bb:7d:c3:53:1c:98:98:
                    2a:ea:be:8a:7f:cd:de:58:d8:74:2b:c1:5c:a9:44:
                    24:17:49:7e:6a:87:8d:a0:55:f8:71:b3:93:e3:b2:
                    fe:5b:88:7a:2a:45:15:3e:eb:94:c7:a2:26:74:db:
                    9e:58:84:45:cc:db:f9:4b:51:22:25:c0:27:ca:47:
                    76:6e:05:a6:5b:6d:74:a2:92:0e:67:d4:5c:bf:08:
                    cf:78:d9:95:f2:55:d1:ec:d4:78:ff:02:64:16:b9:
                    79:44:06:39:4e:bb:d0:a2:9d:91:93:b5:43:68:39:
                    f2:22:f3:0a:b4:eb:5c:1b:d1:54:51:4f:ac:23:43:
                    08:66:8e:a3:57:8c:51:ab:12:ec:7d:32:de:1f:a8:
                    e1:d8:99:c6:b2:94:87:e0:7a:8e:80:75:fe:44:10:
                    e6:1c:86:dd:90:c9:1f:0e:2f:3f:3e:fb:af:c7:dc:
                    0a:60:d3:2c:78:a3:62:0f:9a:e6:91:12:bc:e3:1c:
                    77:a7:31:04:23:b3:82:11:3c:d4:cc:5e:ae:71:fd:
                    8f:7c:12:b5:88:33:92:f5:6b:71:6f:cb:0b:93:bd:
                    13:b1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                6E:66:B9:C8:57:03:81:E4:2D:99:7C:78:28:B1:E3:36:D4:4B:C5:76
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:fellowship.local, DNS:magento-vanilla.local, DNS:dotjs.local, DNS:dotcss.local
            Netscape Comment: 
                OpenSSL Generated Certificate
    Signature Algorithm: sha256WithRSAEncryption
         4d:73:39:76:88:5e:01:d5:80:8e:4e:b9:11:2d:99:6f:a5:6a:
         f9:6f:1b:07:e4:7c:5e:ca:24:36:c0:55:bf:10:71:c8:57:0b:
         16:67:97:75:80:ce:7b:f2:d7:38:6f:cd:d3:00:7d:5a:76:db:
         7f:90:ad:12:47:8a:e6:4c:b0:16:cb:ab:be:89:4c:3f:6d:7d:
         a0:72:a2:18:93:8a:1c:a8:b9:12:70:c8:b2:8d:81:49:61:62:
         80:b1:04:c3:a2:de:22:d2:7f:2d:65:6e:1d:49:6a:65:7c:3f:
         2f:8b:9f:5f:6d:1d:4b:c5:04:ad:37:c9:e4:c3:1b:5e:03:0e:
         60:8b:6c:09:46:71:e1:02:b9:94:9c:14:87:94:aa:e0:93:05:
         b9:df:f6:c2:99:b4:c8:62:c0:49:bb:97:dc:b9:a7:75:4e:55:
         d8:06:49:07:2d:d4:7e:cf:be:89:63:f6:91:22:ca:e0:d5:65:
         e4:73:88:0a:c1:d9:d5:a0:75:db:b3:41:d6:05:cb:62:7b:19:
         01:de:62:d2:4d:7d:86:88:32:a8:8e:84:f6:96:6a:53:77:31:
         7a:62:46:66:6a:7b:56:0e:89:77:0b:fb:e0:34:f3:ae:f2:08:
         c5:81:ab:dd:3e:19:0a:59:eb:b2:44:e7:c8:f0:a5:30:a2:ae:
         06:f3:e1:9e

Here is Solutions:

We have many solutions to this problem, But we recommend you to use the first solution because it is tested & true solution that will 100% work for you.

Solution 1

You are seeing this message because your certificate is a version 1 certificate but includes extensions (extensions were introduced in version 3 of the X.509 standard).

This seems to be a feature of the OpenSSL CA command. It will only set the version to 3 if it believes it has added an extension to the certificate. If it simply copies an extension from the request through to the certificate using the copy_extensions = copyall (or = copy) option, it seems to fail to spot that the generated certificate has an extension and marks it as version 1. I’ve raised a bug report for this (which was fixed in a matter of hours!).

Either recompile OpenSSL with the patch applied, or to work around this, define an extension section in your config file, but don’t define any extensions within that section. Add a line to the [ CA_defaults ] section as follows:

x509_extensions = cert_ext

At the bottom of the file, define an empty cert_ext section:

[ cert_ext ]

Any certificates you now generate will be version 3 and Chrome 63 won’t complain.

Note that you cannot downgrade to version 1 certificates (without extensions) as Chrome has stopped accepting hostnames in the Subject’s commonName field (which is how they were defined in the absence of a Subject Alternate Names extensions) since Chrome version 58. Firefox, on the other hand, will quite happily work with version 1 certificates.

Note: Use and implement solution 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply