Chrome shows site as "Not Secure" (Cert Invalid), but certificate is correct

I have a self-generated CA, and a generated certificate. The certificate is valid:

» openssl verify -verbose -x509_strict -CAfile rootCA.pem mysite.bundle.crt
mysite.bundle.crt: OK

The root CA is installed in my system (Ubuntu 16.04), and curl is able to validate the cert:

curl https://mysite

No complains here.

I can verify the cert chain in the running site, and everything seems ok, including the SAN entries:

» openssl s_client -showcerts -servername mysite -connect mysite:443 </dev/null 2> /dev/null | openssl x509 -noout -text | grep DNS:
                DNS:mysite

But Chrome still complains. What could be the reason?

EDIT

Adding screenshot

dangonfast

Posted 2018-03-20T14:55:33.430

Reputation: 1 878

Chrome usually shows a specific error code. Can you provide it? – user1686 – 2018-03-20T15:23:04.973

@grawity there is no error code per se, but some details. I have added a screenshot. I can add more if needed. – dangonfast – 2018-03-20T15:30:42.907

Answers

Contrary to curl or s_client neither Chrome nor Firefox use the systems CA store on Ubuntu. They have their own trust store and you need to import the CA certificate into their specific store in order to be treated as trusted. To access the trust store of Chrome use chrome://settings/certificates.

Steffen Ullrich

Posted 2018-03-20T14:55:33.430

Reputation: 3 897

Thanks. Are you sure? This comment to another question of mine says the opposite

– dangonfast – 2018-03-20T15:35:30.670

@dangonfast: Yes I'm sure. Just have a look at the store yourself by using chrome://settings/certificates and see if you find the certificates you've added to the global store there. Chrome does use the system CA store on Windows and Mac but not on Linux. Firefox uses its own store on all platforms. – Steffen Ullrich – 2018-03-20T15:37:18.077

Indeed, that link should be in your answer too! :) And those are the only ones used by Chrome, not on top of the system ones? – dangonfast – 2018-03-20T15:40:44.927

@dangonfast: From my experience these are the only ones. – Steffen Ullrich – 2018-03-20T15:42:58.720

After adding the self-generated CA root certificate to the Chrome store, it shows as valid. Thanks! – dangonfast – 2018-03-20T15:56:09.363

1@dangonfast You never specified what OS. A tag doesn’t count. – Ramhound – 2018-03-20T17:49:56.720