I generated a wildcard certificate for multiple (wildcard) domains (SANS, alternate domain names + IP) (see https://blog.flowl.info).
I imported the certificate into Firefox, Chrome and Windows certificate storage, but when I visit one of my sites it still asks me whether to trust that cert or not (untrusted).
I expect Firefox/Chrome to trust a site when I imported the cert.
Where is the mistake?
Update:
I generated the cert this way:
openssl genrsa -out flowl-2014-2.key 4096
openssl req -new -out flowl-2014-2.csr -key flowl-2014-2.key -config openssl.conf
openssl x509 -req -days 365 -in flowl-2014-2.csr -signkey flowl-2014-2.key -out flowl-2014-2.crt -extensions v3_req -extfile openssl.conf
With config:
[req]
req_extensions = v3_req
[v3_req]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.flowl.info
#..... all the domains
IP.1 = #...the ip(s)
Update:
I generated a .p12 file of my keys/certs and imported that into Firefox, restarted, but it STILL shows my site as untrusted and asks to add an exception....
Update:
The self-signed x509 cert isn't online anymore; I use a CA cert to sign my own cert now, as suggested in the accepted answer. It seems a self-signed x509 wildcard cert cannot be imported into the browsers manually and permanently - I tried everything and always got a warning. It works with the CA-signed cert now.
Dauerhaft = permanent – Daniel W. – 2014-06-11T11:56:04.497
+1 for providing a real URL with a real certificate to look at. – jww – 2014-06-12T07:04:37.127
"I imported the certificate into Firefox, Chrome and Windows certificate storage, but when I visit one of my sites it still asks me whether to trust that cert or not (untrusted)." - what exactly did you import? Did you import your CA (the issuer C=DE, ST=Hamburg, L=Hamburg, O=flowl.info, OU=flowl.info, CN=Daniel Wendler/emailAddress=daniel.wendler.hamburg@gmail.com)? Or was it the server certificate? If the server certificate, where exactly did you put it in Chrome? – jww – 2014-06-12T07:07:48.720
@noloader I imported the x509 self-signed certificate, which is not active anymore; I'm now using my own CA cert as suggested in the answer below - this works with all browsers. I imported the same certificate manually which the browsers let me add automatically when I hit "download cert.. (add permanently).. continue anyways". In Chrome: Settings -> advanced settings -> certificates -> import. – Daniel W. – 2014-06-12T07:30:07.367
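The CA-signed setup described in the question's last update, as an added example that is not part of the original post or its comments. The CA name, the `example.test` domain, the file names, the key-usage choices and the 2048-bit keys (used to keep the run short) are all assumptions.

```shell
#!/bin/sh
# Added example: private CA plus a CA-signed wildcard server certificate.
# All names (Example Private CA, example.test, file names) are placeholders.
make_ca_signed_cert() {
    dir=$1 domain=$2
    cat > "$dir/openssl.conf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.$domain, DNS:$domain
EOF
    # 1. CA key and self-signed CA certificate (CA:TRUE). Only ca.crt is
    #    imported into the browser/OS trust store; ca.key stays private.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/openssl.conf" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # 2. Server key and CSR for the wildcard name.
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/openssl.conf" -subj "/CN=*.$domain" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # 3. Sign the CSR with the CA (-CA/-CAkey) instead of -signkey, adding
    #    the SAN extension from the v3_req section.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extensions v3_req -extfile "$dir/openssl.conf" \
        -out "$dir/server.crt" 2>/dev/null || return 1
    # 4. Confirm the server certificate chains to the CA; exit status 0 = OK.
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1
}

workdir=$(mktemp -d)
make_ca_signed_cert "$workdir" example.test \
    && echo "chain verified; trust anchor to import: $workdir/ca.crt"
```

The web server is configured with `server.crt` and `server.key`; the browsers receive only `ca.crt` as a trusted authority.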