Imported cert into firefox/chrome, still warning

4

I generated a wildcard certificate for multiple (wildcard) domains (SANs: alternate domain names + IP) (see https://blog.flowl.info).


I imported the certificate into Firefox, Chrome and the Windows certificate storage, but when I visit one of my sites it still asks me whether to trust that cert or not (untrusted).

I expect Firefox/Chrome to trust a site when I imported the cert.

Where is the mistake?

Update:

I generated the cert this way:

openssl genrsa -out flowl-2014-2.key 4096

openssl req -new -out flowl-2014-2.csr -key flowl-2014-2.key -config openssl.conf

openssl x509 -req -days 365 -in flowl-2014-2.csr -signkey flowl-2014-2.key -out flowl-2014-2.crt -extensions v3_req -extfile openssl.conf

With config:

[req]
req_extensions = v3_req

[v3_req]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.flowl.info
#..... all the domains
IP.1 = #...the ip(s)

Update:

I generated a .p12 file of my keys/certs and imported that into Firefox, restarted, but it STILL shows my site as untrusted and asks to add an exception....

Update:

The self-signed x509 cert isn't online anymore, I use a CA cert to sign my own cert now like suggested in the accepted answer. It seems a self-signed x509 wildcard cert cannot be imported into the browsers manually and permanently - I tried everything and always got a warning. It works with the CA-signed cert now.

Daniel W.

Posted 2014-06-11T11:55:22.727

Reputation: 1 462

Dauerhaft = permanent – Daniel W. – 2014-06-11T11:56:04.497

+1 for providing a real URL with a real certificate to look at. – jww – 2014-06-12T07:04:37.127

"I imported the certificate into Firefox, Chrome and Windows certificate Storage. but when I visit one of my sites it still asks me wether to trust that cert or not (untrusted)." - what exactly, did you import? Did you import your CA (the issuer C=DE, ST=Hamburg, L=Hamburg, O=flowl.info, OU=flowl.info, CN=Daniel Wendler/emailAddress=daniel.wendler.hamburg@gmail.com)? Or was it the server certificate? If the server certificate, where exactly did you put it in Chrome? – jww – 2014-06-12T07:07:48.720

@noloader I imported the x509 self signed certificate which is not active anymore, I'm now using my own CA cert like suggested in the answer below - this works with all browsers. I imported the same certificate manually which the browsers let me add automatically when I hit "download cert.. (add permanently).. continue anyways". In Chrome: Settings -> advanced settings -> certificates -> import. – Daniel W. – 2014-06-12T07:30:07.367

Answers

1

What you can do is generate a self-signed CA (Certification Authority), and then use it to sign a domain or more, even a starred domain (*.flowl.info).

I've done it for my server: https://dev.fouin.org/ (I have a StartCom cert for https://www.fouin.org, and all the other virtualhosts use a *.fouin.org cert which I signed with my self-signed CA).

Hope it helps, even if it's not exactly what you asked.

pataluc

Posted 2014-06-11T11:55:22.727

Reputation: 580

It was a little bit trouble setting this up but it works like a charm, thank you! – Daniel W. – 2014-06-11T14:45:40.347
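The CA-signed setup the answer recommends, written out as an added example (these are not the question's or the answer's own commands). It builds a private CA whose certificate carries CA:TRUE, signs a wildcard SAN server certificate with that CA instead of with `-signkey`, and then verifies the result the way a browser would: chain to the CA, server purpose, and hostname/IP match against the SANs. Only the CA certificate (ca.crt) is what you import under the browser's "Authorities" tab; the server certificate never needs to be imported. All names, the `.example.test` domain and the 192.0.2.10 address are constructed placeholders; a 2048-bit key is used so the script runs quickly.

```shell
#!/bin/sh
# Added example: private CA + CA-signed wildcard SAN certificate + verification.
# Placeholders: "Example Private CA", *.example.test, 192.0.2.10 (constructed).
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

make_ca() {
  # CA:TRUE (critical) plus keyCertSign is what makes a browser accept this
  # certificate as a trust anchor once it is imported as an authority.
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Example Private CA
[ca_ext]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
EOF
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -x509 -new -sha256 -days 3650 -key ca.key -config ca.cnf -out ca.crt
}

make_server_cert() {
  # End-entity certificate: CA:FALSE, serverAuth, and the SANs the browser
  # actually matches against (CN alone is no longer enough in modern browsers).
  cat > server.cnf <<'EOF'
[req]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[dn]
CN = *.example.test
[v3_req]
basicConstraints  = CA:FALSE
keyUsage          = digitalSignature, keyEncipherment
extendedKeyUsage  = serverAuth
subjectAltName    = @alt_names
[alt_names]
DNS.1 = *.example.test
DNS.2 = example.test
IP.1  = 192.0.2.10
EOF
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -config server.cnf -out server.csr
  # Sign with the CA (-CA/-CAkey) rather than -signkey. -extfile/-extensions
  # re-apply the SAN block because "openssl x509 -req" drops CSR extensions.
  openssl x509 -req -sha256 -days 365 -in server.csr \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile server.cnf -extensions v3_req -out server.crt 2>/dev/null
}

# Returns 0 when server.crt chains to ca.crt, is usable as a TLS server cert,
# and its SANs cover the given host name (wildcard match included).
verify_host() {
  openssl verify -CAfile ca.crt -purpose sslserver -verify_hostname "$1" server.crt >/dev/null
}

# Same check for an IP literal, which must appear as an IP SAN, not a DNS SAN.
verify_ip() {
  openssl verify -CAfile ca.crt -purpose sslserver -verify_ip "$1" server.crt >/dev/null
}

# Returns 0 when the issued certificate really carries the SAN entries.
has_san() {
  openssl x509 -in server.crt -noout -text | grep -q "DNS:\*\.example\.test"
}

make_ca
make_server_cert
has_san && echo "SANs present in server.crt"
verify_host www.example.test && echo "www.example.test: chain OK"
echo "Import $WORK/ca.crt as an authority; serve server.crt + server.key."
```

Two checks worth keeping in mind from this script: `openssl verify` without `-CAfile` (or with the wrong CA) fails exactly as the browser does, so it is a quick offline way to tell "not trusted" from "name mismatch"; and a host that is not covered by the SAN list (`verify_host other.test` here) fails even though the chain itself is fine.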