Tags: ssl, nginx, openssl, ssl-certificate, certificate-store

How to get Chrome/browser to accept my SSL cert (signed by intermediate cert for my own CA)


I come from a DEV background, but trying to improve my sec/ops skills to become more versatile.

I've set up my own local certificate authority following this guide (albeit fairly loosely).

I successfully created a root pair (key & cert), an intermediate pair, and a server pair for test.mydomain.com.

I then configured nginx as a service proxy to a Node.js web API (served by Express FWIW). Both nginx and the nodejs service are containerised and I'm just using docker-compose to run this locally. I've also added a hosts entry so that I can access my service using test.mydomain.com. Eventually I want to implement the service-proxy/sidecar pattern in Kubernetes (where nginx and the (micro)service run in the same pod), but for now I'm just trying to get it working in docker.

It was all working over HTTP, so the next step is to get it working for HTTPS (where TLS terminates at the nginx service-proxy and the request then gets proxied to the Node.js service over HTTP). It is working, but I can't get my browser (Chrome running in Windows) to accept my certificate.


I've tried a few combinations of importing certificates into Windows certificate stores including:

but I can't get Chrome to accept my certificate.

FYI nginx is configured as follows

ssl_certificate /etc/ssl/test.mydomain.com.cert.pem;
ssl_certificate_key /etc/ssl/private/test.mydomain.com.key.pem;

Should I be chaining the server, intermediate, & root certs for the ssl_certificate setting in nginx? And what certificate (or chained certificate) should I be importing to which certificate store?

I also noticed there's an ssl_trusted_certificate nginx setting, which I'm not sure if I should be using...

Cheers, Ryan.


Solution

  • OK, so I finally got it all working. There were a few things...

    I managed to get things working in Firefox first, but Chrome was still failing. This was the clue that I needed - turns out Chrome requires certificates to include one or more Subject Alternative Names as opposed to just a Common Name (which is evidently acceptable to Firefox).

    I had to configure Subject Alternative Names when I created and signed the certificate request.

    The rest was fairly easy.

    In nginx, ssl_certificate is pointing at a chained certificate (server cert + intermediate cert).

    And then I had to import the root certificate into the trusted root CAs for the local computer.

    Restart Chrome and voilà:
