.net-core, windows-10, certificate, ubuntu-18.04, certificate-authority

OpenSSL created Certificate Authority works with Windows 10 but not Ubuntu


I create my own Certificate Authority using OpenSSL.
I put the created root certificate on Windows 10 and Ubuntu 18.04.
I create a signed certificate which is used in a .NET Core Server (running on Ubuntu).
When accessing the server on Windows 10 using Chrome, the certificate is valid/secure.
When accessing on Ubuntu, the certificate is invalid.

Here are the steps I took:

Create a CA

openssl genrsa -des3 -out self-ca.key -passout pass:password 2048
openssl req -x509 -new -nodes -key self-ca.key -sha256 -days 1825 -out self-ca.pem -passin pass:password

Install CA on Ubuntu

openssl x509 -outform der -in self-ca.pem -out self-ca.crt
cp self-ca.crt /usr/local/share/ca-certificates/.
update-ca-certificates

Install CA on Windows

Place certificate under Trusted Root Authorities

Create Certificate

req.conf file:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CA
ST = ON
O = Self Certificate
CN = www.<mysite>.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.<mysite>.com

Certificate commands

openssl genrsa -out self.key 2048
openssl req -new -sha256 -key self.key -config req.conf -out self.csr
openssl x509 -req -in self.csr -CA self-ca.pem -CAkey self-ca.key -CAcreateserial -out self.crt -days 1095 -sha256 -extensions v3_req -extfile req.conf -passin pass:password

Create pfx file for use with .NET Core Server:

openssl pkcs12 -export -inkey self.key -in self.crt -out self.pfx

Solution

  • Chrome in Ubuntu uses the NSS database instead of the global /etc/ssl storage.

    The command certutil can be used to import your certificate to the user-level NSS db.

    Install certutil: sudo apt install libnss3-tools

    Add your CA certificate: certutil -d sql:$HOME/.pki/nssdb/ -A -n "My private CA" -i CA_cert.pem -t "C,C,C"

    This command will install the certificate from file CA_cert.pem under the name My private CA as a trusted root for SSL server certificates, S/MIME certificates and code signing certificates.

    To check that the certificate is installed: certutil -L -d sql:$HOME/.pki/nssdb/
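
Added example, not part of the original answer: a small script that checks both trust stores for the same CA, since the system bundle and the per-user NSS db are populated independently. The function names, the default paths and the way the nickname is passed in are assumptions of this example.

```shell
#!/bin/sh
# Added example: check the two independent trust stores on Ubuntu for one CA.
# The default paths and the nickname argument are assumptions; adjust to your setup.

# Print the base64 body of the first PEM certificate (file or stdin) on one line.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ {on = 1; next}
         /-----END CERTIFICATE-----/   {exit}
         on {sub(/\r$/, ""); printf "%s", $0}' "$@"
}

# Print every certificate in a PEM bundle as one base64 line each.
bundle_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ {on = 1; buf = ""; next}
         /-----END CERTIFICATE-----/   {on = 0; print buf; next}
         on {sub(/\r$/, ""); buf = buf $0}' "$1"
}

# 0 if the CA is in the bundle that update-ca-certificates rebuilds, else 1.
in_system_bundle() {    # usage: in_system_bundle CA.pem [BUNDLE]
    bundle="${2:-/etc/ssl/certs/ca-certificates.crt}"
    body=$(pem_body "$1")
    [ -n "$body" ] && [ -r "$bundle" ] || return 1
    bundle_bodies "$bundle" | grep -qxF -- "$body"
}

# 0 if NICKNAME in the NSS db is this CA, 1 if not, 2 if certutil is missing.
in_nss_db() {           # usage: in_nss_db CA.pem NICKNAME [DBDIR]
    command -v certutil >/dev/null 2>&1 || return 2
    want=$(pem_body "$1")
    have=$(certutil -L -d "sql:${3:-$HOME/.pki/nssdb}" -n "$2" -a 2>/dev/null | pem_body)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

report() {              # usage: report CA.pem NICKNAME
    if in_system_bundle "$1"; then echo "system bundle: present"
    else echo "system bundle: absent"; fi
    in_nss_db "$1" "$2"
    case $? in
        0) echo "NSS db: present" ;;
        2) echo "NSS db: certutil not installed" ;;
        *) echo "NSS db: absent" ;;
    esac
}

# Run only when called with arguments, e.g.: sh check.sh self-ca.pem "My private CA"
if [ "$#" -ge 2 ]; then report "$1" "$2"; fi
```

A result of "system bundle: present" with "NSS db: absent" matches the symptom in the question: clients that read /etc/ssl trust the CA while Chrome does not.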