My SSL certificate is not trusted

I made a certificate on my server using the following command:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt 

and configured everything correctly, because my site is accessible if I type https instead of http. But there is a problem. My certificate is not trustworthy.

Firefox says:

 sec_error_untrusted_issuer 

And Chrome:

 NET::ERR_CERT_AUTHORITY_INVALID 

Is there a way to make my certificate reliable, so that the error does not occur?

Of course, I can take the risk and go to the site, but those who visit my site through https will not like it.

+7
linux apache openssl
2 answers

Firefox: Go to the https page. Below is the option: "I understand the risks." Expand this section and add an exception.

Chrome: It's a little trickier. You must save the certificate provided by the web server in your file system and then import the certificate into Chrome. Settings → Advanced settings → HTTPS / SSL → Certificate management → Servers → Import.

If you want outside people to use your site, you need to get a certificate signed by a certification authority. Then you use this signed certificate on your web server.

+10

The owner of the certificate (the one who issues the certificate) must trust the browser. Self-signed certificates are not trusted by default. Therefore, the certificate must be manually accepted by the user, which is not something big, and in Chrome it is strangely very complicated.

For administration areas and only for working with pro-users, this is not a problem, but this cannot be expected for the general public.

If you have your own IP address, this is not difficult, because places like startssl have free certificates, and registrars like gandi.net provide 1 year of free certificate.

If you have a shared IP address with other users, there are several clients that won't be able to navigate efficiently (since there is only one SSL listener on the IP address). Windows XP (all browsers), Android 2.x, and Blackberry 7.x do not support the SSL negotiation extension, which includes the domain name.

Note: Now it is August 2017 and many other sections do not support SNI, as well as the free (and fairly easy to use) SSL Certificates LetsEncrypt.

+3
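
Why the browsers reject the certificate from the question, and what importing it changes, shown with openssl itself. This is an added example, not part of the original question or answers; the CN values, file names and temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. CN values and the temporary directory are constructed.

# Same kind of certificate as the question's command, written under "$1".
make_selfsigned() {   # $1 = output dir, $2 = base name, $3 = CN
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Self-signed: the issuer name and the subject name are identical.
is_self_signed() {    # $1 = certificate file
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True when certificate $2 chains to a trust anchor found in bundle $1.
trusted_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

dir=$(mktemp -d)
make_selfsigned "$dir" apache example.test
# A second, unrelated certificate stands in for a trust store
# that does not contain the server's certificate.
make_selfsigned "$dir" other unrelated-ca.test

is_self_signed "$dir/apache.crt" && echo "issuer == subject: self-signed"
trusted_by "$dir/other.crt" "$dir/apache.crt" || echo "issuer not in trust store: rejected"
trusted_by "$dir/apache.crt" "$dir/apache.crt" && echo "certificate imported as anchor: accepted"

rm -rf "$dir"
```

The rejected case is what Firefox and Chrome report as an untrusted issuer; the accepted case corresponds to adding the exception or importing the certificate on one client, which does nothing for other visitors.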