Self-signed SSL certificate for localhost, how to make trusted

I have a C# application for self-hosting Owin, which provides web API services on 127.0.0.1/10555 (it only listens on localhost, no external connections).

These web API services are called using Ajax from an AngularJS application. Aside: the reason for the Owin application is that it requires some interaction with the hardware, which is not possible in the browser. In addition, the AngularJS application is intended for internal use, so I control the browsers used.

The above works very well over HTTP, but for the AngularJS application you must use SSL, which does not work if the Owin application does not also use SSL (otherwise you will get "mixed content" errors).

I bought an official certificate for an AngularJS application, and I use self-signed certificates for Owin localhost files.

The problem is that I get "NET::ERR_CERT_AUTHORITY_INVALID" (when testing from Chrome) and "net::ERR_INSECURE_RESPONSE" from the AngularJS application when talking to the Owin Web API.

Here is what I did, in broad strokes:

I used a CentOS box to create a certificate for localhost and exported it in pkcs12 / pfx format. I also generated a CA certificate and exported it in the same way.

Using MMC, I imported the localhost certificate on the Windows 7 machine running the Angular and Owin applications into Certificates (Local Computer) > Personal > Certificates.

I also imported the CA certificate on the Windows 7 machine into Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.

Looking at the localhost certificate, it says "Issued to: localhost", "Issued by: ca.acme.com", "You have a private key that matches this certificate", and (along the certification path) "This certificate is Ok".

CA cert says: "Issued: ca.acme.com", issued: "ca.acme.com", "You have a private key that matches this certificate" (along the certification path) "This certificate is Ok"

    netsh http show sslcert

    IP:port                      : 127.0.0.1:5555
    Certificate Hash             : 1234555555555555555555511155555555555555
    Application ID               : {1234a123-1234-1234-1234-123412341234}
    Certificate Store Name       : (null)
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

What am I missing? How do I make Chrome, etc. trust the SSL certificate for localhost?

+7
javascript security ssl ssl-certificate
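
Added example (not part of the original question or answers): one way to produce the CA and localhost certificate described in the question with OpenSSL, including a subjectAltName, which current Chrome versions use for host name matching instead of the CN. The file names, the PFX password and the 365-day lifetime are assumptions; ca.acme.com is the CA name from the question.

```shell
#!/bin/sh
# Added example: private CA plus a localhost server certificate via OpenSSL.
# File names, the PFX password and lifetimes are constructed placeholders.

make_localhost_cert() {
    d=$1
    mkdir -p "$d" &&
    # CA key and self-signed CA certificate. Import only ca.crt (never
    # ca.key) into "Trusted Root Certification Authorities".
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=ca.acme.com" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    # Server key and signing request for localhost.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=localhost" \
        -keyout "$d/localhost.key" -out "$d/localhost.csr" 2>/dev/null &&
    # Leaf extensions: not a CA, TLS server use only, and the names the
    # browser will actually connect to listed as subjectAltName entries.
    printf '%s\n' \
        'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        'subjectAltName = DNS:localhost, IP:127.0.0.1' > "$d/leaf.ext" &&
    # Sign the request with the CA.
    openssl x509 -req -sha256 -days 365 -in "$d/localhost.csr" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -extfile "$d/leaf.ext" -out "$d/localhost.crt" 2>/dev/null &&
    # Bundle key + leaf + CA certificate as PKCS#12 for the Windows import.
    openssl pkcs12 -export -passout pass:changeit \
        -inkey "$d/localhost.key" -in "$d/localhost.crt" \
        -certfile "$d/ca.crt" -out "$d/localhost.pfx"
}

# Does the leaf chain to the CA?
chain_ok() { openssl verify -CAfile "$1/ca.crt" "$1/localhost.crt" >/dev/null 2>&1; }

# Are both names present in subjectAltName?
has_localhost_san() {
    t=$(openssl x509 -in "$1/localhost.crt" -noout -text) &&
    echo "$t" | grep -q 'DNS:localhost' && echo "$t" | grep -q 'IP Address:127.0.0.1'
}

# SHA-1 thumbprint without colons, the form netsh expects for certhash=.
thumbprint() {
    openssl x509 -in "$1/localhost.crt" -noout -fingerprint -sha1 |
        sed 's/^.*=//; s/://g'
}
# Usage: make_localhost_cert ./certs && chain_ok ./certs && thumbprint ./certs
```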
3 answers

I got this working (at least for my current needs).

I copied the localhost certificate from "Certificates (Local Computer) > Personal > Certificates" to "Certificates (Current User) > Personal > Certificates". This got rid of the red crossed-out https in Chrome (and the message "NET::ERR_CERT_AUTHORITY_INVALID"), as well as the error "net::ERR_INSECURE_RESPONSE" in AngularJS.

Please note that in my case the localhost certificate must be located both in the local computer storage and in the current user's storage, otherwise the netsh command to bind to port 5555 (for the Owin application) will fail:

    netsh http add sslcert ipport=127.0.0.1:5555 certhash=1234555555555555555555511155555555555555 appid={1234a123-1234-1234-1234-123412341234}

    SSL Certificate add failed, Error: 1312, A specified logon session does not exist. It may already have been terminated.

Chrome still does not have a beautiful green padlock (now it has a yellow triangle on the padlock, "The identity of this site has been verified by ca.acme.com, but it does not have public audit records"), but this does not seem to interfere with the interaction with the Web API, so everything should be fine.

If anyone knows a simple way to make everything green and pleasant without warning, I'm still interested, but this is not critical.

+5

On Linux, I had to apt-get install libnss3-tools

With libnss3-tools you get certutil

Now the key command:

 certutil -d sql:$HOME/.pki/nssdb -A -t "CP,CP," -n <your alias> -i <your crt-file to import> 

This is the solution to all my Chrome issues on Raspberry / Linux

0

No; you will not be able to obtain a certificate for "localhost" professionally signed by any reputable SSL provider, because "localhost" is not under a domain name that belongs to you. (Indeed, it's not exactly a domain name at all, it's a bare host name.)

You may be able to create a real domain name (for example, localhost.example.com) that resolves to 127.0.0.1 and get a signed certificate for it, but this is rather doubtful. Some SSL providers may not sign it anyway. It's worth a try though!

-2