Warning from self-signed certificate using OpenSSL


I've generated a self-signed certificate using this command, with CN equal to "localhost": openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out cert.pem -keyout private.pem

(from https://gist.github.com/SeanPesce/af5f6b7665305b4c45941634ff725b7a)

When I execute the server with certificate and private key, and go to localhost, I get the warning from Firefox telling me that the certificate is self-signed, which was expected. But after importing the certificate as a CA, I get another warning:

Error code: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY

https://localhost/

The server uses a certificate with a basic constraints extension identifying it as a certificate authority. For a properly-issued certificate, this should not be the case.

HTTP Strict Transport Security: false
HTTP Public Key Pinning: false

How do I solve the warning?


There are 1 answers

vinalti

Problem

I think you are using the Certificate Authority certificate instead of a normal certificate on your server. CA_CERT_USED_AS_END_ENTITY seems to say that. You should use a sub-certificate generated from the CA.

Create the certificate

I've had a very similar issue, and created a tool for automating the process and making it easier to create self-signed certificates that are valid:

The process is quite simple:

  • Clone the repository
  • Execute the script generate_certificate.sh
  • Follow the flow (and read the README)

Don't forget to have the correct name in the certificate mapping to your website or service: you should use a file containing the config with DNS:localhost or IP:127.0.0.1 (you might have to include the port number).

Installing the certificate on the server

On the server, you need to use the hostname.priv.key for the key and the chain hostname.chain.pem for the public certificate.

You should not use the Root Certificate (CA), but a certificate generated from the CA.

Trust the certificate on the client

You only need to trust the Certificate Authority (CA). There is also a full explanation on how to get it trusted by the different devices on the project page. On Firefox I think you can (and must?) import the CA.pem directly in Firefox under the security settings, but importing it on the host might just work as well; you need to test.

On a lower level, Christian Lempa made a very useful SSL Certificates Cheatsheet.

Let me know if my answer was helpful!