Sorted. The below works, alternatively you could recreate the selfsigncert on you domain controller cert server but add the addtional 'subjective alternate name' entries ( which is the same as the cn entry plus any other dns name's associated to the same ip) then convert the pfx file to a keystore type....etc:
Here are my instructions using the KeyStore Explorer tool.
The 2 things I was previously missing when I created the cert were:
- AKID (Authority Key Identifier) - select the same "CN=" you used when creating it.
- Adding in the "Basic Constraints" option (do not select "is a CA")
Without those 2 things Chrome will issue warnings / errors even when you have installed the self-signed certificate into your MS-CAPI PKI Trust store (as a "Trusted Root Authority).
Here are the steps I used.
- Instructions using KSE (KeyStore Explorer)
- Create a JKS
- Creating a self-signed certificate
- Open KeyStore Explorer
- File | New | JKS | OK
- Create a Password for your JKS file
- File | Save as... | enter your password
- Enter file name | OK
- Tools | Generate Key Pair
- Select Algorithm and Key Size (i.e. 2048) | OK
- Select validity period (i.e. 5 years)
- Select Name (Book icon) | Enter in Name fields | OK
- I.e. “CN=localhost…”
- Add Extensions (Very Important), this determines what type of certificate it will be and how it can be used. This example will be for a standard server certificate with SSL.
- Add in the Key Usage item
- Add in the Digital Signature and Key Encipherment options checkbox
- Add in the EKU (Extended Key Usage) options
- Select both of these options:
- TLS Web Client Authentication
- TLS Web Server Authentication
- Add in the SANs (Subject Alternative Name)
- Add in all the needed DNS names and IP Addresses (if applicable) for which this server will be used. (repeat for all desired values) (e.g. 127.0.0.1 and localhost (or )
- It will look something like this when it's done
- When it's done you will see all the fields with the OIDs (Object Identifiers) listed | OK | OK
- Add in the AKID (Authority Key Identifier)
- Add Extensions "+"
- Add Extension Type | Authority Key Identifier
- Select the Authority Cert Issuer of the CN that you created above (.e.g "CN=localhost...") | OK
- Add in a "Basic Constraints" (do NOT check "Subject is a CA")
- When you're done you'll see these listed: hit "OK"
- Note: the Basic Constraints and AKID (Authority Key Identifer) are needed for the Chrome Browser to validate the self-signed certificate as a trusted certificate.
- Otherwise you'll see warning or error messages even after you have add this certificate, explicitly, to your MS-CAPI Trusted Root certificates.
- Enter in the Alias of the keypair name you want to use
- Enter in the private keypair password
- *Note: this password MUST be the same as the JKS file keystore password or Java may fail silently when trying to use this certificate.
- You should see a message indicating success. | OK
- Then, save the File | Save.
- Then, right click in KeyStore Explorer and select "export" the "public key". You can then save this as either a .p7 or .cer / .crt extension. Once you have that file you can then import your .cer file into trusted certs via 'Internet Options, Content tab....etc
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.