Invalid certificate

ArthurMesa

Cadet
Joined
Aug 14, 2019
Messages
4
Hey everyone,

I'm trying to set up TLS for my FTP and used the guide in this link

https://www.youtube.com/watch?v=OT1Le5VQIc0

to set up a CA and certificate, but it keeps saying my certificate is invalid in Chrome.

I'm using FreeNAS-11.2-U5

I've been trying to search what the issue might be but haven't figured it out yet, so any ideas would be helpful.

Thanks
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hey Arthur,

Did you import your home-made root CA in Chrome?

If you did, are you sure you created a Server certificate and not a User certificate?

Also, know that Chrome requires you to add the server's name as a SAN and not only in the CN.

I am pretty sure your problem is somewhere between these 3 points...

Good luck troubleshooting,
 

ArthurMesa

Cadet
Joined
Aug 14, 2019
Messages
4
Thanks for the response.

It's definitely a Chrome issue because I just tried the same method in Firefox and it works fine.

How do I know if it's a server certificate or a user certificate? (The one I made is called "internal certificate".)

And where do I go to add the SAN within Chrome?

Thanks again for the response. I'll continue to try things.
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hey again Arthur,

If it is working with Firefox and not Chrome, then you can be sure of the problem: your certificate does not have the proper SAN and that is why it is flagged as invalid by Chrome.

It is too late to add the SAN to this certificate. You will need to create a brand new one. Depending on which tool you are using to create the certificate, the SAN (Subject Alternative Name) will be included in different ways. It can be asked for in a CSR (Certificate Signing Request) and / or added by the CA at the moment it signs the certificate.

Do your search about that / try to re-do your certificate looking for the place to put extra or alternate names, and be sure to re-use the same name you used for CN as a first SAN. You can add more if you wish, but to have the first SAN matching the CN is what is lacking in your actual certificate.

Good luck fixing that,
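
The SAN check described in the post above, as an added example that is not part of the original thread: it tests whether a host name appears as a DNS entry in a certificate's Subject Alternative Name extension, ignoring the CN. It assumes the OpenSSL 1.1.1 or later command line; the host name `nas.example.lan`, the IP address and the self-signed test certificates (standing in for ones signed by your own CA) are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed certificates, hypothetical host name nas.example.lan.

# san_has_dns CERT HOST
# Exit 0 only if HOST is listed as a DNS entry in the certificate's
# Subject Alternative Name extension. The CN is deliberately ignored,
# so a CN-only certificate fails this check.
# Exact match only; wildcard entries are not expanded.
san_has_dns() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -Fxq "DNS:$2"
}

# make_cert OUT_PREFIX CN [SAN]
# Create a short-lived self-signed test certificate (constructed sample).
# With a third argument the SAN extension is added at creation time;
# it cannot be added to a certificate after it has been signed.
make_cert() {
    if [ -n "$3" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" \
            -addext "subjectAltName=$3" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" 2>/dev/null
    fi
}

# Command-line use: ./check_san.sh cert.pem nas.example.lan
if [ "$#" -eq 2 ]; then
    if san_has_dns "$1" "$2"; then
        echo "OK: $2 is present as a SAN DNS entry"
    else
        echo "FAIL: $2 is not in the SAN (a CN match alone is not enough)"
    fi
fi
```

Run it against the certificate exported from the server to see whether it needs to be reissued with a SAN.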
 

Fredda

Guru
Joined
Jul 9, 2019
Messages
608
> It's definitely a Chrome issue because I just tried the same method in Firefox and it works fine.

Firefox and Chrome use different certificate stores. While Firefox has its own store, Chrome uses the Windows certificate store.
Not 100% sure if I recall correctly as it has been a while, but import the CA certificate via the Windows certificate store into the trusted root certificates section. Do not do it by opening the certificate via Chrome or Internet Explorer.
When I tried it that way, the certificate always ended up in the wrong store.
(assuming you are using Windows on your computer)
 