I have a self-generated CA, and a generated certificate. The certificate is valid:
» openssl verify -verbose -x509_strict -CAfile rootCA.pem mysite.bundle.crt mysite.bundle.crt: OK The root CA is installed in my system (Ubuntu 16.04), and curl is able to validate the cert:
curl No complains here.
I can verify the cert chain in the running site, and everything seems ok, including the SAN entries:
» openssl s_client -showcerts -servername mysite -connect mysite:443 </dev/null 2> /dev/null | openssl x509 -noout -text | grep DNS: DNS:mysite But Chrome still complains. What could be the reason?
EDIT
Adding screenshot
21 Answer
Contrary to curl or s_client neither Chrome nor Firefox use the systems CA store on Ubuntu. They have their own trust store and you need to import the CA certificate into their specific store in order to be treated as trusted. To access the trust store of Chrome use chrome://settings/certificates.
