How to share Self-signed TLS certificate between websites

I have two websites within the same domain, for example app1.test.local and app2.test.local. Below is the procedure I used to generate the self-signed certificate.

  • Create a private key.

      openssl genrsa -out tls.key 2048

  • Edit the openssl.cnf file and update the req_distinguished_name and alt_names contents.

      [req]
      distinguished_name = req_distinguished_name
      req_extensions = v3_req

      [req_distinguished_name]
      countryName = IN
      countryName_default = IN
      stateOrProvinceName = KA
      stateOrProvinceName_default = KA
      localityName = Test
      localityName_default = Test
      organizationalUnitName = test
      organizationalUnitName_default = test
      commonName = *.test.local
      commonName_max = 64
      [ v3_req ]
      # Extensions to add to a certificate request
      basicConstraints = CA:FALSE
      keyUsage = nonRepudiation, digitalSignature, keyEncipherment
      subjectAltName = @alt_names
      [alt_names]
      DNS.1 = *.test.local

  • Create the certificate signing request.

      openssl req -new -out tls.csr -key tls.key -config openssl.cnf

  • Sign the SSL certificate.

      openssl x509 -req -days 3650 -in tls.csr -signkey tls.key -out tls.crt -extensions v3_req -extfile openssl.cnf

From the browser's view certificate option I can see that both SAN and CN have *.test.local as the value. However, when I launch application app2 from app1, the browser again prompts me to trust the certificate [The certificate is not trusted because it is self-signed.].

Question: How do I prevent the browser from prompting to Accept the risk and Continue multiple times for the same certificate but from different websites, for self-signed certificates?



Solution 1:[1]

How to prevent browser from prompting to Accept the risk and Continue multiple times for the same certificate but from different websites for self-signed certificates.

Overriding the warning of a certificate will only affect the currently used domain and not every domain in the certificate. Otherwise somebody could create a certificate for some innocent site but which also includes an SAN of an important site like paypal.com - and later reuse the certificate to impersonate the important site.

To make a certificate trusted for all domains given in the certificate, one needs to explicitly import the certificate as trusted into the browser's trust store instead of simply ignoring certificate warnings.
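
The difference between matching a name and being trusted, as an added example that is not part of the original answer: it uses `openssl verify` as a stand-in for the browser's decision, first with no trust anchor and then with the certificate itself supplied as the anchor. Assumptions: the helper names, the temporary directory and the host `other.example` are constructed, and the certificate comes from a minimal non-interactive config that omits the question's keyUsage line.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names, temp paths and
# other.example are constructed; openssl verify stands in for the browser.

# make_cert DIR: write DIR/tls.key and DIR/tls.crt, self-signed, with CN and
# SAN *.test.local. Assumption: a minimal config without the question's
# keyUsage line and without interactive prompts.
make_cert() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = *.test.local
[v3_req]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.test.local
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/tls.key" -out "$1/tls.crt" \
        -config "$1/openssl.cnf" >/dev/null 2>&1
}

# accepted CERT HOST [ANCHOR]: succeed only if CERT chains to a trust anchor
# and HOST matches a name in it. Without ANCHOR only the default store is
# consulted, i.e. the state before the certificate has been imported.
accepted() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -verify_hostname "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -verify_hostname "$2" "$1" >/dev/null 2>&1
    fi
}

# demo: print the verdict per host, before and after importing the cert.
demo() {
    d=$(mktemp -d) && make_cert "$d" || return 1
    for h in app1.test.local app2.test.local other.example; do
        accepted "$d/tls.crt" "$h" && r=ok || r=rejected
        accepted "$d/tls.crt" "$h" "$d/tls.crt" && t=ok || t=rejected
        echo "$h  not imported: $r  imported: $t"
    done
    rm -rf "$d"
}

demo
```

Expected result: app1.test.local and app2.test.local are rejected before the import and accepted after it, while other.example is rejected in both cases because it is not a name in the certificate.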

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Steffen Ullrich