How to add subjectAltName values to server.crt?


Re: How to add subjectAltName values to server.crt?

Postby joaopoa » 28. April 2017 19:22

Thank you Faospark,
When running makecert.bat, it returns:
Could not find C:\WINDOWS\system32\.rnd
C:\WINDOWS\system32\privkey.pem could not be found
Could not find C:\WINDOWS\system32\server.csr
joaopoa
 
Posts: 2
Joined: 28. April 2017 19:13
XAMPP version: 3.2.2
Operating System: win 10

Re: How to add subjectAltName values to server.crt?

Postby joaopoa » 28. April 2017 19:27

TomXampp,
I solved Firefox by simply importing server.crt, in advanced -> authorities -> import.
But I still fight with Chrome ...
joaopoa
 
Posts: 2
Joined: 28. April 2017 19:13
XAMPP version: 3.2.2
Operating System: win 10

Re: How to add subjectAltName values to server.crt?

Postby TomXampp » 28. April 2017 21:48

When I try to import the certificate into the Authorities group in Firefox, I receive the following error message:

Code:
This is not a certificate authority certificate, so it can’t be imported into the certificate authority list.


This certificate is generated following Faospark's method, and it is recognized by Chrome, Opera, and IE.
TomXampp
 
Posts: 57
Joined: 12. March 2015 03:58
Operating System: Windows 8.1

Re: How to add subjectAltName values to server.crt?

Postby faospark » 28. April 2017 23:25

In Firefox, in my case, just open the site in the browser and receive the warning, click the Advanced tab, then click add the exception. A dialog box would open. Click the security exemption button. Then you get your green lock icon back.
This is for Firefox version 53.
faospark
 
Posts: 13
Joined: 07. March 2017 11:40
XAMPP version: 7.1.1
Operating System: windows 10

Re: How to add subjectAltName values to server.crt?

Postby faospark » 28. April 2017 23:31

joaopoa wrote: Thank you Faospark,
When running makecert.bat returns:
Could not find C:\WINDOWS\system32\.rnd
C:\WINDOWS\system32\privkey.pem could not be found
Could not find C:\WINDOWS\system32\server.csr


Double-check your makecert.bat file. Make sure to use the local one that is found in your xampp->apache installation. It's more likely a case of it specifying the .rnd file and server.csr file in a different location.
Here is the full code of my makecert.bat:

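Code:
@echo off
REM Use the OpenSSL configuration that ships with this Apache installation
set OPENSSL_CONF=./conf/openssl.cnf

if not exist .\conf\ssl.crt mkdir .\conf\ssl.crt
if not exist .\conf\ssl.key mkdir .\conf\ssl.key

REM Create the CSR; this writes privkey.pem and server.csr to the current directory
bin\openssl req -new -out server.csr
REM Write the private key without its passphrase
bin\openssl rsa -in privkey.pem -out server.key
REM Self-sign the CSR; -extfile v3.ext supplies the v3 extensions for the certificate
bin\openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365 -extfile v3.ext

REM Clean up the temporary files
set OPENSSL_CONF=
del .rnd
del privkey.pem
del server.csr

move /y server.crt .\conf\ssl.crt
move /y server.key .\conf\ssl.key

echo.
echo -----
echo Das Zertifikat wurde erstellt.
echo The certificate was provided.
echo.
pause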
faospark
 
Posts: 13
Joined: 07. March 2017 11:40
XAMPP version: 7.1.1
Operating System: windows 10

Re: How to add subjectAltName values to server.crt?

Postby mikado » 28. September 2017 14:10

Thank you @faospark!!
Was getting ERR_SSL_SERVER_CERT_BAD_FORMAT error on localhost after Chrome 61 update, getting a v3 certificate is indeed the fix as seen here: https://bugs.chromium.org/p/chromium/issues/detail?id=715969#c23

Your instructions fix it! Kudos!
mikado
 
Posts: 1
Joined: 28. September 2017 14:03
XAMPP version: 3.2.2
Operating System: windows 10

Re: How to add subjectAltName values to server.crt?

Postby WebDevBooster » 14. November 2017 04:26

After following @faospark's instructions from this post:
https://community.apachefriends.org/viewtopic.php?p=256428&sid=57f424751a8e46e0cb39a7ef1f4d52cf#p256489
Here's what I did to install the generated certificate:
double click the server.crt file in C:\xampp\apache\conf\ssl.crt

Then click "install certificate", follow the steps,
select "Place all certificates in the following store"
and select "Trusted Root Certification Authorities".
Restart Apache and you're done.

The certificate works in Chrome, Opera and Edge.
So, no need to import it into those browsers individually.
WebDevBooster
 
Posts: 3
Joined: 14. November 2017 03:59
XAMPP version: 3.2.2
Operating System: Windows 10

Re: How to add subjectAltName values to server.crt?

Postby ntapache » 01. January 2019 14:29

Nobbie wrote:
TomXampp wrote: And, if you truly want to help, you could simply set up your localhost for https and then find the solution using openssl, which is the provided method for making ssl certificates with XAMPP. That would be a truly helpful response.


I am not interested in that issue and neither want to help on it, as I cannot find any use. I am simply a user of Xampp and I simply don't need https on localhost. Why should I waste my time to solve your private problem, which isn't a Xampp problem anyway? It's also a well known problem, that Google and Chrome have their own understanding of security, if you don't like it, simply use another browser, at least a very helpful hint in my mind. I am not interested to go any deeper in this problem.


It's arrogant people like you that have nothing better to add than negativity. If that is your game, good luck with that.

Xampp has an openSSL tool bundled, fully supports SSL and yet you claim "I am simply a user of Xampp and I simply don't need https on localhost". Get over yourself, there are genuine use cases as the OP has suggested.

As another "user" of xampp for localhost like yourself, I also enable SSL in my xampp local environment to develop using https to assist with secure URL paths, compatibility of plugins and easy migration.

I came across exactly the same situation and fortunately another forum user was able to provide the solution.

Keep your unhelpful commentary to yourself in future. Sheesh...
ntapache
 
Posts: 1
Joined: 01. January 2019 14:09
XAMPP version: 3.2
Operating System: Windows

Re: How to add subjectAltName values to server.crt?

Postby Nobbie » 01. January 2019 21:19

ntapache wrote:
It's arrogant people like you that have nothing better to add than negativity. If that is your game, good luck with that.


Did you read all my 10.000(!) helpful postings, before you posted your poor, stupid and arrogant very first posting? Not a nice start for you. Can you get better the next 10.000?

This forum doesn't need knowledgeless idiots who are the only statement to criticize experienced and extremely helpful members. What help can you offer besides stupid talking?
Nobbie
 
Posts: 10987
Joined: 09. March 2008 13:04

Re: How to add subjectAltName values to server.crt?

Postby TomXampp » 04. January 2019 01:21

I know this is an old question, but until recently I had only solved the Same Alternate Name problem for XAMPP SSL certificates for Chrome, IE, and Opera, with Firefox still not responding. I could only make Firefox accept the SSL certificate by adding a permanent exception for it, so it wasn't a true solution to the problem.

Since my last activity on this post, others outside this forum have encountered the same problem and have written their solutions to it. I recently came across this article: https://creativelogic.biz/https-ssl-local-dev-windows/ It provided all I needed to know to be able to solve the problem completely on my system, satisfying Firefox without having to create a permanent exception for the certificate.

The solution is to create your own CA that can sign the SSLs, and to import the PEMs into both the Windows Certificate Manager and Firefox's internal Certificate Manager. That way, the certificate presented by the localhost will be accepted, as the PEM confers authenticity.

However, the author of that article mistakenly assumes that you must use bash to perform the various operations, and doesn't show how to automate it fully. Below is my solution to automating it with the use of 4 batch files. The first batch file sets environment variables; it is called by the central batch files. The second merely unsets the environment variables set in the first. These are called at the beginning and ending of the central batch files, A.BAT and B.BAT.

Those two batch files are to be run in sequence. There is a necessary break between the two so that the PEM created by the first batch file may be imported into Windows and Firefox; the routines in B.BAT require that PEM to be registered with Windows. Text printed to the screen at the end of A.BAT provides instruction on how to perform the import on Windows 8.1/10. Text printed at the end of B.BAT provides instruction on what must be changed/edited in the XAMPP set-up to use the new SSL files.

NB: I'm using OpenSSL version 1.0.2e (win32) on Windows 8.1 and Windows 10; later versions of OpenSSL may have changed the names of some of the command-line options, so it would be prudent to check them if you're using a different version of OpenSSL. I'm also using Chrome 71, Firefox 64, IE11, and Opera 56; the solution here works for those browsers on Win8.1/10.

NB: I'm creating certificates that reference localhost and 127.0.0.1 as the SAN entries. You may wish to remove (and save) your existing localhost certificates from the Windows and Firefox Certificate Manager before proceeding; backing up all files for your current configuration is, of course, a wise thing to do, in any case.

Batch file: setEnvironmentVariables.bat:

Code:
@echo off
REM This is setEnvironmentVariables.bat
REM
REM This file sets environment variables needed in the A.BAT and B.BAT routines
REM It also writes configurations to a configuration file,
REM by default named config.cnf below (change if desired)
REM
REM A.BAT and B.BAT both call this batch file.
REM
REM Default names are provided for the first 5 variables;
REM you *must* provide something to replace the {{XYZ}} variables that follow.
REM
REM Also, in the A.BAT and B.BAT files, replace "foobar" with an original passphrase

set CAFILE=myCA
set CN=localhost
set CONFIG=config.cnf
set HOSTFILE=myLocalhost
REM Notice that %EXTFILE% requires that %HOSTFILE% be defined before it is defined!
set EXTFILE=%HOSTFILE%.ext
set COUNTRY={{MyCountry}}
set STATE={{MyState}}
set LOCALITY={{MyCity}}
set ORGANIZATION={{MyOrganization}}
set ORGANIZATIONALUNIT={{MyDepartment}}
set EMAIL={{MyEmail}}

REM Write configurations to the config file:

echo [req]> %CONFIG%
echo distinguished_name = req_distinguished_name>> %CONFIG%
echo x509_extensions = v3_req>> %CONFIG%
echo prompt = no>> %CONFIG%
echo [req_distinguished_name]>> %CONFIG%
echo C = %COUNTRY%>> %CONFIG%
echo ST = %STATE%>> %CONFIG%
echo L = %LOCALITY%>> %CONFIG%
echo O = %ORGANIZATION%>> %CONFIG%
echo OU = %ORGANIZATIONALUNIT%>> %CONFIG%
echo CN = %CN%>> %CONFIG%
echo emailAddress = %EMAIL%>> %CONFIG%
echo [v3_req]>> %CONFIG%
echo basicConstraints=CA:TRUE,pathlen:0>> %CONFIG%
echo subjectKeyIdentifier = hash>> %CONFIG%
echo authorityKeyIdentifier = keyid,issuer>> %CONFIG%
echo subjectAltName = @alt_names>> %CONFIG%
echo [alt_names]>> %CONFIG%
echo DNS.1 = %CN%>> %CONFIG%
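REM 127.0.0.1 is an IP address, so it is written as an IP entry; a DNS entry does not match an IP literal
echo IP.1 = 127.0.0.1>> %CONFIG%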


unsetEnvironmentVariables.bat:

Code:
@echo off
REM This is unsetEnvironmentVariables.bat
set CAFILE=
set CN=
set CONFIG=
set HOSTFILE=
set EXTFILE=
set COUNTRY=
set STATE=
set LOCALITY=
set ORGANIZATION=
set ORGANIZATIONALUNIT=
set EMAIL=


a.bat:

Code:
@echo off
rem This is A.BAT
cls
echo.
echo setEnvironmentVariables.bat is assumed to have been edited!

call setEnvironmentVariables

echo.
echo Creating CA KEY file...
echo.
openssl genrsa -des3 -passout pass:foobar -out %CAFILE%.key 2048
echo.
echo Creating CA PEM file...
echo.
openssl req -passin pass:foobar -x509 -new -nodes -key %CAFILE%.key -sha256 -days 3650 -config %CONFIG% -out %CAFILE%.pem
echo.
echo Next, register the %CAFILE%.PEM file with Windows and Firefox, then run b.bat.
echo Press any key to continue to instructions.
echo.
pause
cls
echo.
echo In Windows:
echo.
echo * Run Winkey-^>MMC
echo * File -^>  Add/Remove Snap-in... (Ctrl^+M)
echo * Under "Available snap-ins", click "Certificates"
echo * Click [Add] button; a modal dialog window will appear
echo * Select "Computer Account" radio button and click [Next] button
echo * Local Computer should be selected in next window; click [Finish] button
echo * Click [OK] back on "Add or Remove Snap-ins" modal window
echo * Expand "Certificates" under "Console Root" in left pane
echo * Expand "Trusted Root Certificates"
echo * Right-click "Certificates" in folder below
echo * Select "All Tasks" -^> Import...
echo * Click [Next] and then browse to select the PEM file created by this batch file routine
echo * In following prompts, place PEM certificate in Trusted Root Certification Authorities Store
echo.
echo Press any key to continue to instructions for adding the PEM to Firefox.
pause
echo.
cls
echo In Firefox:
echo.
echo * Go to "about:preferences" in URL
echo * Search for "certificates"
echo * Click on [View Certificates]
echo * Click on "Authorities" tab
echo * Click on "Imports"
echo * Import the PEM file, checking all boxes to trust the certificate
echo * Click [OK] and you're done
echo.
echo When finished with this, run b.bat and follow its instructions at the end.
echo.

call unsetEnvironmentVariables


b.bat:

Code:
@echo off
rem This is B.BAT
cls
echo.
echo setEnvironmentVariables.bat is assumed to have been edited!

call setEnvironmentVariables

echo.
echo Creating localhost KEY file
openssl genrsa -out %HOSTFILE%.key 2048
echo.

echo.
echo Creating localhost CSR file
openssl req -new -key %HOSTFILE%.key -out %HOSTFILE%.csr -config %CONFIG%
echo.

echo.
echo Writing EXTFILE for last routine...
echo.
echo authorityKeyIdentifier=keyid,issuer > %EXTFILE%
echo basicConstraints=CA:FALSE >> %EXTFILE%
echo keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment >> %EXTFILE%
echo subjectAltName = @alt_names >> %EXTFILE%
echo.>> %EXTFILE%
echo [alt_names] >> %EXTFILE%
echo DNS.1 = %CN% >> %EXTFILE%
REM 127.0.0.1 is an IP address, so it is written as an IP entry rather than a DNS entry
echo IP.1 = 127.0.0.1 >> %EXTFILE%

echo.
echo Writing localhost CRT file
echo.
openssl x509 -req -passin pass:foobar -in %HOSTFILE%.csr -CA %CAFILE%.pem -CAkey %CAFILE%.key -CAcreateserial -out %HOSTFILE%.crt -days 3650 -sha256 -extfile %EXTFILE%
echo.

echo.
echo Next, edit Windows HOST and HTTPD-VHOSTS.CONF and copy files to Xampp/Apache.
echo Press any key to continue to instructions.
echo.
pause
cls
echo.
echo * Edit C:\Windows\System32\drivers\etc\hosts to include the localhost name specified in the PEM
echo * Edit C:\xampp\apache\conf\extra\httpd-vhosts.conf to include the localhost name specified in the PEM
echo * Copy the .KEY file created by this routine to C:\xampp\apache\conf\ssl.key
echo * Copy the .CRT file created by this routine to C:\xampp\apache\conf\ssl.crt
echo * Restart Xampp/Apache and you're done.

call unsetEnvironmentVariables


I hope this is helpful to someone. It has ended a 2-year-long headache for me.
TomXampp
 
Posts: 57
Joined: 12. March 2015 03:58
Operating System: Windows 8.1

Re: How to add subjectAltName values to server.crt?

Postby Altrea » 04. January 2019 02:02

Thank you for the update and sharing your solution with us.
It is most appreciated :)
Altrea
AF Moderator
 
Posts: 9683
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64

Re: How to add subjectAltName values to server.crt?

Postby kamm » 23. January 2019 08:26

@TomXampp

Thanks for providing these bat files. I'd also like to resolve the Firefox permanent exception problem too.

I'm using OpenSSL version 1.0.2j with Windows 8.1

Any idea why a.bat is failing?

Code:
setEnvironmentVariables.bat is assumed to have been edited!
'setEnvironmentVariables' is not recognized as an internal or external command,
operable program or batch file.

Creating CA KEY file...

Generating RSA private key, 2048 bit long modulus
................................+++
...................+++
e is 65537 (0x10001)

Creating CA PEM file...

unknown option .pem
req [options] <infile >outfile
where options  are
 -inform arg    input format - DER or PEM
 -outform arg   output format - DER or PEM
 -in arg        input file
 -out arg       output file
 -text          text form of request
 -pubkey        output public key
 -noout         do not output REQ
 -verify        verify signature on REQ
 -modulus       RSA modulus
 -nodes         don't encrypt the output key
 -engine e      use engine e, possibly a hardware device
 -subject       output the request's subject
 -passin        private key password source
 -key file      use the private key contained in file
 -keyform arg   key file format
 -keyout arg    file to send the key to
 -rand file;file;...
                load the file (or the files in the directory) into
                the random number generator
 -newkey rsa:bits generate a new RSA key of 'bits' in size
 -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
 -newkey ec:file generate a new EC key, parameters taken from CA in 'file'
 -[digest]      Digest to sign with (md5, sha1, md2, mdc2, md4)
 -config file   request template file.
 -subj arg      set or modify request subject
 -multivalue-rdn enable support for multivalued RDNs
 -new           new request.
 -batch         do not ask anything during request generation
 -x509          output a x509 structure instead of a cert. req.
 -days          number of days a certificate generated by -x509 is valid for.
 -set_serial    serial number to use for a certificate generated by -x509.
 -newhdr        output "NEW" in the header lines
 -asn1-kludge   Output the 'request' in a format that is wrong but some CA's
                have been reported as requiring
 -extensions .. specify certificate extension section (override value in config file)
 -reqexts ..    specify request extension section (override value in config file)
 -utf8          input characters are UTF8 (default ASCII)
 -nameopt arg    - various certificate name options
 -reqopt arg    - various request text options


Next, register the .PEM file with Windows and Firefox, then run b.bat.
Press any key to continue to instructions.

Press any key to continue . . .
kamm
 
Posts: 4
Joined: 20. November 2005 18:12

Re: How to add subjectAltName values to server.crt?

Postby TomXampp » 23. January 2019 08:56

@kamm It looks like you didn't copy the setEnvironmentVariables.bat file into the same directory along with the a.bat and b.bat files. See the second message in the text you reproduced: it says "setEnvironmentVariables is not recognized..." That would only display if a.bat or b.bat couldn't call (find) that batch file. So, put it in the same directory as a.bat and b.bat and run a & b again.
TomXampp
 
Posts: 57
Joined: 12. March 2015 03:58
Operating System: Windows 8.1

Re: How to add subjectAltName values to server.crt?

Postby TomXampp » 23. January 2019 08:59

Also, make sure to edit setEnvironmentVariables.bat appropriately, as indicated in the REM statements at its beginning.
TomXampp
 
Posts: 57
Joined: 12. March 2015 03:58
Operating System: Windows 8.1

Re: How to add subjectAltName values to server.crt?

Postby kamm » 27. January 2019 19:17

@TomXampp - Thanks for responding. I had a typo in my setEnvironmentVariables.bat filename; after fixing it, the batch files all ran OK.

My dev set-up is that I create domains for each project with subdomains for assets and other languages, so I have projects like this:

Code:
example.test
static.example.test
es.example.test
fr.example.test

example2.test
static.example2.test
es.example2.test
fr.example2.test


Up until now I've been using these scripts which I've adapted for the extra subdomains:
https://shellcreeper.com/how-to-create-valid-ssl-in-localhost-for-xampp/

My adapted cert.conf
https://gist.github.com/dezertdezine/28dcb9e45428916757e5937ccc8c236a

make_cert.bat
https://gist.github.com/dezertdezine/968b3e2be1fedd6c190ae83ab1b70851

Then in httpd-vhosts.conf I have VirtualHosts like this (one per project):
Code:
<VirtualHost example.test:443>
    DocumentRoot "E:/home/example/public_html"
    ServerName example.test
    ServerAlias *.example.test example.test
    SSLEngine on
    SSLCertificateFile "crt/example.test/example_server.crt"
    SSLCertificateKeyFile "crt/example.test/example_server.key"
    <Directory "E:/home/example/public_html">
        AllowOverride All
        Options All
        Require all granted
    </Directory>
</VirtualHost>


If you have time, can you explain how I can adapt your scripts for this type of set-up?
kamm
 
Posts: 4
Joined: 20. November 2005 18:12
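
One way to produce the extension file that b.bat passes to -extfile for a project with several hostnames, such as the example.test set-up in the post above. This is an added example, not code from any participant in the thread; the function names, the host list and the conservative wildcard rule are assumptions. It also checks which hostnames the resulting entries cover: an IP literal only matches an IP entry, and a wildcard stands for exactly one leftmost label.

```python
import ipaddress

# Extension lines as b.bat in the thread echoes them into %EXTFILE%.
HEADER = """authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
"""

def classify(name):
    """Return ("IP", addr) for an address literal, else ("DNS", hostname)."""
    try:
        return "IP", str(ipaddress.ip_address(name))
    except ValueError:
        pass
    labels = name.lower().rstrip(".").split(".")
    # Assumed rule: "*" only as the whole leftmost label, never as "*.tld".
    bad_wildcard = "*" in name and (labels[0] != "*" or len(labels) < 3
                                    or any("*" in part for part in labels[1:]))
    if not all(labels) or bad_wildcard:
        raise ValueError(f"unsupported name: {name!r}")
    return "DNS", ".".join(labels)

def build_extfile(names):
    """Render the extension file, numbering DNS and IP entries separately."""
    seen, count, alt = set(), {"DNS": 0, "IP": 0}, []
    for name in names:
        kind, value = classify(name)
        if (kind, value) in seen:   # exact duplicate, e.g. EXAMPLE.test
            continue
        seen.add((kind, value))
        count[kind] += 1
        alt.append(f"{kind}.{count[kind]} = {value}")
    if not alt:
        raise ValueError("at least one name is required")
    return HEADER + "\n".join(alt) + "\n"

def parse_alt_names(text):
    """Read [alt_names] back as (kind, value); kind is taken from the key."""
    entries, in_section = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_section = line == "[alt_names]"
        elif in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            entries.append((key.split(".")[0], value.lower()))
    return entries

def covers(entries, host):
    """True if host matches an entry; a wildcard stands for one label only."""
    kind, value = classify(host)
    wildcard = "*." + value.partition(".")[2] if kind == "DNS" else None
    for entry_kind, entry in entries:
        if entry_kind != kind:
            continue                # a DNS entry never matches an IP literal
        if entry in (value, wildcard):
            return True
    return False

if __name__ == "__main__":
    # Constructed host list modelled on the example.test project above.
    print(build_extfile(["example.test", "*.example.test", "127.0.0.1"]))
```

Write the returned text to the file named by %EXTFILE%, one file and one certificate per project, in place of the echo lines that b.bat uses to create it.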
