I have followed the instructions here (slightly edited on names): https://learn.microsoft.com/en-us/azure/application-gateway/self-signed-certificates, with the following code:
- openssl ecparam -out inboundkey.key -name prime256v1 -genkey
- openssl req -new -sha256 -key inboundkey.key -out rootcsr.csr
- openssl x509 -req -sha256 -days 365 -in rootcsr.csr -signkey inboundkey.key -out rootCA.crt
- openssl ecparam -out key.key -name prime256v1 -genkey
- openssl req -new -sha256 -key key.key -out csr.csr
- openssl x509 -req -in csr.csr -CA rootCA.crt -CAkey inboundkey.key -CAcreateserial -out certificate.crt -days 365 -sha256
But when I run openssl s_client -connect localhost:443 -servername [DOMAIN] -showcerts -CAfile ./rootCA.crt, I get:
depth=1 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = mydomain.com
verify error:num=7:certificate signature failure
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = mydomain.com
verify return:1
What have I done wrong? FYI, I am only supplying an FQDN and email address for some of the info required, but nothing else.
In addition, I have run openssl verify -no-CAfile -no-CApath -trusted rootCA.crt certificate.crt, which says: certificate.crt: OK
Whilst this answer isn’t generated with AI, I did use OpenAI in finding a solution.
My solution to this error was:
- cat certificate.crt rootCA.crt > fullchain.crt
- Update the vhost to point to this fullchain.crt file
- Ran openssl s_client -connect localhost:443 -servername my.domain -showcerts -CAfile ./rootCA.crt and no verify errors were reported
However (and I know this wasn’t in the original question), I had hoped to use self-signed certs for Azure Front Door. Unfortunately, “Azure Front Door doesn’t support certificates with elliptic curve cryptography algorithms. Also, your certificate must have a complete certificate chain with leaf and intermediate certificates. The root CA also must be part of the Microsoft Trusted CA List.” [https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain?tabs=powershell].
Additionally, I was able to access the SSL certificate (albeit reported as untrusted by Chrome) over my local VNET, which showed the certificate was at least set up and used by Apache.
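The following script is an added example, not code from the question or the answer above: it runs the question's OpenSSL steps non-interactively (with explicit CA and SAN extensions), builds the answer's fullchain.crt, and adds checks that the chain file starts with the certificate for the vhost's key and that the second certificate is its issuer. The scratch directory, the subject names and the hostname mydomain.com are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive version of the
# question's OpenSSL steps plus the answer's fullchain.crt, with sanity checks.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # assumption: scratch directory for the files
DOMAIN="${DOMAIN:-mydomain.com}"  # hostname seen in the question's s_client output

make_chain() (
  cd "$WORK"
  # Root CA on an EC P-256 key; extensions mark it explicitly as a CA.
  openssl ecparam -name prime256v1 -genkey -noout -out inboundkey.key
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > root.ext
  openssl req -new -sha256 -key inboundkey.key -subj '/CN=Test Root CA' -out rootcsr.csr
  openssl x509 -req -sha256 -days 365 -in rootcsr.csr -signkey inboundkey.key \
    -extfile root.ext -out rootCA.crt 2>/dev/null
  # Leaf on its own key; clients match the hostname against the SAN, not the CN.
  openssl ecparam -name prime256v1 -genkey -noout -out key.key
  printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature' \
    'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$DOMAIN" > leaf.ext
  openssl req -new -sha256 -key key.key -subj "/CN=$DOMAIN" -out csr.csr
  openssl x509 -req -sha256 -days 365 -in csr.csr -CA rootCA.crt -CAkey inboundkey.key \
    -CAcreateserial -extfile leaf.ext -out certificate.crt 2>/dev/null
  # What the vhost should serve: leaf first, then its issuer, as in the answer.
  cat certificate.crt rootCA.crt > fullchain.crt
)

# The question's verify command, trusting only rootCA.crt, plus a hostname check
# against the SAN (an argument overrides DOMAIN so a mismatch can be exercised).
verify_leaf() {
  openssl verify -no-CAfile -no-CApath -trusted "$WORK/rootCA.crt" \
    -verify_hostname "${1:-$DOMAIN}" "$WORK/certificate.crt" >/dev/null
}

# The first certificate in fullchain.crt must belong to key.key, the key the
# vhost uses; mod_ssl rejects a mismatched pair at startup.
chain_matches_key() {
  [ "$(openssl x509 -in "$WORK/fullchain.crt" -noout -pubkey)" = \
    "$(openssl ec -in "$WORK/key.key" -pubout 2>/dev/null)" ]
}

# The second certificate in the chain must be the issuer of the first.
chain_order_ok() {
  leaf_issuer=$(openssl x509 -in "$WORK/certificate.crt" -noout -issuer)
  root_subject=$(openssl x509 -in "$WORK/rootCA.crt" -noout -subject)
  [ "${leaf_issuer#issuer=}" = "${root_subject#subject=}" ]
}
```

Point the vhost at "$WORK/fullchain.crt" and "$WORK/key.key", then run the question's s_client command against it; only rootCA.crt needs to be passed to -CAfile.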