Internet Explorer 10 not accepting self signed Root CA

Question

On a linux box, I have generated my Root CA and client certs using the following commands:

openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 20000 -out rootCA.pem
openssl genrsa -out myserver.key 2048
openssl req -new -key myserver.key -out myserver.csr
openssl x509 -req -in myserver.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out myserver.crt -days 365 -sha256

I have installed the rootCA.pem file on a Windows 7 box successfully via the MMC console; no errors reported; the root cert is listed under the Trusted Root Certification Authorities area.

When I go to visit the site, Internet Explorer 10 does not give me an option to "Continue to this website", but I have an RSA key of 2048 bits.

To clarify the question, in case it is not clear by the title of the post: "how can I get IE10 to accept a self signed root CA (generated using the method described) that has 2048 bit RSA?"

Firefox on the Win7 box, and Chrome on a linux box, produce no issues, since I have added the rootCA.pem file to their list of trusted authorities.

However, Chrome and IE on the Win7 box both produce issues because they use the Windows cert authority lists.

The rootCA is good because both Chrome on linux and Firefox on windows have no issues with it. And it is not related to the well-documented issue of having an RSA strength of less than 1024 bits.

I have also added the server to the list of 'trusted' sites in IE10, and still get the issue.

Multiple restarts involved, of course, per Windows SOP.

Actual contents of the rootCA:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 14306283983041559779 (0xc68a217c110d7ce3)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=server1.widgets.com
        Validity
            Not Before: Mar 11 22:41:43 2016 GMT
            Not After : Dec 13 22:41:43 2070 GMT
        Subject: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=server1.widgets.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ef:2a:75:c1:e1:a4:07:c3:27:46:94:49:2f:2a:
                    27:0c:6d:33:d7:4c:84:ee:59:d0:83:18:10:c8:f9:
                    7e:8f:4e:19:ef:c3:6f:04:a7:a3:b2:9f:6f:03:de:
                    fb:9a:f6:17:4e:87:8c:29:93:9b:a3:52:63:19:29:
                    93:1e:cc:a0:22:fe:4e:7c:00:83:8f:82:c3:83:f1:
                    65:9d:2b:5e:b4:9e:4f:cc:29:62:a6:5f:5e:11:51:
                    99:2b:55:55:6b:17:13:6c:30:14:44:6f:a7:42:d0:
                    16:2b:02:76:5c:ae:76:4a:2b:60:b2:ea:1f:64:61:
                    09:8a:c6:9f:23:ef:85:82:c6:fb:f6:7d:ce:b4:c2:
                    a3:89:f8:98:79:f8:6a:df:6a:c5:44:75:41:f2:11:
                    7c:94:32:82:00:fd:ae:d4:ef:51:0f:7f:bc:2a:25:
                    d6:b3:53:fd:3f:13:21:7c:e0:d6:b7:87:5f:09:19:
                    79:7c:2f:cc:b1:c1:a2:49:bb:17:62:8f:e3:cd:db:
                    99:6a:2b:fc:d3:f8:9a:58:2d:0c:d0:bd:21:a1:2e:
                    64:f7:c0:84:7d:48:53:94:62:79:c4:bf:51:ba:04:
                    9e:1a:15:3e:a8:ec:3d:c2:c9:05:ed:67:dc:c0:ef:
                    6d:e0:fa:a7:0e:56:51:f7:7b:dd:1c:a4:88:f0:f4:
                    50:17
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E9:F3:EC:16:D9:48:85:EC:29:E8:DB:8A:CD:1E:76:F2:37:9F:AA:F1
            X509v3 Authority Key Identifier:
                keyid:E9:F3:EC:16:D9:48:85:EC:29:E8:DB:8A:CD:1E:76:F2:37:9F:AA:F1

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         78:68:8d:e6:13:35:ba:60:05:7c:e5:c6:0e:2b:83:5c:3c:5d:
         ec:12:c2:6e:b5:a9:40:56:51:79:b2:50:75:5b:c5:88:05:71:
         27:3b:49:b0:de:16:9c:71:d2:9d:a2:84:6a:e3:91:4f:65:99:
         d3:e9:67:87:de:32:c9:d0:71:b1:8b:33:49:52:bd:be:63:bb:
         cf:7c:09:df:1e:a2:c4:62:c5:a3:74:b4:1e:13:b7:8a:7b:db:
         b7:76:36:d8:14:2c:07:b7:00:ba:9b:65:d3:22:9e:19:41:ee:
         b9:df:f5:bf:bf:76:8a:0f:68:b3:8a:09:69:ed:24:65:cc:95:
         1d:4f:05:91:20:9e:9c:7d:66:4f:57:2b:c4:c7:47:97:64:de:
         9c:10:93:30:8b:61:ea:49:5b:a7:98:fd:b7:cc:c8:8f:25:1c:
         9b:0a:49:b3:69:dc:20:dc:92:9a:01:a9:ed:9b:df:c6:65:c4:
         87:cb:07:f7:b1:53:f0:27:00:e5:d8:17:b7:0c:17:eb:6b:86:
         20:0a:97:dd:69:55:5e:02:cc:29:96:eb:64:3e:53:8c:4c:13:
         fb:10:01:e1:19:47:70:b8:54:34:b9:f1:fd:74:14:6f:e9:88:
         fb:18:13:99:31:21:f0:94:e0:b3:a1:92:ed:46:57:85:e6:33:
         b1:1d:5b:9f

Actual contents of the server certificate:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 11316521565276697315 (0x9d0c5c67f75d72e3)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=server1.widgets.com  
        Validity
            Not Before: Mar 11 22:43:35 2016 GMT
            Not After : Mar 11 22:43:35 2017 GMT
        Subject: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=server1.widgets.com 
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c8:4d:ab:c9:62:b2:a8:ab:56:30:b7:26:da:d4:
                    1a:e5:9e:eb:77:81:3e:04:62:cd:a9:d7:65:1a:f4:
                    0b:8c:b0:c4:e4:c6:e4:4c:0e:43:3f:3f:a7:67:2d:
                    a2:4b:96:54:16:b0:cc:a2:91:f0:df:f9:6c:7f:1d:
                    49:bf:8d:0b:0a:ce:1c:0b:30:8a:2a:c6:85:07:b8:
                    4e:3d:a1:52:ab:cd:7e:fa:86:b2:21:e0:f3:90:f1:
                    78:a1:96:6e:53:17:82:bb:fd:10:48:cc:87:7f:4c:
                    22:d1:79:4f:77:fe:c7:48:9b:80:b3:c9:c6:46:87:
                    1d:01:6e:ae:47:14:fd:84:ac:bd:06:44:68:17:16:
                    b5:05:76:d4:e1:76:49:65:87:bd:05:61:05:3f:5b:
                    2c:7a:e5:43:a8:89:58:95:35:ec:68:6f:66:b8:29:
                    34:ff:77:cf:2b:26:99:0e:44:d3:94:24:bd:a2:fd:
                    ed:c3:df:f4:23:31:bf:48:0c:49:1a:95:07:11:29:
                    de:1f:c3:93:e2:99:60:a5:1e:e1:3e:a1:a2:f6:41:
                    17:f8:c5:e0:3f:98:87:b2:bb:07:9b:aa:73:b0:94:
                    c3:ab:27:bb:76:5c:57:f4:3e:36:02:80:92:af:ed:
                    e0:8e:f2:61:f6:22:ba:99:d4:35:a7:40:ac:4f:e0:
                    93:2b
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         c1:99:9b:b5:b2:d6:d9:c5:0d:1f:6d:db:73:34:f5:61:ea:b6:
         27:c5:d9:72:56:87:1a:60:8c:af:a4:b4:46:5c:b1:4d:cb:d6:
         21:a5:32:17:48:ea:ee:d6:cb:1e:78:cd:03:aa:16:57:09:cc:
         d2:d9:fa:b1:c1:7c:71:e2:cf:dd:32:e6:f0:cb:ca:1a:72:b0:
         79:9a:de:45:f9:f2:36:4c:d1:f4:78:e7:0c:b8:02:ac:71:07:
         d5:2a:22:90:62:ba:13:bc:2f:70:b2:b8:94:ce:e5:e3:46:b3:
         81:ac:05:25:05:76:d7:f5:74:f7:e8:11:05:ed:f0:22:1f:a5:
         a0:e7:81:2a:88:eb:5b:d3:1e:a5:bc:5b:2b:0e:b9:b1:c7:10:
         0a:d6:ec:23:a0:d5:4f:54:f8:08:e5:5a:9d:2c:3d:e6:bd:17:
         fa:7d:46:b2:33:96:5c:d7:84:47:a3:04:cf:be:e2:16:1f:f3:
         d9:df:1a:22:4a:80:ec:8b:30:72:62:2d:00:04:db:21:85:a8:
         57:7d:ff:f8:95:c9:6e:4a:d3:d8:32:f0:62:55:a1:b2:8e:88:
         dd:13:1c:ef:18:17:da:46:8b:3e:f7:cb:91:1a:84:2f:02:8a:
         8f:af:21:86:c3:f8:5c:67:ed:8d:c4:55:7c:7f:6b:98:ae:7b:
         f3:41:a7:e3

Answer 1

Your server certificate is malformed:

Version: 1 (0x0)
Serial Number: 11316521565276697315 (0x9d0c5c67f75d72e3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=server1.widgets.com
Subject: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=server1.widgets.com 

First, Version 1 is unusual, and it should be Version 3. You need Version 3 for Basic Constraints and CA=false.

Second, its not certified by your internal CA. Based on the Distinguished Names, it appears to be self signed.

Third, it its missing the server names in the Subject Alternate Name (SAN). The browsers follow the CA/Browser Baseline Requirements, and all server names are placed in the SAN.

You never place a server name in the Common Name (CN). The CN is displayed to the user, so it should be a friendly name "Widgets Web Service" (and the CA's CN would be "Widgets, Inc.").

Also see the following on Stack Overflow:

• How do you sign Certificate Signing Request with your Certification Authority?
• How to create a self-signed certificate with openssl?

Both answers examine the issuing rules and policies for the IETF and CA/B in detail. Both also explain how to create a certificates that are likely to be accepted by the largest number of user agents.

---

Regarding this statement:

You never place a server name in the Common Name (CN).

The web is polluted with bad advice when it comes to the CN and SAN. Don't follow it.

Always follow:

• CN - friendly names ("Widgets Web Services")
• SAN - server names (widgets.example.com, ftp.example.com, mail.example.com, etc)

If you follow those two rules, most of the problems with browsers and certificates go away. The problems will usually reduce to trust (as opposed to unexplained name matching failures).

Answer 2

I got this to work by creating a rootCA with a different name than the server identified in the server cert. Instead of using server1.widgets.com as the CN in the rootCA, I used Widgets Dev as the CN. I installed that rootCA in the Windows 7 box via the MMC console. Then I created the server cert using server1.widgets.com as the CN and installed that on the server.

Note that I did not have to convert the rootCA from .pem format in order for the import to be successful on the Windows box.

Full contents of the altered rootCA below:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11541727865071105011 (0xa02c7457b3ca73f3)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=New York, L=New York, O=Widgets, Inc., OU=Widgets Dev, CN=Widgets Dev
        Validity
            Not Before: Mar 12 14:47:54 2016 GMT
            Not After : Dec 14 14:47:54 2070 GMT
        Subject: C=US, ST=New York, L=New York, O=Widgets, Inc., OU=Widgets Dev, CN=Widgets Dev
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ef:2a:75:c1:e1:a4:07:c3:27:46:94:49:2f:2a:
                    27:0c:6d:33:d7:4c:84:ee:59:d0:83:18:10:c8:f9:
                    7e:8f:4e:19:ef:c3:6f:04:a7:a3:b2:9f:6f:03:de:
                    fb:9a:f6:17:4e:87:8c:29:93:9b:a3:52:63:19:29:
                    93:1e:cc:a0:22:fe:4e:7c:00:83:8f:82:c3:83:f1:
                    65:9d:2b:5e:b4:9e:4f:cc:29:62:a6:5f:5e:11:51:
                    99:2b:55:55:6b:17:13:6c:30:14:44:6f:a7:42:d0:
                    16:2b:02:76:5c:ae:76:4a:2b:60:b2:ea:1f:64:61:
                    09:8a:c6:9f:23:ef:85:82:c6:fb:f6:7d:ce:b4:c2:
                    a3:89:f8:98:79:f8:6a:df:6a:c5:44:75:41:f2:11:
                    7c:94:32:82:00:fd:ae:d4:ef:51:0f:7f:bc:2a:25:
                    d6:b3:53:fd:3f:13:21:7c:e0:d6:b7:87:5f:09:19:
                    79:7c:2f:cc:b1:c1:a2:49:bb:17:62:8f:e3:cd:db:
                    99:6a:2b:fc:d3:f8:9a:58:2d:0c:d0:bd:21:a1:2e:
                    64:f7:c0:84:7d:48:53:94:62:79:c4:bf:51:ba:04:
                    9e:1a:15:3e:a8:ec:3d:c2:c9:05:ed:67:dc:c0:ef:
                    6d:e0:fa:a7:0e:56:51:f7:7b:dd:1c:a4:88:f0:f4:
                    50:17
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E9:F3:EC:16:D9:48:85:EC:29:E8:DB:8A:CD:1E:76:F2:37:9F:AA:F1
            X509v3 Authority Key Identifier:
                keyid:E9:F3:EC:16:D9:48:85:EC:29:E8:DB:8A:CD:1E:76:F2:37:9F:AA:F1

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         d0:e1:08:6b:4a:19:3e:29:06:27:fd:79:00:ed:a3:31:50:24:
         be:99:67:c7:a7:d3:4a:fa:6e:f0:a0:b6:97:67:b2:c0:ce:a9:
         4a:8c:d4:de:ee:be:9e:cb:53:33:c3:4e:ee:7a:21:e2:3d:5a:
         8d:f8:23:77:65:34:9f:f1:f7:1a:d3:c5:4b:b2:80:eb:06:22:
         4a:8c:94:86:b5:1b:db:2f:48:ab:55:5f:d3:7c:74:22:8e:dd:
         b1:64:1b:5a:ce:f5:ee:f3:10:d7:8e:28:d7:6a:35:e7:1f:9a:
         a9:9e:56:54:93:2e:a1:fb:e4:6c:88:57:56:73:f9:94:c4:96:
         bc:b7:08:4b:df:e8:80:a4:25:01:0e:07:c1:1b:68:d6:51:3f:
         5f:4e:0f:a9:22:f4:22:38:a8:d5:8b:fe:2a:19:2e:ed:0e:c0:
         c9:bd:b3:1a:49:a5:69:32:ad:54:2c:19:17:57:0d:9c:93:86:
         3e:51:77:e7:15:38:d3:90:13:7b:0e:db:75:45:1f:28:9d:ab:
         5a:90:3f:3d:6c:34:37:ca:e0:ac:fd:8e:33:03:42:00:03:c7:
         5b:9c:c1:ce:55:57:b4:67:f8:81:55:2c:9d:e6:2a:c9:44:74:
         22:4a:87:0f:fd:bf:a9:57:d5:88:79:b7:a9:a8:57:14:00:e3:
         16:af:0a:e1

Answer 3

Use "Manage user certificates" or "Manage computer certificates" (search control panel) and import it into "Trusted root certificates"

I think you can't directly import a .pem file try converting it into .crt or in PKCS12 if you are trying to import a key.