Mbed TLS key failure

So with a self-signed certificate, even when added to the trusted CAs on Windows, it will not work with Chrome?

If this is true why does it sometimes work?

To be honest, I don’t know why it sometimes works. Perhaps some bug in Chrome?
The certificate should not be accepted, both because it is a self-signed certificate and because it doesn’t have the CA: true basic constraint.

You shouldn’t add this certificate to the certificate store on Windows, as it should contain only root CA certificates (that you trust). The certificate you are sending is in fact a root certificate, but it is not a CA. In addition, the server certificate should not be the root CA certificate, but a unique certificate that this root certificate issued (or its intermediate certificate).

Ron,

Thanks for your help. I tried generating and self-signing keys and could not get it to work. Then I downloaded mkcert and was able to get everything working. For my development environment I followed the steps below to create working keys.

Note that I found that I would not have any failures if I used wget to download pages:
wget -e robots=off -r -np --page-requisites --no-check-certificate https://192.168.168.156/dashboard.html

I am still not sure why each browser had different behavior with self-signed keys and why it would work sometimes. However, with the mkcert fix it seems to have greatly improved. I am still wondering if there is some other error.

Thanks
Trampas

To install local development certificates please go through the instructions of installing GitHub - FiloSottile/mkcert: A simple zero-config tool to make locally trusted development certificates with any names you'd like.

For Windows this involved installing

Once mkcert is installed then in an administrative powershell window type the following commands:

choco install mkcert

mkcert -install

mkcert -ecdsa 192.168.168.156

Where 192.168.168.156 is replaced with the IP address of the device. mkcert will create two files:

The certificate is at “./192.168.168.156.pem” and the key at “./192.168.168.156-key.pem”

Hi Trampas,

I tried generating and self signing keys and could not get it to work.

I don’t understand why you wanted to use a self-signed certificate, as it is not within any trust model.

Note that I found that I would not have any failures if I used wget to download pages:

Note that you added the parameter --no-check-certificate, so yes, this would work (not secure, but works).

I am still not sure why each browser had different behavior with self-signed keys and why it would work sometimes.

Well, every browser has a different implementation, so perhaps some are less restrictive. As for why it sometimes works, as mentioned, this puzzles me as well.

According to the mkcert documentation, this tool generates and installs locally a CA certificate, and generates a certificate for you to use. This is why it works for you, as the generated certificate you are using is not self-signed, but issued by the CA certificate that was generated by mkcert and installed in your machine’s certificate store. Note this solution is good for local use only, and will not work if you wish to create a server that will serve remote clients.
Regards

If you do not use self-signed certificates like mkcert creates, how do you actually test during development that Mbed TLS works?

mkcert doesn’t create self signed certificates.

You can look at the Makefile that includes the commands used to generate certificates in the test environment.

You could also use the cert_write example application to generate certificates. For test purposes, you will need to generate a self-signed CA certificate that will act as the CA root certificate. The key you used for this certificate will also be the issuer key that will be used for the cert_write example app. You will also need to supply your own key that will be the subject key.
Regards