0

I have a .csr certificate signed by a trusted CA (DigiCert). When I create a Tomcat Connector with this certificate locally and go to 127.0.0.1, the browser says the connection is insecure. The certificate is visible in the browser. I expected that when browsing https://127.0.0.1:9000 I would see the 'green' connection.

Could you please explain how I can test this certificate locally? I want to see the 'green' connection in the browser locally.

Eugène Adell
Dron4K
  • What is the CNAME the certificate is issued on? – akortex91 Mar 04 '18 at 16:07
  • Aris, denasales.com – Dron4K Mar 04 '18 at 16:13
  • 1
    Then you have to use the domain name instead of the address. The certificate is issued on this domain, hence when you try to access it via the localhost IP you get the 'insecure connection'. As mentioned in the below answer you can bypass this via adding a new line in your hosts file mapping your localhost IP to the domain the certificate's issued on. – akortex91 Mar 04 '18 at 16:17

1 Answer

3

Your certificate is not signed for 127.0.0.1 but for an FQDN (a domain name such as example.com).

Edit your hosts file (`/etc/hosts` on Linux, on Windows it's `c:\Windows\System32\drivers\etc\hosts`), and add a line corresponding to your certificate's FQDN, such as `127.0.0.1 example.com`

jww
Eugène Adell
  • I'm probably splitting hairs... A FQDN ends in a dot ("***.***"). It denotes the top of the DNS tree. What you have shown is just a DNS name. A DNS name can have search domains added to it by the resolver. A FQDN will not because it is already at the top of the tree. – jww Mar 04 '18 at 16:33
  • @jww I don't know in which RFC it's clearly defined. Apart from certificates, 2396 says "The rightmost domain label of a fully qualified domain name will never start with a digit, thus syntactically distinguishing domain names from IPv4 addresses, and may be followed by a single "." if it is necessary to distinguish between the complete domain name and any local domain" – Eugène Adell Mar 04 '18 at 19:36
  • 1
    Check W. Richard Stevens [TCP/IP Illustrated](https://www.amazon.com/dp/0201633469). I think Wikipedia even states it, but Stevens is who I would consider the authoritative source. – jww Mar 04 '18 at 19:59
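Why the hosts-file entry in the answer works, as an added example that is not part of the original posts: a simplified Python model of the name check a TLS client applies to the host in the URL. The function names are hypothetical, and the SAN list is constructed on the assumption that the certificate names only denasales.com.

```python
import ipaddress
from urllib.parse import urlsplit

def dns_match(pattern: str, host: str) -> bool:
    """Match one dNSName entry against a host name, case-insensitively.
    '*' is accepted only as the whole leftmost label and covers one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def host_matches_cert(host, dns_names, ip_addresses=()):
    """True if host is covered by the certificate's subjectAltName entries."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # The URL host is a name: compare against dNSName entries.
        return any(dns_match(d, host) for d in dns_names)
    # The URL host is an IP literal: only iPAddress entries count,
    # a dNSName entry is never compared with an address.
    return any(ipaddress.ip_address(a) == ip for a in ip_addresses)

def url_matches_cert(url, dns_names, ip_addresses=()):
    """Extract the host from the URL (port is ignored) and check it."""
    return host_matches_cert(urlsplit(url).hostname or "", dns_names, ip_addresses)

# Constructed SAN list (assumption): the certificate names only this domain.
SAN_DNS = ["denasales.com"]

if __name__ == "__main__":
    for url in ("https://127.0.0.1:9000",       # what the question browsed to
                "https://denasales.com:9000"):  # after the hosts-file mapping
        verdict = "name matches" if url_matches_cert(url, SAN_DNS) else "name mismatch"
        print(f"{url:30} {verdict}")
```

The hosts entry changes only where the name resolves; the client still compares the name typed in the URL with the names in the certificate, so the check passes without the certificate ever listing 127.0.0.1.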