I would like to ask how to generate an end-entity certificate based on my own CA root certificate. I've generated the root CA this way:
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-keyout example.key -out example.crt -subj /CN=MyCompany \
-addext subjectAltName=IP:192.168.100.82
openssl pkcs12 -export -out cert.pfx -inkey example.key -in example.crt
I have imported the cer file into Windows Trusted Root Certification Authorities and the pfx file into IIS Server Certificates.
It works well with Chrome, IE and Edge, but Firefox reports a problem with my cert: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
I googled it and learnt that I should have an end-entity cert signed by my CA root cert. I was trying to generate the end-entity cert with:
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr -subj /CN=MyCompanyEE -addext subjectAltName=IP:192.168.100.82
openssl x509 -req -in server.csr -CA cert.pem -CAkey example.key -CAcreateserial -out server.crt -days 3650 -sha256
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt
OpenSSL response:
Signature ok
subject=CN = MyCompanyEE
Getting CA Private Key
I have imported server.pfx into IIS Server Certificates too, and changed the bindings for my web app to use the server cert, but now it doesn't work in either Firefox or Chrome.
Firefox says: SSL_ERROR_BAD_CERT_DOMAIN,
Chrome says: NET::ERR_CERT_COMMON_NAME_INVALID.
What am I doing wrong?
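
The signing step from the question, as an added example that is not part of the original post: `openssl x509 -req` ignores extensions requested in the CSR by default, so the script signs the same CSR once as posted and once with the SAN supplied through `-extfile`, then checks both against the root. Assumptions: 2048-bit keys for speed, a scratch directory, the file `san.ext`, and `example.crt` standing in for the question's `cert.pem`.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: 2048-bit keys (for
# speed), a scratch directory, san.ext, and example.crt standing in for cert.pem.
set -eu
IP=192.168.100.82   # address from the question

make_ca() {    # self-signed root, as in the question
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -keyout example.key -out example.crt -subj /CN=MyCompany 2>/dev/null
}

make_csr() {   # CSR carrying the SAN, as in the question
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -out server.csr -subj /CN=MyCompanyEE \
    -addext "subjectAltName=IP:$IP"
}

sign_as_posted() {   # the question's command: extensions in the CSR are ignored
  openssl x509 -req -in server.csr -CA example.crt -CAkey example.key \
    -CAcreateserial -out "$1" -days 3650 -sha256 2>/dev/null
}

sign_with_san() {    # same command plus -extfile, which sets the extensions
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    "subjectAltName=IP:$IP" 'extendedKeyUsage=serverAuth' > san.ext
  openssl x509 -req -in server.csr -CA example.crt -CAkey example.key \
    -CAcreateserial -out "$1" -days 3650 -sha256 -extfile san.ext 2>/dev/null
}

check_cert() {   # must chain to the root AND match the IP address
  openssl verify -CAfile example.crt -verify_ip "$IP" "$1" >/dev/null 2>&1
}

cd "$(mktemp -d)"
make_ca
make_csr
sign_as_posted posted.crt
sign_with_san server.crt
for c in posted.crt server.crt; do
  if check_cert "$c"; then echo "$c: chain and IP SAN OK"
  else echo "$c: rejected (chain or IP check failed)"; fi
done
```

`openssl x509 -in server.crt -noout -text` shows the `X509v3 Subject Alternative Name` entry on the second certificate only; that certificate is the one to export to `server.pfx`.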