Generation of the SelfSignedCertificate support only CN,O,C ???

[robertgregor]

Hi,
I am trying to generate the Self signed certificate, which will be trusted by the browser (Chrome, IE). I am able to generate the certificate, copied the certificate to the trusted root certificate store. But the browsers are still telling me, that the certificate can't be trusted.
Seems like, that it is because of missing SAN -> subjectAltName field in the certificate.
But when I tried to put it, the certificate is not generated and return the length 0.

Seems to me, that even, when I tried to add some other standard fields but, if something else is added to this list, CN=pirsensor.local,O=Remote%20Home,C=CZ

like i.e. CN=pirsensor.local,O=Robert,C=CZ,L=Prague it will always generate the certificate with the key 0 and signature 0, so no certificate generation.

And seems like, that the browser will accept the certificate only if the subjectAltName=pirsensor.local

Does anyone has any experience with it?

Robert

[fhessel]

Are you trying to generate the certificate by the script that's used for the examples or on the ESP32?

On the ESP32, I'm not sure if the string you put in there as distinguished name is even checked. However, I tried your suggestion on the latest version of the self-signed cert example, and only replaced the dn with CN=pirsensor.local,O=Robert,C=CZ,L=Prague. Generating the certificate worked without a problem (ESP32 WROOM module (so lowest RAM etc.), esp32dev board in PlatformIO):

Creating a new self-signed certificate.
This may take up to a minute, so be patient ;-)
Creating the certificate was successful
Setting up WiFi
.Connected. IP=192.168.0.42
Starting server...
Server ready.

Then I probed the certificate using OpenSSL:

[frank@frank-t14 ~]$ openssl s_client --connect 192.168.0.123:443 --showcerts
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = pirsensor.local, O = Robert, C = CZ, L = Prague
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = pirsensor.local, O = Robert, C = CZ, L = Prague
verify return:1
---
Certificate chain
 0 s:CN = pirsensor.local, O = Robert, C = CZ, L = Prague
   i:CN = pirsensor.local, O = Robert, C = CZ, L = Prague
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = pirsensor.local, O = Robert, C = CZ, L = Prague
issuer=CN = pirsensor.local, O = Robert, C = CZ, L = Prague
...

So for me, that seems to work. Did you check the return value of createSelfSignedCert? If it is !=0, some error ocured and the SSLCert will remain unchanged. Usually a memory issue, because that certificate generation really puts the ESP32 to its limits, memory-wise.

That would keep us with two issues:

• subjectAltName is missing
• Adding the CA to the trust root does not work

I agree with you that the subjectAltName field should be filled at least with the CN from the DN. I added that to the certificate generation code, the extension is now created based on what you pass as CN. Have a look at PR #113. If you still have problems to generating any cert at all, please check the return value of createSelfSignedCert against the error codes to see where it fails.

For the CA, maybe try again with the subjectAltName set, but self-signed certificates/CAs as trust root sometimes just don't work well. If it's a private deployment, using a tool like easy-rsa to manage a small CA is usually easier.