“Private key is missing or invalid when importing a certificate” in Google Chrome

Posted on

Problem :

I want to test my web app on https localhost. Unfortunately it seems impossible to remove certificate warning from chrome. First, I generated the certificate like this:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/localhost-selfsigned.key -out /etc/ssl/certs/localhost-selfsigned.crt

Then I wanted to add it to Chrome, settings > advanced > manage certificates -> import. I try to import the .crt file generated before and all I get is this:

Certificate import error: The Private Key for this Client Certificate is missing or invalid.

I googled it, but I found nothing helpful.

I have also tried to enable allow-insecure-localhost flag and open chrome with --ignore-certificate-errors but it still shows the warning and broken https

Are there any other ways or am I doing something wrong with the certificate?

Solution :

I think what you may be trying to do is add it to the wrong certificate store. If you’re attempting to add it under “Your Certificates”, you’re gonna have a bad time. That tab is for adding identity certificates; what your browser offers to the server to establish the browser’s identity.

What I think you want to do do, based on your description, is you want your browser to trust the self-signed cert that will be on your server end. If that’s the case, you need to add it in your “Authorities” tab.

What worked for me was

  • setting up a CA
  • signing my own certificate using this CA and then
  • importing the CA key into Chrome (Authorities).

I got the procedure from this answer on SO.

Since my specific issue was for catering for multilevel subdomains, I’ll look at it from that angle.


  • bar.fooz.mydomain.com
  • foo.fooz.mydomain.com
  1. Become a Certificate Authority
export CA=myca
# you probably want to have this in its own directory
mdkir /etc/ssl/$CA && cd /etc/ssl/$CA

# generate private key
openssl genrsa -des3 -out $CA.key 2048

# generate root certificate
openssl req -x509 -new -nodes -key $CA.key -sha256 -days 825 -out $CA.pem
  1. Create CA-signed certificates
export NAME=fooz.mydomain.com
# if CA files were in a separate directory
cd .. && mkdir /etc/ssl/$NAME && cd /etc/ssl/$NAME

# generate private key
openssl genrsa -out $NAME.key 2048

# Create a certificate-signing request
# Once prompted, set FQDN to the value of $NAME
openssl req -new -key $NAME.key -out $NAME.csr

# Create a config file for the extensions
>$NAME.ext cat <<-EOF
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
DNS.1 = $NAME # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
# Optionally, add additional domains (I've added a subdomain here)
DNS.2 = foo.$NAME
DNS.3 = bar.$NAME
IP.1 = # (Optional, but probably important), add an IP address (if the connection which you have planned requires it)

# Create the signed certificate
openssl x509 -req -in $NAME.csr -CA $CA.pem -CAkey $CA.key -CAcreateserial -out $NAME.crt -days 825 -sha256 -extfile $NAME.ext
  1. Download the $CA.pem file and import as an Authority in your browser:
    1. Chrome settings (Settings > Privacy and Security > Security > Manage certificates > Authorities > Import). Check Trust this certificate for identifying websites
    2. Firefox: Preferences > Privacy and Security > Certificates > View Certificates > Authorities > import. Check Trust this CA to identify websites
  1. Restart your browser (Firefox worked without the need for a restart)

Chrome expects a file in PKCS12 format file which is used to store the certificate, any intermediate certificate and the private key into single encryptable file. these files usually have the .p12 and .pfx extensions.

To generate one use the below command

openssl pkcs12 -export -inkey ./sample.key -in ./sample.crt -out ./sample.p12

This command will ask for a password which we need to remember and use it while importing the generated p12 file into chrome.

Leave a Reply

Your email address will not be published. Required fields are marked *