A certificate has two functions:
- It's a way of handing out public cryptographic keys
- The recipient of a certificate can confirm the identity (subject) in the certificate by checking the signature using the issuer's public key

Chrome is complaining about not trusting the issuer while trying to validate the certificate (item [2]), since it doesn't actually have the public key of the issuer in its database of trusted Certificate Authorities. The reason is most likely that the certificate is self-signed.
The java command you ran has generated a Certificate Signing Request (CSR) containing a public key (and hopefully stored the corresponding private key in a separate file). This is useful if the certificate is related to an identity (e-mail address) or Internet domain which you actually own and control, and you want a third party to sign your key and create a signed certificate which can then be validated by others trusting that same third party.
If this is the route you want to take, you'll need to contact one of the many CAs participating in the Internet Public Key Infrastructure (PKI), like Verisign (Symantec), GoDaddy, RapidSSL, Thawte, Equifax etc. For a fee, the CA will validate your identity and issue a signed certificate based on either the .pem or .der file (it's just two files containing the same CSR in different formats).
However, if you just want one particular instance of Chrome to accept the self-signed certificate you already have, you can just manually import the certificate into the "Trusted Root CAs" certificate store on the client.
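
The trust decision described in this answer can be reproduced outside the browser with the openssl CLI. This is an added example, not part of the original answer; it assumes openssl is installed, and the function names, file names and `example.test` host names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes the openssl CLI is installed; host names are constructed.

# Create a throwaway key and self-signed certificate.
# $1 = output path prefix, $2 = common name.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Print the subject or issuer name ($2) of certificate $1 without its label.
dn_field() {
    openssl x509 -in "$1" -noout "-$2" | sed "s/^$2= *//"
}

# Succeed when certificate $1 verifies against the PEM trust store $2.
# The output is matched rather than the exit status because some older
# OpenSSL releases exit 0 on a failed verification. OpenSSL also consults its
# default store, which cannot contain a freshly generated certificate.
trusted_by() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Succeed when the certificate names itself as issuer and its signature
# checks out under its own public key.
is_self_signed() {
    [ "$(dn_field "$1" subject)" = "$(dn_field "$1" issuer)" ] &&
        trusted_by "$1" "$1"
}

# Reproduce the answer's scenario and report each trust decision.
demo() {
    dir=$(mktemp -d) || return 1
    make_self_signed "$dir/site" site.example.test || return 1
    make_self_signed "$dir/other" other-root.example.test || return 1
    is_self_signed "$dir/site.pem" && echo "site.pem: subject == issuer (self-signed)"
    # Trust store without the certificate: what the browser starts with.
    trusted_by "$dir/site.pem" "$dir/other.pem" || echo "store lacks it: rejected"
    # Trust store after importing the certificate itself as a root.
    trusted_by "$dir/site.pem" "$dir/site.pem" && echo "after import: accepted"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the script with the argument `demo` to print the three decisions; `is_self_signed` can also be pointed at the PEM file exported from the browser's certificate viewer.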