Self Signed Certificates ( with SAN )

This post covers creating self-signed certificates that include a SAN (Subject Alternative Name) extension.

As of Google Chrome version 58, Chrome no longer matches the hostname against the certificate's Common Name. If your self-signed certificate has no SAN extension, you will get an error similar to this:

Subject Alternative Name Missing The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

Certificate Error There are issues with the site’s certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).

So we are going to:

  • Make some config changes to openssl.cnf
  • Re-generate the SSL key and certificate
  • Update Apache with the location of the new key and certificate and restart it
  • Remove the old trusted root certificate from Chrome and import the new one

I am doing this on CentOS 7 with the OpenSSL package below installed:

  • CentOS Linux release 7.3.1611 (Core)
  • OpenSSL 1.0.1e-fips 11 Feb 2013
  • OpenSSL config file:  /etc/pki/tls/openssl.cnf

To make sure you are modifying the right config file, put some garbage into it and run an openssl command. If it fails, you got the right file. A less destructive check is "openssl version -a", which prints OPENSSLDIR, the directory the default openssl.cnf is read from (the OPENSSL_CONF environment variable overrides it).

OpenSSL config changes

Under the [ CA_default ] section, un-comment

# Extension copying option: use with caution.
copy_extensions = copy

This setting only takes effect when you sign CSRs with "openssl ca": it copies whatever extensions the CSR asks for (a subjectAltName, but also things like basicConstraints CA:TRUE) into the issued certificate, which is why the comment tells you to use it with caution. The self-signed "openssl req -x509" command used below does not go through the CA code and takes its extensions from x509_extensions instead, so this line is harmless here but not strictly required.

Under the [ req ] section, check the value of x509_extensions (mine says x509_extensions = v3_ca). This is the section "openssl req -x509" uses for the extensions of a self-signed certificate.

Search for the [ v3_ca ] section (or whatever section x509_extensions names) and add the line below to it

subjectAltName = @alt_names

Note that the stock [ v3_ca ] section also carries basicConstraints = CA:true, so the certificate you end up with is both the server certificate and a CA certificate. That is what lets you import it as a trusted root later, but it also means anything signed with server.key will be trusted by that browser, so keep server.key readable by root only.

Create a new section [alt_names] and put this in it (change to your local domain; the name must be the exact hostname you type into the browser, since Chrome no longer matches on the CN)

DNS.1 =

If you want to use an IP address instead of, or as well as, a DNS name, add the following (further names go in DNS.2, DNS.3, IP.2 and so on)

IP.1 =

save and exit

Re-generate SSL key and Certificates

openssl genrsa -out server.key 3072

# modify the number of days as required and provide details of Country, CN etc. (use the same hostname for CN as in DNS.1)
openssl req -new -x509 -key server.key -sha256 -out certificate.pem -days 730

# You can check the certificate using
openssl x509 -in certificate.pem -text -noout

You should see these lines in the output, followed by the DNS: and IP Address: entries you configured:
Version: 3 (0x2)
X509v3 Subject Alternative Name:
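As an added example (not part of the original post), here is the whole procedure as a script that does not touch the system openssl.cnf: it writes an equivalent config with the same [ v3_ca ] and [alt_names] changes to a private file, passes it to openssl with -config, and then checks the resulting certificate the way Chrome does, by looking at the SAN entries rather than the CN. The hostnames, the IP address and the DN fields are made-up values; replace them with yours. The wildcard DNS.3 entry goes beyond the post to show how a "*." name matches.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a self-signed certificate
# with a SAN using a private config file instead of editing /etc/pki/tls/openssl.cnf,
# then checks the SAN the way a browser does. All names and addresses are made up.
set -eu

write_config() {
    # Equivalent of the post's openssl.cnf edits: subjectAltName added to the
    # x509_extensions section, plus an [alt_names] section. prompt = no means
    # the DN is read from the file instead of being asked for interactively.
    cat > "$1" <<'EOF'
[ req ]
default_bits       = 3072
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
prompt             = no

[ req_distinguished_name ]
C  = US
ST = SomeState
O  = Home Lab
CN = myserver.example.lan

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = CA:true
subjectAltName         = @alt_names

[ alt_names ]
DNS.1 = myserver.example.lan
DNS.2 = myserver
DNS.3 = *.lab.example.lan
IP.1  = 192.168.1.10
EOF
}

generate_cert() {
    # Same two commands as the post, pointed at the private config.
    # Writes $1/server.key and $1/certificate.pem.
    write_config "$1/openssl-san.cnf"
    openssl genrsa -out "$1/server.key" 3072 2>/dev/null
    chmod 600 "$1/server.key"
    openssl req -new -x509 -sha256 -days 730 -config "$1/openssl-san.cnf" \
        -key "$1/server.key" -out "$1/certificate.pem"
}

is_v3() {
    # SAN is an X.509 v3 extension; a v1 certificate cannot carry one.
    openssl x509 -in "$1" -noout -text | grep -q 'Version: 3 (0x2)'
}

san_entries() {
    # Print the SAN entries one per line, e.g. "DNS:myserver" / "IP Address:192.168.1.10".
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' | sed 's/^[ \t]*//'
}

has_san() {
    # 0 if the certificate carries exactly the given entry (e.g. "DNS:myserver").
    san_entries "$1" | grep -qxF -- "$2"
}

san_matches_dns() {
    # Browser-style hostname check: case-insensitive, exact DNS entry, or a
    # single-label "*." wildcard (web.lab.example.lan matches *.lab.example.lan;
    # lab.example.lan and a.b.lab.example.lan do not). IP SANs are not consulted.
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    for entry in $(san_entries "$1" | sed -n 's/^DNS://p' | tr 'A-Z' 'a-z'); do
        case "$entry" in
            "$host") return 0 ;;
            \*.*) [ "${host#*.}" = "${entry#\*.}" ] && return 0 ;;
        esac
    done
    return 1
}

# Usage: sh make-san-cert.sh /path/to/outdir
if [ $# -gt 0 ]; then
    generate_cert "$1"
    san_entries "$1/certificate.pem"
fi
```

For the Apache step the post lists, on CentOS 7 mod_ssl reads /etc/httpd/conf.d/ssl.conf; point SSLCertificateFile at certificate.pem and SSLCertificateKeyFile at server.key, then run "systemctl restart httpd". Because the config above keeps CA:true the way the post's [ v3_ca ] does, the 600 permissions on server.key matter: that key can sign certificates the browser you import it into will trust.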

Wrapping up

  • In Chrome, go to Settings, SSL and remove any previous certificates
  • Then visit your site using https
  • Chrome will throw a warning
  • We need to add our self-signed cert to Chrome's trusted root authorities so that Chrome will trust it. Only do this on machines you control: from then on that browser trusts anything signed with server.key
  • Press F12 – Security – View Certificate – Copy to File – save it to your computer
  • Go to Settings – SSL – Manage Certificates – Trusted Root Certificate Authorities – Import
  • Import the certificate you just saved.
  • Completely close Chrome, open it again and try the https site
  • Try rebooting the machine if Chrome still complains.
  • If it still does not work, then something went wrong somewhere.
  • Check what OS and package versions you are using and whether the commands/paths require a change



Categories: Linux