This is a post on creating self-signed certificates that include a SAN (Subject Alternative Name).
As of Google Chrome version 58, if your self-signed certificate does not contain a SAN, you will get an error similar to this:
Subject Alternative Name Missing The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.
Certificate Error There are issues with the site’s certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).
So we are going to do the following:
- Make some config changes to openssl.cnf
- Re-generate SSL key and Certificates
- Update apache with the location to the new keys and restart apache
- Remove old trusted root cert from chrome and import the new one
I am doing this on CentOS 7 with the OpenSSL library listed below installed:
- CentOS Linux release 7.3.1611 (Core)
- OpenSSL 1.0.1e-fips 11 Feb 2013
- OpenSSL config file: /etc/pki/tls/openssl.cnf
To make sure you are modifying the right config file, put some garbage into it and run the openssl command. If it fails, you have the right file.
OpenSSL config changes
Under the [ CA_default ] section, un-comment the copy_extensions line so it reads:
# Extension copying option: use with caution.
copy_extensions = copy
Under the [ req ] section, check the value of x509_extensions (mine says x509_extensions = v3_ca).
Search for the [ v3_ca ] section (or whichever section x509_extensions points to) and add the line below to it:
subjectAltName = @alt_names
Create a new section [alt_names] and put this in it (change localhost.com to your local domain):
[alt_names]
DNS.1 = localhost.com
If you want to use an IP address instead of a DNS name, use this instead:
[alt_names]
IP.1 = 192.168.10.19
Save and exit.
Re-generate the SSL key and certificate
openssl genrsa -out server.key 3072
# modify the number of days as required and provide details of Country, CN etc.
openssl req -new -x509 -key server.key -sha256 -out certificate.pem -days 730
# You can check the certificate using
openssl x509 -in certificate.pem -text -noout
You should see the following lines in the output:
Version: 3 (0x2)
X509v3 Subject Alternative Name:
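The config edits and the key/certificate commands above, scripted end to end as an added example (this is not the post's own script). Instead of editing the system-wide /etc/pki/tls/openssl.cnf, it writes a small standalone config and passes it to openssl req with -config, which is an assumption of this example rather than what the post does; the copy_extensions setting in [ CA_default ] is omitted because it only affects signing with openssl ca, not openssl req -x509. The hostname localhost.com and the IP 192.168.10.19 are the post's placeholder values, and the [alt_names] section carries both a DNS and an IP entry so the resulting SAN covers either way of reaching the site. The last function scripts the manual openssl x509 -text check so you can confirm the SAN is actually present.

```shell
#!/bin/sh
# Added example: self-signed certificate with a SAN using a standalone
# OpenSSL config (not the post's own script). Hostname and IP are
# placeholders; replace them with your own.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write a minimal config mirroring the post's edits: [ req ] points
# x509_extensions at v3_ca, v3_ca carries subjectAltName = @alt_names,
# and [alt_names] lists the DNS name and IP address the cert is for.
write_san_config() {
    # $1 = config output path, $2 = DNS name (also used as CN), $3 = IP address
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
prompt             = no

[ req_distinguished_name ]
C  = US
CN = $2

[ v3_ca ]
basicConstraints     = CA:TRUE
subjectKeyIdentifier = hash
subjectAltName       = @alt_names

[alt_names]
DNS.1 = $2
IP.1  = $3
EOF
}

# Generate an RSA key and a self-signed certificate using that config.
generate_cert() {
    # $1 = config path, $2 = key output, $3 = certificate output, $4 = validity in days
    openssl genrsa -out "$2" 3072 2>/dev/null
    openssl req -new -x509 -key "$2" -sha256 -days "$4" -config "$1" -out "$3"
}

# Print the value line of the X509v3 Subject Alternative Name extension,
# e.g. "DNS:localhost.com, IP Address:192.168.10.19"; empty if missing.
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

main() {
    cfg="$WORKDIR/san.cnf"
    write_san_config "$cfg" localhost.com 192.168.10.19
    generate_cert "$cfg" "$WORKDIR/server.key" "$WORKDIR/certificate.pem" 730
    echo "Key:  $WORKDIR/server.key"
    echo "Cert: $WORKDIR/certificate.pem"
    echo "SAN:  $(cert_san "$WORKDIR/certificate.pem")"
}

# Only run the demo when the openssl binary is available.
if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not found; nothing generated" >&2
fi
```

Run it with sh and point Apache at the printed key and certificate paths; the SAN line must list the exact name or address you type into the browser, otherwise Chrome still reports ERR_CERT_COMMON_NAME_INVALID.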
Update Chrome's trusted certificates
- In Chrome, go to Settings, SSL, and remove any previous certificates
- Then visit your site using https
- Chrome will throw a warning
- We need to add our self-signed cert to Chrome's trusted root authorities so that Chrome will trust it
- Press F12 – Security – View Certificate – Copy to File – Save it to your computer
- Go to Settings – SSL – Manage Certificates – Trusted Root Certificate Authorities – Import
- Import the certificate you just saved.
- Completely close Chrome, open it again and try the https site
- Try rebooting the machine if Chrome still complains.
- If it still does not work, then something went wrong somewhere.
- Check what OS and package versions you are using and whether the commands or paths need to be changed