Invalid self signed SSL cert - Subject Alternative Name Missing

Question

Recently  Chrome has stopped working with my self signed SSL certs  and thinks they re insecure  When I look at the cert in the DevTools   Security tab  I can see that it says     Subject Alternative Name Missing The certificate for this site does   not contain a Subject Alternative Name extension containing a domain   name or IP address       Certificate Error There are issues with the site s certificate chain    net  ERR CERT COMMON NAME INVALID     How can I fix this

User · Answer

Here is a very simple way to create an IP certificate that Chrome will trust.

The ssl.conf file...

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
commonName                  = 192.168.1.10

[ req_ext ]
subjectAltName = IP:192.168.1.10

Where, of course 192.168.1.10 is the local network IP we want Chrome to trust.

Create the certificate:

openssl genrsa -out key1.pem
openssl req -new -key key1.pem -out csr1.pem -config ssl.conf
openssl x509 -req -days 9999 -in csr1.pem -signkey key1.pem -out cert1.pem -extensions req_ext -extfile ssl.conf
rm csr1.pem

On Windows import the certificate into the Trusted Root Certificate Store on all client machines. On Android Phone or Tablet download the certificate to install it. Now Chrome will trust the certificate on windows and Android.

On windows dev box the best place to get openssl.exe is from "c:\Program Files\Git\usr\bin\openssl.exe"

User · Answer

The Issue As others have mentioned  the NET  ERR CERT COMMON NAME INVALID error is occurring because the generated certificate does not include the SAN  subjectAltName  field  RFC2818 has deprecated falling back to the commonName field since May of 2000  The use of the subjectAltName field has been enforced in Chrome since version 58  see Chrome 58 deprecations   OpenSSL accepts x509v3 configuration files to add extended configurations to certificates  see the subjectAltName field for configuration options    Bash Script I created a self-signed-tls bash script with straightforward options to make it easy to generate certificate authorities and sign x509 certificates with OpenSSL  valid in Chrome using the subjectAltName field   The script will guide you through a series of questions to include the necessary information  including the subjectAltName field   You can reference the README md for more details and options for automation  Be sure to restart chrome after installing new certificates  chrome   restart   Other Resources  The Docker documentation has a great straightforward example for creating a self-signed certificate authority and signing certificates with OpenSSL  cfssl is also a very robust tool that is widely used and worth checking out

User · Answer

To fix this  you need to supply an extra parameter to openssl when you re creating the cert  basically -sha256 -extfile v3 ext where v3 ext is a file like so  with   DOMAIN   replaced with the same name you use as your Common Name   More info here and over here  Note that typically you d set the Common Name and   DOMAIN   to the domain you re trying to generate a cert for  So if it was www mysupersite com  then you d use that for both  v3 ext authorityKeyIdentifier keyid issuer basicConstraints CA FALSE keyUsage   digitalSignature  nonRepudiation  keyEncipherment  dataEncipherment subjectAltName    alt names   alt names  DNS 1     DOMAIN    Note  Scripts that address this issue  and create fully trusted ssl certs for use in Chrome  Safari and from Java clients can be found here Another note  If all you re trying to do is stop chrome from throwing errors when viewing a self signed certificate  you can can tell Chrome to ignore all SSL errors for ALL sites by starting it with a special command line option  as detailed here on SuperUser

User · Answer

I had so many issues getting self-signed certificates working on macos Chrome  Finally I found Mkcert   A simple zero-config tool to make locally trusted development certificates with any names you d like   https   github com FiloSottile mkcert

User · Answer

Following solution worked for me on chrome 65  ref  -   Create an OpenSSL config file  example  req cnf    req  distinguished name   req distinguished name x509 extensions   v3 req prompt   no  req distinguished name  C   US ST   VA L   SomeCity O   MyCompany OU   MyDivision CN   www company com  v3 req  keyUsage   critical  digitalSignature  keyAgreement extendedKeyUsage   serverAuth subjectAltName    alt names  alt names  DNS 1   www company com DNS 2   company com DNS 3   company net   Create the certificate referencing this config file  openssl req -x509 -nodes -days 730 -newkey rsa 2048    -keyout cert key -out cert pem -config req cnf -sha256

User · Answer

Make a copy of your OpenSSL config in your home directory   cp  System Library OpenSSL openssl cnf   openssl-temp cnf   or on Linux   cp  etc ssl openssl cnf   openssl-temp cnf  Add Subject Alternative Name to openssl-temp cnf  under  v3 ca      v3 ca   subjectAltName   DNS localhost   Replace localhost by the domain for which you want to generate that certificate  Generate certificate   sudo openssl req -x509 -nodes -days 365 -newkey rsa 2048       -config   openssl-temp cnf     -keyout  path to your key -out  path to your crt    You can then delete openssl-temp cnf

User · Answer

I simply use the -subj parameter adding the machines ip address  So solved with one command only   sudo openssl req -x509 -nodes -days 3650 -newkey rsa 2048 -sha256 -subj   CN my-domain com subjectAltName DNS 1 192 168 0 222   -keyout my-domain key -out my-domain crt   You can add others attributes like C  ST  L  O  OU  emailAddress to generate certs without being prompted

User · Answer

on MAC starting from chrome Version 67 0 3396 99 my self-signed certificate stopped to work   regeneration with all what written here didn t work   UPDATE  had a chance to confirm that my approach works today     If it doesn t work for you make sure your are using this approach  v3 ext authorityKeyIdentifier keyid issuer basicConstraints CA FALSE keyUsage   digitalSignature  nonRepudiation  keyEncipherment  dataEncipherment subjectAltName    alt names   alt names  DNS 1    lt specify-the-same-common-name-that-you-used-while-generating-csr-in-the-last-step gt      copied from here https   ksearch wordpress com 2017 08 22 generate-and-import-a-self-signed-ssl-certificate-on-mac-osx-sierra   END UPDATE  finally was able to see green Secure only when removed my cert from system  and added it to local keychain   if there is one - drop it first   Not sure if it maters but in my case I downloaded certificate via chrome  and verified that create date is today - so it is the one I ve just created   hope it will be helpful for someone spend like a day on it   never update chrome

User · Answer

I was able to get rid of  net  ERR CERT AUTHORITY INVALID  by changing the DNS 1 value of v3 ext file    alt names  DNS 1   domainname com  Change domainname com with your own domain

User · Answer

If you want to run your server localhost  you need to setup CN   localhost and DNS 1   localhost   req  default bits   2048 default md   sha256 distinguished name   req distinguished name prompt   no prompt   no x509 extensions   v3 req   req distinguished name  C   BR CN   localhost emailAddress contact example com L   Sao Paulo O   example com OU   example com ST   Sao Paulo   v3 req  authorityKeyIdentifier   keyid  issuer basicConstraints   CA FALSE extendedKeyUsage   serverAuth keyUsage   digitalSignature  nonRepudiation  keyEncipherment  dataEncipherment subjectAltName    alt names   alt names  DNS 1   localhost

[google-chrome] Invalid self signed SSL cert - "Subject Alternative Name Missing"

Examples related to google-chrome

Examples related to ssl

Examples related to https

Examples related to pkix