Creating self signed certificate for domain and subdomains - NET ERR CERT COMMON NAME INVALID

Question

I followed this tutorial for creating Signed SSL certificates on Windows for development purposes  and it worked great for one of my domains I m using hosts file to simulate dns   Then I  figured that I have a lot of subdomains  and that would be a pain in the ass to create a certificate for each of them  So I tried creating a certificate using wildcard in Common field as suggested in some of the answers at serverfault  Like this   Common Name    myserver net CN myserver net   However  after importing this certificate into Trusted Root Certification Authority  I m getting NET  ERR CERT COMMON NAME INVALID error in Chrome  for main domain and all of its subodmains  for example  https   sub1 myserver net and https   myserver net      This server could not prove that it is myserver net  its security certificate       is from   myserver net CN myserver net        This may be caused by a misconfiguration or an attacker intercepting your connection    Is there something wrong in Common Name field that is causing this error

User · Answer

If you re tired of this error  You can make Chrome not act out like this  I m not saying it s the best way just saying it s a way      As a workaround  a Windows registry key can be created to allow Google Chrome to use the commonName of a server certificate to match a hostname if the certificate is missing a subjectAlternativeName extension  as long as it successfully validates and chains to a locally-installed CA certificates       Data type  Boolean  Windows REG DWORD    Windows registry location  HKEY LOCAL MACHINE SOFTWARE Policies Google Chrome   Windows Mac Linux Android preference name  EnableCommonNameFallbackForLocalAnchors   Value  0x00000001  Windows   true Linux   true  Android     Mac    To create a Windows registry key  simply follow these steps       Open Notepad   Copy and paste the following content into notepad   Windows Registry Editor Version 5 00       HKEY LOCAL MACHINE SOFTWARE Policies Google Chrome     EnableCommonNameFallbackForLocalAnchors  dword 00000001   Go to File   Save as   Filename  any filename reg   Save as type  All Files      Select a preferred location for the file      Click on Save      Double click on the saved file to run      Click on Yes on the Registry Editor warning   Found this information on Symantec support page  https   support symantec com en US article TECH240507 html

User · Answer

Chrome 58 has dropped support for certificates without Subject Alternative Names   Moving forward  this might be another reason for you encountering this error

User · Answer

For everyone who is encountering this and wants to accept the risk to test it  there is a solution  go to Incognito mode in Chrome and you ll be able to open  Advanced  and click  Proceed to some url    This can be helpful if you need to check some website which you are maintaining yourself and just testing as a developer  and when you don t yet have proper development certificate configured    Of course this is NOT FOR PEOPLE using a website in production where this error indicates that there is a problem with website security

User · Answer

A workaround is to add the domain names you use as  subjectAltName   X509v3 Subject Alternative Name   This can be done by changing your OpenSSL configuration   etc ssl openssl cnf on Linux  and modify the v3 req section to look like this     v3 req      Extensions to add to a certificate request  basicConstraints   CA FALSE keyUsage   nonRepudiation  digitalSignature  keyEncipherment subjectAltName    alt names   alt names  DNS 1   myserver net DNS 2   sub1 myserver net   With this in place  not forget to use the -extensions v3 req switch when generating your new certificate   see also How can I generate a self-signed certificate with SubjectAltName using OpenSSL

User · Answer

Create openssl conf file    req  default bits   2048 default keyfile   oats key encrypt key   no utf8   yes distinguished name   req distinguished name x509 extensions   v3 req prompt   no   req distinguished name  C   US ST   Cary L   Cary O    BigCompany CN     myserver net   v3 req  keyUsage   critical  digitalSignature  keyAgreement extendedKeyUsage   serverAuth subjectAltName    alt names   alt names  DNS 1   myserver net DNS 2     myserver net   Run this comand   openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa 2048 -keyout app key -out app crt  -config openssl conf   Output files app crt and app key work for me

User · Answer

The answers provided did not work for me  Chrome or Firefox  while creating PWA for local development and testing  DO NOT USE FOR PRODUCTION  I was able to use the following    Online certificate tools site with the following options    Common Names  Add both the  localhost  and IP of your system e g  192 168 1 12 Subject Alternative Names  Add  DNS     localhost  and  IP     lt your ip here  e g  192 168 1 12 gt   CRS  drop down options set to  Self Sign  all other options were defaults  Download all links Import  p7b cert into Windows by double clicking and select  install   OSX  Linux  Added certs to node app    using Google s PWA example    add const https   require  https    const fs   require  fs    to the top of the server js file comment out return app listen PORT       gt            at the bottom of server js file add below https createServer   key  fs readFileSync    cert key   utf8    cert  fs readFileSync    cert crt   utf8    requestCert  false  rejectUnauthorized  false    app  listen PORT     I have no more errors in Chrome or Firefox

User · Answer

I think it may be a bug in chrome  There was a similar issue long back  See this   Try in a different browser  I think it should work fine

User · Answer

Your wildcard   example com does not cover the root domain example com but will cover any variant on a sub-domain such as www example com or test example com  The preferred method is to establish Subject Alternative Names like in Fabian s Answer but keep in mind that Chrome currently requires the Common Name to be listed additionally as one of the Subject Alternative Names  as it is correctly demonstrated in his answer   I recently discovered this problem because I had the Common Name example com with SANs www example com and test example com  but got the NET  ERR CERT COMMON NAME INVALID warning from Chrome  I had to generate a new Certificate Signing Request with example com as both the Common Name and one of the SANs  Then Chrome fully trusted the certificate  And don t forget to import the root certificate into Chrome as a trusted authority for identifying websites

User · Answer

As Rahul stated  it is a common Chrome and an OSX bug  I was having similar issues in the past  In fact I finally got tired of making the 2  yes I know it is not many  additional clicks when testing a local site for work As for a possible workaround to this issue  using Windows   I would using one of the many self signing certificate utilities available Recommended Steps    Create a Self Signed Cert Import Certificate into Windows Certificate Manager Import Certificate in Chrome Certificate ManagerNOTE  Step 3 will resolve the issue experienced once Google addresses the bug   considering the time in has been stale there is no ETA in the foreseeable future   As much as I prefer to use Chrome for development  I have found myself in Firefox Developer Edition lately  which does not have this issue Hope this helps

[ssl] Creating self signed certificate for domain and subdomains - NET::ERR_CERT_COMMON_NAME_INVALID

Examples related to ssl

Examples related to dns

Examples related to openssl

Examples related to windows-7-x64