130

Recently, Chrome has stopped working with my self-signed SSL certs and thinks they're insecure. When I look at the cert in the DevTools | Security tab, I can see that it says:

Subject Alternative Name Missing The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

Certificate Error There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).

How can I fix this?

jww
Brad Parks
  • How is this not a programming question? It's about self-signing certificates, which is a part of creating your stack. Thank you Brad – Sweet Chilly Philly Dec 14 '17 at 22:08
  • ***`CN=www.example.com`*** is probably wrong. Hostnames always go in the *SAN*. If it's present in the *CN*, then it must be present in the *SAN* too (you have to list it twice in this case). For more rules and reasons, see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639). You will also need to place the self-signed certificate in the appropriate trust store. – jww Dec 28 '17 at 00:15
  • @jww - this is not a duplicate of that question, as you don't have to create a cert using openssl; you can create it with other tools. – Brad Parks Dec 28 '17 at 12:32
  • @BradParks - Hmmm... The question was tagged OpenSSL and the accepted answer uses OpenSSL. I reopened and removed the OpenSSL tag. – jww Dec 28 '17 at 17:49

12 Answers

122

To fix this, you need to supply an extra parameter to openssl when you're creating the cert, basically

-sha256 -extfile v3.ext

where v3.ext is a file like so, with %%DOMAIN%% replaced with the same name you use as your Common Name. More info here and over here. Note that typically you'd set the Common Name and %%DOMAIN%% to the domain you're trying to generate a cert for. So if it was www.mysupersite.com, then you'd use that for both.

v3.ext

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = %%DOMAIN%%

Note: Scripts that address this issue, and create fully trusted SSL certs for use in Chrome, Safari and from Java clients, can be found here.

Another note: If all you're trying to do is stop Chrome from throwing errors when viewing a self-signed certificate, you can tell Chrome to ignore all SSL errors for ALL sites by starting it with a special command line option, as detailed here on SuperUser.

Brad Parks
  • Not sure which version of XAMPP you're using, but if you look for a line in that file that contains "openssl x509", you should be able to add the above to the end of that line in the file. For example, this version of [makecert.bat](https://sourceforge.net/p/xampp/code/HEAD/tree/win32/xampp/apache/makecert.bat#l9) has it on line 9, and it would end up being: `bin\openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365 -sha256 -extfile v3.ext`. Of course you still need to save the `v3.ext` to a file in the same folder. – Brad Parks May 07 '17 at 01:36
  • Thanks, it worked!! However, as written in an answer below, I still get "NET::ERR_CERT_AUTHORITY_INVALID". I added the certificate as a trusted root certificate as usual before, but it didn't work. However, the "Subject Alternative Name Missing" problem is solved... – Tarik May 07 '17 at 13:36
  • @Tarik - can't say for sure as I'm not on Windows, but try using [the process detailed here](http://docs.mitmproxy.org/en/stable/certinstall.html) to import the file `privkey.pem`, which I think is in your `xampp/apache` folder. That may fix your authority issue. – Brad Parks May 08 '17 at 16:29
  • Do you think the problem is related to the key file not matching the new certificate? But makecert.bat is using the key while making the certificate? See here: `bin\openssl req -new -out server.csr`, `bin\openssl rsa -in privkey.pem -out server.key`, `bin\openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365 -sha256 -extfile v3.ext` – Tarik May 08 '17 at 18:59
  • I gave up on Chrome after trying everything and continued with another browser. A few days later, today, I checked with Chrome and it works!!! Chrome probably had a bug and they fixed it. **Your method for Subject Alternative Name Missing works!!!!** Just add the certificate under trusted root certificates in the browser. – Tarik May 11 '17 at 22:22
  • I am getting `unknown option -extfile`. How do I fix this? – Nick Manning Jun 15 '17 at 18:33
  • @NickManning - Maybe you're using the `extfile` directive in the wrong openssl command? Instead of it being used in `openssl req -new ...`, it is used in `openssl x509 -req ...`. At least that's what [someone here said](https://www.devside.net/wamp-server/generating-and-installing-wildcard-and-multi-domain-ssl-certificates), which seems true from [the example I have in another answer to a similar question of how to fully generate these certs](https://stackoverflow.com/a/43666288/26510). – Brad Parks Jun 15 '17 at 22:24
  • Thanks @BradParks... that looks like it is the problem. But now many of the other flags don't work, so I'll have to figure out how to rewrite the command in full (kinda hard since I have zero experience). I was doing `openssl req -new -x509 -key example.com.key -out example.com.cert -days 3650 -subj /CN=example.com` from http://ishan.co/ssl-vagrant-local – Nick Manning Jun 15 '17 at 22:36
  • Hmmm.... hard to say... If you're on a Mac, you should be able to [try my way of generating the certs](https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate/43666288#43666288)... which I actually use in exactly the same way as ishan.co does, which is kind of cool ;-) – Brad Parks Jun 15 '17 at 23:27
  • "supply an extra parameter to openssl" To which command specifically? There are multiple steps involved and this answer is too vague: https://www.ibm.com/support/knowledgecenter/en/SSWHYP_4.0.0/com.ibm.apimgmt.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html – user145400 Jul 18 '17 at 19:52
  • @user145400 - you can use the sample scripts linked at the bottom of the answer to see how this works in detail. It'd be something like the following, but requires more detail, which those scripts address: `openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout device.key -subj SUBJECT="/C=CA/ST=None/L=NB/O=None/CN=www.yourdomain.com" -out device.csr` – Brad Parks Jul 19 '17 at 11:43
  • I'm getting `error loading the config file 'v3.ext'`. What could I be doing wrong? – Yajairo87 Aug 23 '18 at 18:09
  • @Yajairo87 - did you change the `DNS.1 = %%DOMAIN%%` line to whatever domain you're trying to create a cert for? – Brad Parks Aug 23 '18 at 18:11
48

The following solution worked for me on Chrome 65 (ref):

Create an OpenSSL config file (example: req.cnf):

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = www.company.com
[v3_req]
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.company.com
DNS.2 = company.com
DNS.3 = company.net

Create the certificate referencing this config file:

openssl req -x509 -nodes -days 730 -newkey rsa:2048 \
 -keyout cert.key -out cert.pem -config req.cnf -sha256

Anshul
29

The Issue

As others have mentioned, the NET::ERR_CERT_COMMON_NAME_INVALID error occurs because the generated certificate does not include the SAN (subjectAltName) field.

RFC 2818 has deprecated falling back to the commonName field since May 2000. Chrome has enforced the use of the subjectAltName field since version 58 (see Chrome 58 deprecations).

OpenSSL accepts x509v3 configuration files to add extended configurations to certificates (see the subjectAltName field for configuration options).

Bash Script

I created a self-signed-tls bash script with straightforward options to make it easy to generate certificate authorities and sign x509 certificates with OpenSSL (valid in Chrome using the subjectAltName field).

The script will guide you through a series of questions to include the necessary information (including the subjectAltName field). You can reference the README.md for more details and options for automation.

Be sure to restart Chrome after installing new certificates:

chrome://restart

Other Resources

  • The Docker documentation has a great straightforward example for creating a self-signed certificate authority and signing certificates with OpenSSL.
  • cfssl is also a very robust tool that is widely used and worth checking out.
  • mkcert is a tool written in GoLang. It seems simple to use and great for local development.
Logan
  • You should add the script here and explain it. – jww Dec 28 '17 at 17:50
  • Seems like a nice script. But a script does not (directly) supply a real answer as to what the OP's problem is. Maybe explain what his issue is as well. – B. Shea Jan 21 '19 at 21:19
6

Here is a very simple way to create an IP certificate that Chrome will trust.

The ssl.conf file...

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
commonName                  = 192.168.1.10

[ req_ext ]
subjectAltName = IP:192.168.1.10

Where, of course, 192.168.1.10 is the local network IP we want Chrome to trust.

Create the certificate:

openssl genrsa -out key1.pem
openssl req -new -key key1.pem -out csr1.pem -config ssl.conf
openssl x509 -req -days 9999 -in csr1.pem -signkey key1.pem -out cert1.pem -extensions req_ext -extfile ssl.conf
rm csr1.pem

On Windows, import the certificate into the Trusted Root Certificate Store on all client machines. On an Android phone or tablet, download the certificate to install it. Now Chrome will trust the certificate on Windows and Android.

On a Windows dev box, the best place to get openssl.exe is "c:\Program Files\Git\usr\bin\openssl.exe".

AQuirky
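As an added example (not code from this answer, the accepted one, or any linked script), the following shell script ties the two approaches together: it runs the accepted answer's two-step flow (key, CSR, then `openssl x509 -req`) with `-extfile` on the `x509` step, which is the command that accepts it, as the comment thread there worked out, and writes the extension file with either `DNS.n` or `IP.n` entries so it also covers the IP-address certificate shown in this answer. It then checks the result the way a client does: is a SAN present at all, and does it cover the name or address being connected to? The function names, file names, `dev.example.test`, `alt.example.test` and `10.0.0.5` are all constructed for the example; the only assumption is an `openssl` CLI on PATH.

```shell
#!/bin/sh
# Added example, not code from any answer on this page.
# Two-step self-signed certificate with DNS and/or IP SANs, plus client-side checks.
# Assumes the openssl CLI is on PATH; every hostname and address here is a constructed sample.
set -eu

# write_v3_ext FILE ENTRY...   ENTRY is DNS:host or IP:address; writes an extension file
# in the same shape as the accepted answer's v3.ext, one numbered line per entry.
write_v3_ext() {
  file=$1; shift
  dns=0; ip=0
  {
    echo 'basicConstraints = CA:FALSE'
    echo 'keyUsage = digitalSignature, keyEncipherment'
    echo 'extendedKeyUsage = serverAuth'
    echo 'subjectAltName = @alt_names'
    echo '[alt_names]'
    for entry in "$@"; do
      case $entry in
        DNS:*) dns=$((dns + 1)); echo "DNS.$dns = ${entry#DNS:}" ;;
        IP:*)  ip=$((ip + 1));   echo "IP.$ip = ${entry#IP:}" ;;
        *) echo "unknown SAN type in '$entry' (use DNS: or IP:)" >&2; return 1 ;;
      esac
    done
  } >"$file"
}

# make_cert DIR NAME CN [EXTFILE]   -> DIR/NAME.key, DIR/NAME.csr, DIR/NAME.crt
# Omitting EXTFILE reproduces the broken certificate from the question: CN only, no SAN.
make_cert() {
  dir=$1; name=$2; cn=$3; ext=${4:-}
  # Minimal request config so the CSR step does not depend on a system openssl.cnf
  # ("unable to find 'distinguished_name' in config" is what you get without one).
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$cn" >"$dir/$name.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/$name.cnf" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  if [ -n "$ext" ]; then
    # -extfile belongs here, on the signing step, not on `openssl req -new`
    openssl x509 -req -days 365 -sha256 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
      -out "$dir/$name.crt" -extfile "$ext" 2>/dev/null
  else
    openssl x509 -req -days 365 -sha256 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
      -out "$dir/$name.crt" 2>/dev/null
  fi
}

# san_of CERT   prints the SAN line, e.g. "DNS:dev.example.test, IP Address:10.0.0.5";
# prints nothing when the extension is missing (Chrome's "Subject Alternative Name Missing").
san_of() {
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
}

# accepted_for CERT NAME   succeeds only if CERT, trusted as its own root, is valid for NAME
# (an IPv4 literal is checked against iPAddress entries, anything else against dNSName).
# Caveat: unlike Chrome, openssl still falls back to the CN when the cert has no SAN at all,
# so use san_of for that case and accepted_for for name mismatches.
accepted_for() {
  case $2 in
    *[!0-9.]*) openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1 ;;
    *)         openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1 ;;
  esac
}

# Usage: sh san_cert.sh OUTDIR NAME DNS:host [DNS:other|IP:addr ...]
if [ $# -ge 3 ]; then
  out=$1; name=$2; first=$3; shift 2
  write_v3_ext "$out/v3.ext" "$@"
  make_cert "$out" "$name" "${first#*:}" "$out/v3.ext"
  echo "subjectAltName: $(san_of "$out/$name.crt")"
fi
```

Run it as `sh san_cert.sh ./out dev DNS:dev.example.test DNS:alt.example.test IP:10.0.0.5` and it prints the SAN line of the certificate it just wrote; `accepted_for out/dev.crt alt.example.test` then tells you whether a given name would match. The CN is set to the first SAN so the two never disagree, and the `.crt` still has to be imported into the OS or browser trust store as the answers above describe, since the SAN only cures ERR_CERT_COMMON_NAME_INVALID, not ERR_CERT_AUTHORITY_INVALID.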
4

I simply use the -subj parameter, adding the machine's IP address, so it's solved with one command only.

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -sha256 -subj '/CN=my-domain.com/subjectAltName=DNS.1=192.168.0.222/' -keyout my-domain.key -out my-domain.crt

You can add other attributes like C, ST, L, O, OU and emailAddress to generate certs without being prompted.

Ludwig
  • Doesn't work for me. It seems Chrome doesn't recognize **SAN** this way. – mononoke Aug 31 '17 at 06:35
  • I got "problems making Certificate Request" on OpenSSL 1.1.0b using this command. – Rick Sep 25 '17 at 19:46
  • For me (Windows) a slightly different syntax worked: `openssl.exe req -x509 -sha256 -newkey rsa:2048 -keyout certificate.key -out certificate.crt -days 365 -nodes -subj "/CN=my.domain.com" -addext "subjectAltName=DNS:my.domain.com"` IIS then needs the `*.pfx` format: `openssl.exe pkcs12 -export -out certificate.pfx -inkey certificate.key -in certificate.crt` – Štěpán Dec 13 '19 at 07:22
4
  • Make a copy of your OpenSSL config in your home directory:

    cp /System/Library/OpenSSL/openssl.cnf ~/openssl-temp.cnf
    

    or on Linux:

    cp /etc/ssl/openssl.cnf ~/openssl-temp.cnf
    
  • Add a Subject Alternative Name to openssl-temp.cnf, under [v3_ca]:

    [ v3_ca ]
    subjectAltName = DNS:localhost
    

    Replace localhost with the domain for which you want to generate that certificate.

  • Generate certificate:

    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -config ~/openssl-temp.cnf \
        -keyout /path/to/your.key -out /path/to/your.crt
    

You can then delete openssl-temp.cnf.

Vic Seedoubleyew
4

I had so many issues getting self-signed certificates working on macOS/Chrome. Finally I found mkcert, "A simple zero-config tool to make locally trusted development certificates with any names you'd like." https://github.com/FiloSottile/mkcert

Anthony
  • It works on my Windows 10 in the new Chrome too. Though I had to copy the .pem files from the default Windows\system32 folder to another one, because Nginx can't access this folder. – vatavale May 21 '20 at 19:57
1

I was able to get rid of net::ERR_CERT_AUTHORITY_INVALID by changing the DNS.1 value of the v3.ext file:

[alt_names]
DNS.1 = domainname.com

Replace domainname.com with your own domain.

Jun See
0

On Mac, starting from Chrome version 67.0.3396.99, my self-signed certificate stopped working.

Regenerating it with everything written here didn't work.

UPDATE

I had a chance to confirm that my approach works today :). If it doesn't work for you, make sure you are using this approach:

v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = <specify-the-same-common-name-that-you-used-while-generating-csr-in-the-last-step>

Copied from here: https://ksearch.wordpress.com/2017/08/22/generate-and-import-a-self-signed-ssl-certificate-on-mac-osx-sierra/

END UPDATE

I was finally able to see the green "Secure" only when I removed my cert from System and added it to the local keychain (if there is one, drop it first). Not sure if it matters, but in my case I downloaded the certificate via Chrome and verified that the creation date is today, so it is the one I've just created.

Hope it will be helpful for someone who has spent a day on it.

Never update Chrome!

user2932688
0

Updated June 2021 - Windows 10 - Chrome v91 answer is here

orszaczky
0

I was able to create a self-signed certificate that fixed that error using the following PowerShell command:

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt -subj "/C=$countryCode/ST=$stateCode/L=$city/O=$company/CN=$cn" -addext "subjectAltName=DNS:$cn"

where the PowerShell variables could be, for example:

$countryCode: US
$stateCode: FL
$city: Miami
$company: NewCo
$cn: my.domain.here

and if you need the PFX version of the cert (to use in nginx, for example), just run this openssl command to convert the CRT created above to PFX:

openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt

rsc
-2

If you want to run your server on localhost, you need to set CN = localhost and DNS.1 = localhost.

[req]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = v3_req

[req_distinguished_name]
C = BR
CN = localhost
emailAddress=contact@example.com
L = Sao Paulo
O = example.com
OU = example.com
ST = Sao Paulo

[v3_req]
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost