
As the title says. I'm starting to add Service Workers to a site, and in order to work they require a valid SSL cert. I've had my local dev server delivering over https with a self-signed cert for a while, albeit with Chrome giving the "Not secure" message that I've just been ignoring until now. I've seen a lot of similar questions on here (using localhost), but nothing matching my exact setup (using virtual hosts on localhost), and nothing I've tried has worked.

I'll describe my setup:

  • This is for a local dev machine. I don't need anything super secure. I just need Chrome to trust it.
  • My dev stack is Apache on Windows 10 (running PHP and ColdFusion).
  • I have multiple sites set up locally (127.0.0.1) with Apache virtual hosts, e.g.:
  • To get https working on each of those I used the Win64 OpenSSL v.1.1.0e installer from Shining Light Productions and set up a certificate for each domain in my Apache httpd-vhosts.conf.
  • I used the following to create my cert: `openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 -keyout michael.domain1.key -out michael.domain1.crt -subj "/C=US/ST=Michigan/L=SomeCity/O=CompanyName/OU=Dev/CN=michael.domain1.com"`
  • I opened up the .crt file my virtual host is using and installed it to the Windows Trusted Root Certification Authorities.
  • (All of this up until this point has been working fine. I can access the site over https://michael.domain1.com, but I see Chrome's "Not secure" message.)

In Chrome Dev Tools Security tab, I have two errors:

  • Subject Alternative Name Missing: The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.
    • How do I add this? But also for my setup, what do I use for the value? Is it supposed to be michael.domain1.com?
  • Certificate Error: There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).
    • Is michael.domain1.com not the correct value for this? Am I adding it in the right place with my openssl command above?

Thank you.

    ***`CN=www.example.com`*** is probably wrong. Hostnames always go in the *SAN*. If it's present in the *CN*, then it must be present in the *SAN* too (you have to list it twice in this case). For more rules and reasons, see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) You will also need to place the self-signed certificate in the appropriate trust store. – jww May 26 '17 at 12:36

1 Answer


I finally got it! This somewhat buried comment by Drakes is what helped me generate proper cert files using a .sh file. I'm not exactly sure what did it for me in the end, but I did end up with slightly different named files than I had before. I now have michael.domain1.com.cer instead of michael.domain1.cer. The new cert file fixed the Subject Alternative Name Missing and the ERR_CERT_COMMON_NAME_INVALID errors in Chrome Dev Tools Security tab, but I did have a new error about it being an untrusted authority. I then imported the same file a couple different ways into the Trusted Root Authority using both Windows and Chrome itself (you can import them from Chrome under Settings > Advanced > Manage certificates > Import). After I rebooted Apache one final time and closed and reopened Chrome, everything worked.

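The question's `openssl req` command has no way to emit a Subject Alternative Name, which is exactly what Chrome complains about. The script below is an added example (not from the question, the answer, or the linked comment): it writes a small OpenSSL config carrying `subjectAltName = DNS:<host>`, generates the key and self-signed cert with that config, and then checks that the SAN actually landed in the certificate. The hostname, subject fields and output file names are placeholders taken from the question.

```shell
#!/bin/sh
# Added example: self-signed dev cert with the hostname in both CN and SAN.
set -e

CERT_HOST="${1:-michael.domain1.com}"   # placeholder hostname from the question

# Write a minimal OpenSSL config. The [v3_req] section is what adds the
# SAN extension; without it, "openssl req -x509" produces a CN-only cert.
write_san_config() {
  host="$1"; out="$2"
  cat > "$out" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no

[dn]
C  = US
ST = Michigan
L  = SomeCity
O  = CompanyName
OU = Dev
CN = $host

[v3_req]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Same options as the question's command, plus -config so the SAN is added.
make_cert() {
  host="$1"
  write_san_config "$host" "$host.cnf"
  openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 \
    -keyout "$host.key" -out "$host.crt" -config "$host.cnf"
}

# Returns 0 only if the cert's text dump lists DNS:<host> (i.e. SAN present).
san_present() {
  openssl x509 -in "$2" -noout -text | grep -qF "DNS:$1"
}

make_cert "$CERT_HOST"
san_present "$CERT_HOST" "$CERT_HOST.crt" && echo "SAN present for $CERT_HOST"
```

Point the Apache vhost at the generated `.key`/`.crt` pair and import the `.crt` into the Windows Trusted Root store, as the question already does; the SAN is what clears the ERR_CERT_COMMON_NAME_INVALID error.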