
As of latest Chrome 60+, if there is no SAN, it throws ERROR on HTTPS pages. OpenSSL command line doesn't add these extensions.

DarkGhostHunter



Nevermind, figured out myself.

OpenSSL CLI allows the -subj flag to set up information about the Certificate Authority (CA), but adding the Subject Alternative Names (SAN) cannot be done from the command line. So I had to resort to calling -config followed by the file I want to load as a simple configuration. For creating Self-Signed Certificates this should suffice, but not for production:

# ./config/tiny_openssl.conf
[CA_default]
# read only by `openssl ca`; harmless here, not needed for `openssl req -x509`
copy_extensions = copy

[req]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
# section whose extensions are added to the certificate when -x509 is given
x509_extensions = v3_ca

[req_distinguished_name]
C = US
ST = Washington
L = Seattle
O = My Company
OU = IT Department
emailAddress = it@mycompany.com
CN = mycompany.com

[v3_ca]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
# the SAN list Chrome insists on; entries come from the section below
subjectAltName = @alternate_names

[alternate_names]
DNS.1 = localhost
DNS.2 = *.localhost
DNS.3 = app.localhost
# ...

The [alternate_names] values must match the URL of the site (or sites) served over SSL by the generated certificate. Something like localhost or app.localhost can work. Then we fire OpenSSL using this config.

$ openssl req -x509 -newkey rsa:4096 -sha256 -utf8 -days 365 -nodes \
    -config ./config/tiny_openssl.conf \
    -keyout ./certificates/private.key \
    -out ./certificates/ssl/certificate.crt

Added this .crt file in Windows 10 under Trusted Root Certificate Authorities, restarted Chrome and the web server, and voilà.

If you are worried about performance in the HTTP transaction, you can change the RSA key to 2048 bits.

This may work only for internal testing between a server and a browser. If you need a more complete and reliable solution with 100% valid SSL Certificates, you should make a CA and a CSR and then sign the CSR with that CA, which will come out as a valid self-signed certificate:

https://stackoverflow.com/a/21494483/647490

DarkGhostHunter
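As an added example that is not part of the answer: a POSIX shell script that builds a certificate from a trimmed copy of the config above and then runs the two checks that matter, whether the SAN extension actually landed in the certificate and whether OpenSSL accepts the certificate for a given hostname. It assumes `openssl` 1.1.1 or later on PATH; the paths, the `v3_leaf` section name and the sample names are my own. Note that once a SAN is present, the CN-only name `mycompany.com` is rejected, which is the browser behaviour the question describes.

```shell
#!/bin/sh
# Added example (not from the answer): build a SAN-bearing self-signed cert from a
# trimmed copy of the answer's config, then run the checks a browser effectively runs.
# Assumes `openssl` 1.1.1+ on PATH; every path and name below is constructed here.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CONF="$WORKDIR/tiny_openssl.conf"; KEY="$WORKDIR/private.key"; CRT="$WORKDIR/certificate.crt"

write_config() {
  cat > "$CONF" <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_leaf

[req_distinguished_name]
C = US
O = My Company
CN = mycompany.com

[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, DNS:app.localhost
EOF
}

# Same command shape as the answer; -nodes leaves the key unencrypted (test use only).
make_cert() {
  write_config
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -config "$CONF" -keyout "$KEY" -out "$CRT" 2>/dev/null
}

# Print the SAN extension so you can see it was really embedded (empty if it was not).
san_of() { openssl x509 -in "$CRT" -noout -ext subjectAltName | tail -n +2 | tr -d ' '; }

# 0 if the cert verifies for the given hostname with itself as the trust anchor, which
# is what importing it as a trusted root does. With a SAN present, the CN is ignored.
valid_for() { openssl verify -CAfile "$CRT" -verify_hostname "$1" "$CRT" >/dev/null 2>&1; }

make_cert
echo "SAN: $(san_of)"
valid_for app.localhost && echo "app.localhost: accepted"
valid_for mycompany.com || echo "mycompany.com: rejected (CN only, no SAN entry)"
```

Run it after editing the config, and add every hostname you serve to `subjectAltName` until `valid_for` accepts each one.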
  • Thanks, this worked :) On Mac generate the .crt file like above, link it in your https ssl config, restart your Apache. Then also double click the .crt file to "Add to Keychain", then double click the installed certificate and expand the "Trust" section and select "Always trust", restart Chrome, and "voilà" – kontur Jan 24 '18 at 21:13
  • Here are some of my lessons learned: if you have only one domain, you can use the syntax `subjectAltName = DNS:your.domain`. You can also attach the `[ v3_ca ]` section to a copy of your openssl.cnf file; multiple section instances will then be merged. In answers at other places, the parameters `-extensions ... -extfile ...` are suggested as an alternative. However, this only works for `openssl ca`, but `openssl req` does not know `-extfile`. Thanks @DarkGhostHunter, I got it to work to self-sign my certificates on MacOS and use them in the Chrome browser via the system cert store now. – Richard Kiefer Aug 07 '19 at 09:03