As of Chrome 58 it no longer accepts self-signed certs that rely on Common Name: https://productforums.google.com/forum/#!topic/chrome/zVo3M8CgKzQ;context-place=topicsearchin/chrome/category$3ACanary%7Csort:relevance%7Cspell:false
Instead it requires using Subject Alt Name. I have been previously following this guide on how to generate a self-signed cert: https://devcenter.heroku.com/articles/ssl-certificate-self which worked great because I required the server.crt and server.key files for what I'm doing. I now need to generate new certs that include the SAN, however all of my attempts to do so have not worked with Chrome 58.
Here is what I've done:
I followed the steps on the above mentioned Heroku article to generate the key. I then wrote a new OpenSSL config file:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = san
extensions = san
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Massachusetts
localityName = Boston
organizationName = MyCompany
[ san ]
subjectAltName = DNS:dev.mycompany.com
Then generated the server.crt with the following command:
openssl req \
-new \
-key server.key \
-out server.csr \
-config config.cnf \
-sha256 \
-days 3650
I'm on a Mac, so I opened the server.crt file with Keychain, added it to my System Certificates. I then set it to Always Trust.
With the exception of the config file to set the SAN value these were similar steps I used in prior versions of Chrome to generate and trust the self-signed cert.
However, after this I still get the ERR_CERT_COMMON_NAME_INVALID in Chrome 58.
Best Answer
My solution:
Status: Works for me
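
Added example, not part of the original question or answer: a bash sketch that builds a cert for dev.mycompany.com two ways and checks each one for the SAN. By default `openssl x509 -req` ignores extensions carried in a CSR, while `req -x509` applies the section named by `x509_extensions` or `-extensions`. The function names and work-directory layout are assumptions made for this sketch.

```shell
#!/usr/bin/env bash
# Added sketch: function names and file layout are hypothetical; the hostname
# and DN values are the ones from the question.

write_config() {            # $1 = config path, $2 = DNS name
  cat > "$1" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = san
x509_extensions    = san
[ dn ]
C  = US
ST = Massachusetts
L  = Boston
O  = MyCompany
CN = $2
[ san ]
subjectAltName = DNS:$2
EOF
}

# Two-step path: the CSR carries the SAN, but "x509 -req" without -extfile
# does not copy CSR extensions, so the resulting cert has none.
cert_via_csr() {            # $1 = work dir containing config.cnf
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/config.cnf" \
    -keyout "$1/csr.key" -out "$1/server.csr" 2>/dev/null &&
  openssl x509 -req -sha256 -days 3650 -in "$1/server.csr" \
    -signkey "$1/csr.key" -out "$1/no_san.crt" 2>/dev/null
}

# One-step path: "req -x509" emits the cert itself and applies [ san ].
cert_direct() {             # $1 = work dir containing config.cnf
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$1/config.cnf" -extensions san \
    -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Exit 0 only if the certificate lists DNS:<name> under subjectAltName.
cert_has_san() {            # $1 = cert path, $2 = DNS name
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | grep -qF "DNS:$2"
}
```

Running `cert_has_san server.crt dev.mycompany.com` before importing the file into Keychain shows whether the SAN actually made it into the certificate rather than only into the CSR.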