I followed this tutorial for creating Signed SSL certificates on Windows for development purposes, and it worked great for one of my domains (I'm using the hosts file to simulate DNS). Then I figured that I have a lot of subdomains, and that it would be a pain in the ass to create a certificate for each of them. So I tried creating a certificate using a wildcard in Common field as suggested in some of the answers at serverfault. Like this:
Common Name: *.myserver.net/CN=myserver.net
However, after importing this certificate into Trusted Root Certification Authority, I'm getting a NET::ERR_CERT_COMMON_NAME_INVALID error in Chrome, for the main domain and all of its subdomains, for example: https://sub1.myserver.net and https://myserver.net.
This server could not prove that it is myserver.net; its security certificate is from *.myserver.net/CN=myserver.net.
This may be caused by a misconfiguration or an attacker intercepting your connection.
Is there something wrong in Common Name field that is causing this error?
The most basic cause of the NET::ERR_CERT_COMMON_NAME_INVALID error is that your site's domain doesn't match the common name listed on your SSL certificate. So, the first fix you'll want to try is viewing your certificate to determine if it's been misconfigured.
Go to Site Tools > Security > SSL Manager. Select the subdomain from the Select Domain dropdown and choose the desired type of SSL. Click Install.
Chrome 58 has dropped support for certificates without Subject Alternative Names.
Moving forward, this might be another reason for you encountering this error.
A workaround is to add the domain names you use as "subjectAltName" (X509v3 Subject Alternative Name). This can be done by changing your OpenSSL configuration (/etc/ssl/openssl.cnf on Linux) and modifying the v3_req section to look like this:
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = myserver.net
DNS.2 = sub1.myserver.net
With this in place, do not forget to use the -extensions v3_req switch when generating your new certificate. (See also How can I generate a self-signed certificate with SubjectAltName using OpenSSL?)
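An added example (not code from the question or the answers above) that mimics SAN-only hostname checking to show which names each certificate layout covers. It goes beyond the answer's config by also testing a wildcard SAN entry; the hosts sub2.myserver.net and a.sub1.myserver.net, the function names, and the rule rejecting "*.tld" patterns are assumptions made for illustration.

```python
"""Added example: SAN-only hostname matching (CN is ignored, as in Chrome 58+)."""

def name_matches(pattern: str, host: str) -> bool:
    """Compare one SAN dNSName entry with a hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False                      # "*" never spans zero or several labels
    if p[0] == "*":
        # Simplification: require two fixed labels so "*.net" is never accepted.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def audit(san_dns, hosts, common_name=None):
    """Map each hostname to True/False. common_name is deliberately unused."""
    return {h: any(name_matches(s, h) for s in san_dns) for h in hosts}

def alt_names_section(names):
    """Render names as the [alt_names] block referenced by subjectAltName."""
    return "\n".join(["[alt_names]"] +
                     [f"DNS.{i} = {n}" for i, n in enumerate(names, 1)])

# The first two hosts are from the page; the last two are constructed.
HOSTS = ["myserver.net", "sub1.myserver.net",
         "sub2.myserver.net", "a.sub1.myserver.net"]

if __name__ == "__main__":
    cases = {
        "CN only, no SAN (the question)": ([], "*.myserver.net/CN=myserver.net"),
        "SAN list from the answer": (["myserver.net", "sub1.myserver.net"], None),
        "apex + wildcard SAN": (["myserver.net", "*.myserver.net"], None),
    }
    for label, (san, cn) in cases.items():
        print(label)
        for host, ok in audit(san, HOSTS, cn).items():
            print(f"  {host:22} {'ok' if ok else 'COMMON_NAME_INVALID'}")
    print(alt_names_section(["myserver.net", "*.myserver.net"]))
```

The wildcard entry covers exactly one label, so the apex domain needs its own DNS entry and deeper names such as a.sub1.myserver.net remain uncovered.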