Menu
I followed this answer to make https://localhost:3000/ work in Chrome & Mac. Today, it suddenly does not work anymore.
https://localhost:3000 gives Not Secure:
Subject Alternative Name Missing The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address. I re-trusted this certificate by following the previous steps, which didn't help. Then I saw this answer, about remaking ssl keys.
So I made v3.ext:
authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = localhost Then,
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -sha256 -extfile v3.ext However, it returns
unknown option -extfile req [options] <infile >outfile where options are -inform arg input format - DER or PEM -outform arg output format - DER or PEM ... ... Does anyone know what's wrong with my openssl command?
Otherwise, does anyone know how to fix this Subject Alternative Name Missing or NET::ERR_CERT_COMMON_NAME_INVALID error?
Edit 1: I tried to follow this answer and here is my example-com.conf:
[ req ] default_bits = 2048 default_keyfile = server-key.pem distinguished_name = subject req_extensions = req_ext x509_extensions = x509_ext string_mask = utf8only # The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description). # Its sort of a mashup. For example, RFC 4514 does not provide emailAddress. [ subject ] countryName = Country Name (2 letter code) countryName_default = US stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = NY localityName = Locality Name (eg, city) localityName_default = New York organizationName = Organization Name (eg, company) organizationName_default = Example, LLC # Use a friendly name here because its presented to the user. The server's DNS # names are placed in Subject Alternate Names. Plus, DNS names here is deprecated # by both IETF and CA/Browser Forums. If you place a DNS name here, then you # must include the DNS name in the SAN too (otherwise, Chrome and others that # strictly follow the CA/Browser Baseline Requirements will fail). commonName = Common Name (e.g. server FQDN or YOUR name) commonName_default = Example Company emailAddress = Email Address emailAddress_default = [email protected] # Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ... [ x509_ext ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer # You only need digitalSignature below. *If* you don't allow # RSA Key transport (i.e., you use ephemeral cipher suites), then # omit keyEncipherment because that's key transport. basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "OpenSSL Generated Certificate" # RFC 5280, Section 4.2.1.12 makes EKU optional # CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused # In either case, you probably only need serverAuth. # extendedKeyUsage = serverAuth, clientAuth # Section req_ext is used when generating a certificate signing request. I.e., openssl req ... [ req_ext ] subjectKeyIdentifier = hash basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "OpenSSL Generated Certificate" # RFC 5280, Section 4.2.1.12 makes EKU optional # CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused # In either case, you probably only need serverAuth. # extendedKeyUsage = serverAuth, clientAuth [ alternate_names ] DNS.1 = localhost # IPv4 localhost IP.1 = 127.0.0.1 # IPv6 localhost IP.2 = ::1 Then, I did
openssl req -config example-com.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout example-com.key.pem -days 365 -out example-com.cert.pem Reopen https://localhost:3000 in Chrome gives me
localhost uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH Can anyone help?
865
Yes, you need to include each of the subject alternate names and the subject/common name in the Subject Alternate Names section of the CSR. Some certificate authorities will allow you to update a certificate to add new SANs to it, but this always requires an updated CSR.
To add a Subject Alternative NameSelect SSL Certificates and then select Manage for the certificate you want to change. Select Change Subject Alternative Names. For Add a domain, enter the SAN you want to add and then select Add.
The Subject Alternative Name (SAN) is an extension to the X. 509 specification that allows users to specify additional host names for a single SSL certificate. The use of the SAN extension is standard practice for SSL certificates, and it's on its way to replacing the use of the common name.
The newest version of Google Chrome 58 requires that certificates specify the hostname(s) to which they apply in the SubjectAltName field. The error, Security certificate does not specify subject alternative names trigger if the certificate does not have the correct SubjectAlternativeName extension.
I suggest the following solution: create self-signed CA certificate and the web server certificate signed by this CA. When you install this small chain to your web server it will work with Chrome.
Create configuration file for your CA MyCompanyCA.cnf with contents (you can change it to your needs):
[ req ] distinguished_name = req_distinguished_name x509_extensions = root_ca [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) localityName = Locality Name (eg, city) 0.organizationName = Organization Name (eg, company) organizationalUnitName = Organizational Unit Name (eg, section) commonName = Common Name (eg, fully qualified host name) commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 [ root_ca ] basicConstraints = critical, CA:true Create the extensions configuration file MyCompanyLocalhost.ext for your web server certificate:
subjectAltName = @alt_names extendedKeyUsage = serverAuth [alt_names] DNS.1 = localhost DNS.2 = mypc.mycompany.com Then execute the following commands:
openssl req -x509 -newkey rsa:2048 -out MyCompanyCA.cer -outform PEM -keyout MyCompanyCA.pvk -days 10000 -verbose -config MyCompanyCA.cnf -nodes -sha256 -subj "/CN=MyCompany CA" openssl req -newkey rsa:2048 -keyout MyCompanyLocalhost.pvk -out MyCompanyLocalhost.req -subj /CN=localhost -sha256 -nodes openssl x509 -req -CA MyCompanyCA.cer -CAkey MyCompanyCA.pvk -in MyCompanyLocalhost.req -out MyCompanyLocalhost.cer -days 10000 -extfile MyCompanyLocalhost.ext -sha256 -set_serial 0x1111 As result you will get MyCompanyCA.cer, MyCompanyLocalhost.cer and MyCompanyLocalhost.pvk files that you can install to the web server.
How to check that it works with Chrome before installing certificates to the web server. Execute the following command on your local PC to run web server simulator:
openssl s_server -accept 15000 -cert MyCompanyLocalhost.cer -key MyCompanyLocalhost.pvk -CAfile MyCompanyCA.cer -WWW Then you can access this page at https://localhost:15000/ You will see an error that MyCompanyLocalhost.cer is not trusted, if you want to eliminate this error also - then install MyCompanyCA.cer to the certificate trusted list of your OS.
134
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
