Chrome 58+ requires Subject Alternative Name to be present in the SSL certificate for the domain name you want to secure. This is supposed to be a replacement for Common Name, which has some security holes (like being able to define a certificate for *.co.uk, which is not possible with SAN).
I’ll be using MacOS and OpenSSL v1.1.1d installed via brew.
Recent OpenSSL versions add the basicConstraints=critical,CA:TRUE x509v3 SAN extension by default, which prevents such generated certificate to work in Chrome 58+. We need to disable that first.
Edit /usr/local/etc/openssl@1.1/openssl.cnf (your path may vary) and comment the following line:
[ req ]
# x509_extensions = v3_ca # The extensions to add to the self signed certAnd then you are off to generate the certificate. I’ll be using the *.example.net domain name here.
/usr/local/Cellar/openssl@1.1/1.1.1d/bin/openssl req \
-x509 \
-newkey rsa:4096 \
-sha256 \
-days 7000 \
-nodes \
-out cert.pem \
-keyout key.pem \
-subj "/C=US/O=Org/CN=*.example.net" \
-addext "basicConstraints=critical,CA:FALSE" \
-addext "authorityKeyIdentifier=keyid,issuer" \
-addext "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment" \
-addext "subjectAltName=DNS:example.net,DNS:*.example.net"This will generate two files. key.pem, which is the private key, without passphrase and cert.pem, which is the actual certificate.
Verify that the actual certificate has required x509v3 SAN extensions:
$ openssl x509 -in cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
70:4c:28:...
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Org, CN=*.example.net
Validity
Not Before: Oct 2 15:48:10 2019 GMT
Not After : Dec 1 15:48:10 2038 GMT
Subject: C=US, O=Org, CN=*.example.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:a7:b5:01...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
DirName:/C=US/O=Org/CN=*.example.net
serial:70:4C:...
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Subject Alternative Name:
DNS:example.net, DNS:*.example.net
Signature Algorithm: sha256WithRSAEncryption
59:1d:96:...
The last step is to import the certificate (cert.pem) into the keychain (I’m using the login keychain) and trust it.
So easy. So hard.
