Chrome 58+ requires the Subject Alternative Name (SAN) extension to be present in the TLS certificate for the domain name you want to secure. Matching on SAN replaces matching on the Common Name, which has some security holes (like being able to define a certificate for *.co.uk, which is not possible with
I’ll be using macOS and OpenSSL v1.1.1d installed via brew.
The default openssl.cnf shipped with recent OpenSSL versions applies the v3_ca extension section to every self-signed certificate produced by "openssl req -x509". That section adds CA-style extensions (basicConstraints = critical,CA:true among them) that clash with the extensions we pass on the command line below, and the resulting certificate does not work in Chrome 58+. We need to disable that first.

Open openssl.cnf (the path depends on how OpenSSL was installed; "openssl version -d" prints the directory the binary reads it from) and comment out the x509_extensions line in the [ req ] section, so that it reads:

[ req ]
# x509_extensions = v3_ca # The extensions to add to the self signed cert

Keep in mind that editing the global config changes the behaviour of every other program using that OpenSSL build. The less invasive option is to leave the file alone and point "openssl req" at a private copy with -config.
Then you are ready to generate the certificate. I’ll be using the *.example.net domain name here. Note that the openssl being invoked must be the brew-installed 1.1.1d binary (under /usr/local/Cellar), not the one bundled with macOS, which is LibreSSL and does not understand -addext; "openssl version" shows which one is first in your PATH.

openssl req \
    -x509 \
    -newkey rsa:4096 \
    -sha256 \
    -days 7000 \
    -nodes \
    -out cert.pem \
    -keyout key.pem \
    -subj "/C=US/O=Org/CN=*.example.net" \
    -addext "basicConstraints=critical,CA:FALSE" \
    -addext "authorityKeyIdentifier=keyid,issuer" \
    -addext "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment" \
    -addext "subjectAltName=DNS:example.net,DNS:*.example.net"

Two caveats if you are on a current Apple system. Since iOS 13 and macOS 10.15, Apple requires TLS server certificates issued after July 1, 2019 to be valid for no more than 825 days and to carry an extendedKeyUsage extension containing serverAuth. The command above does neither (-days 7000 and no EKU), so Safari and anything else that goes through the system trust store will reject the certificate no matter how it is trusted in the keychain. If that matters to you, use -days 825 (or less) and add -addext "extendedKeyUsage=serverAuth".
This generates two files: key.pem, the private key (unencrypted, because of -nodes), and cert.pem, the actual certificate.
Verify that the certificate carries the X509v3 Subject Alternative Name extension with both names:

$ openssl x509 -in cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            70:4c:28:...
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Org, CN=*.example.net
        Validity
            Not Before: Oct  2 15:48:10 2019 GMT
            Not After : Dec  1 15:48:10 2038 GMT
        Subject: C=US, O=Org, CN=*.example.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a7:b5:01...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                DirName:/C=US/O=Org/CN=*.example.net
                serial:70:4C:...
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                DNS:example.net, DNS:*.example.net
    Signature Algorithm: sha256WithRSAEncryption
         59:1d:96:...

Because the command set no subjectKeyIdentifier, the authority key identifier falls back to the issuer name and serial number; for a self-signed certificate that extension is optional anyway.
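The same procedure as an added example, not code from the original post: a POSIX shell script that builds the certificate from a private -config file (so the global openssl.cnf stays untouched and -addext is not needed, which also makes it work with the LibreSSL bundled on macOS), adds the extendedKeyUsage and 825-day validity that Apple's verifier expects, and then checks the result the way the x509 -text inspection above does, plus the hostname matching that actually decides whether a browser's name check passes. The domain, file names, DN values and function names are my choices, not the page's; the only assumption is an openssl binary on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed cert with SAN for
# one domain plus its wildcard, generated from a private req config instead
# of an edited global openssl.cnf, then checked for SAN and hostname match.
# Assumes: `openssl` on PATH (OpenSSL 1.1.1+ or LibreSSL). Names are mine.
set -eu

# Write a minimal req config. The x509_extensions key here is what the
# stock openssl.cnf points at v3_ca; pointing it at our own section is the
# clean way to get CA:FALSE + SAN without touching the system file.
write_config() {
    domain="$1"; out="$2"
    cat > "$out" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_server

[ dn ]
C = US
O = Org
CN = *.${domain}

[ v3_server ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${domain}, DNS:*.${domain}
EOF
}

# Generate an RSA key and a self-signed cert valid for 825 days, the
# maximum Apple accepts for TLS server certs since macOS 10.15 / iOS 13.
generate_cert() {
    domain="$1"; keyfile="$2"; certfile="$3"
    cfg="$(mktemp)"
    write_config "$domain" "$cfg"
    openssl req -x509 -newkey rsa:2048 -sha256 -days 825 -nodes \
        -config "$cfg" -keyout "$keyfile" -out "$certfile"
    rm -f "$cfg"
}

# Succeeds if the SAN extension lists exactly the given DNS name.
# Mirrors the manual `openssl x509 -text` inspection, but splits the
# comma-separated SAN line so `example.net` cannot match `example.network`.
has_san_dns() {
    certfile="$1"; name="$2"
    openssl x509 -in "$certfile" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -q -x -F "DNS:${name}"
}

# Succeeds if OpenSSL's RFC 6125 host matching (X509_check_host) accepts
# the name for this cert. A wildcard covers exactly one DNS label, so
# a.b.example.net is NOT covered by *.example.net.
matches_host() {
    certfile="$1"; name="$2"
    openssl x509 -in "$certfile" -noout -checkhost "$name" | grep -q 'does match'
}

# Usage: sh mkcert.sh example.net   -> writes key.pem and cert.pem in the cwd
if [ "$#" -eq 1 ]; then
    generate_cert "$1" key.pem cert.pem
    has_san_dns cert.pem "$1" && has_san_dns cert.pem "*.$1" \
        && echo "SAN ok: DNS:$1, DNS:*.$1"
    for h in "www.$1" "$1" "a.b.$1"; do
        openssl x509 -in cert.pem -noout -checkhost "$h"
    done
fi
```

Running it prints the SAN confirmation followed by the three -checkhost verdicts; the last one ("a.b.example.net does NOT match certificate") is the reason to list the bare domain as a separate SAN entry rather than relying on the wildcard alone.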
The last step is to import the certificate (cert.pem) into the keychain (I’m using the login keychain) and trust it.
So easy. So hard.