Chrome 58+ requires Subject Alternative Name
to be present in the SSL certificate for the domain name you want to secure. This is supposed to be a replacement for Common Name
, which has some security holes (like being able to define a certificate for *.co.uk
, which is not possible with SAN
).
I’ll be using MacOS and OpenSSL v1.1.1d installed via brew.
Recent OpenSSL versions add the basicConstraints=critical,CA:TRUE
x509v3
SAN
extension by default, which prevents such generated certificate to work in Chrome 58+. We need to disable that first.
Edit /usr/local/etc/openssl@1.1/openssl.cnf
(your path may vary) and comment the following line:
[ req ] # x509_extensions = v3_ca # The extensions to add to the self signed cert
And then you are off to generate the certificate. I’ll be using the *.example.net
domain name here.
/usr/local/Cellar/openssl@1.1/1.1.1d/bin/openssl req \ -x509 \ -newkey rsa:4096 \ -sha256 \ -days 7000 \ -nodes \ -out cert.pem \ -keyout key.pem \ -subj "/C=US/O=Org/CN=*.example.net" \ -addext "basicConstraints=critical,CA:FALSE" \ -addext "authorityKeyIdentifier=keyid,issuer" \ -addext "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment" \ -addext "subjectAltName=DNS:example.net,DNS:*.example.net"
This will generate two files. key.pem
, which is the private key, without passphrase and cert.pem
, which is the actual certificate.
Verify that the actual certificate has required x509v3 SAN extensions:
$ openssl x509 -in cert.pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 70:4c:28:... Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Org, CN=*.example.net Validity Not Before: Oct 2 15:48:10 2019 GMT Not After : Dec 1 15:48:10 2038 GMT Subject: C=US, O=Org, CN=*.example.net Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:a7:b5:01... Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Authority Key Identifier: DirName:/C=US/O=Org/CN=*.example.net serial:70:4C:... X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment X509v3 Subject Alternative Name: DNS:example.net, DNS:*.example.net Signature Algorithm: sha256WithRSAEncryption 59:1d:96:...
The last step is to import the certificate (cert.pem
) into the keychain (I’m using the login
keychain) and trust it.
So easy. So hard.