Starting with version 58 in 2017, Chrome only accepts certificates that define the domain name not only in the commonName field of the certificate but also in the subjectAltName extension. By doing so they brought their implementation more in line with RFC 2818, as Mozilla had already done with Firefox 48. Unfortunately some tools like the popular CA.pl script do not support the new field in a convenient manner. But you can generate self-signed certificates with CA.pl that newer Chrome and Firefox versions will accept. Here is how to monkeypatch the problem away.

The CA.pl script

The CA.pl script allows you to create and operate your own certificate authority for X.509 certificates, which you can then use for SSL encryption, mail encryption, secure logins and so on. Linux distributions like Debian and Ubuntu ship it in the OpenSSL package.

The basic workflow for creating a CA and an SSL certificate for a web server goes like this:

# Create your CA
./CA.pl -newca
# Create a certificate request
./CA.pl -newreq
# Sign the request using your CA
./CA.pl -sign
# Done

Just enter all the requested information. Make sure the common name of the certificate request matches the domain name you want to secure.

The subjectAlternativeName extension

Before Chrome 58 and Firefox 48 you would have ended up with a usable certificate using the instructions above. Now they require that the domain name is also listed as a subjectAltName in the certificate. At the time of writing this blog post, the CA.pl script does not deal with the subjectAltName at all.

How can I add the subjectAltName to my certificate?

To add the subjectAltName to a certificate you have to specify it in the openssl.cnf config file before creating the certificate request. Unfortunately the CA.pl script will not do that for you while creating the certificate request, and you have to update the file for every domain name. On Debian-based systems you can find the config file at /usr/lib/ssl/openssl.cnf; on macOS with Homebrew it is at /usr/local/etc/openssl@1.1/openssl.cnf. Go to the usr_cert section and add a subjectAltName entry that references a placeholder section. usr_cert is the extension section that openssl ca (which CA.pl -sign calls) applies when it signs, so the entry ends up in the signed certificate. Then add a section with that placeholder name and a list of the domain names your server might have.

subjectAltName=@alt_names

[alt_names]
DNS.1 = tnglab.fritz.box
DNS.2 = testlab.fritz.box

Can I make this easier?

It depends. Just referencing the commonName from within openssl.cnf won't work: openssl evaluates the config file first and only then prompts you for the values on the command line, so the commonName you type in can never be used to fill the subjectAltName.

You can ditch the CA.pl script and use OpenSSL directly. Since OpenSSL 1.1.1 you can then specify the subjectAltName with the -addext parameter of openssl req. But of course you then also have to remember the OpenSSL command lines for creating and signing certificates.
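As an added example (not code from the original post), here are the same three CA.pl steps done with plain OpenSSL commands: the domain goes into the SAN via -addext and via an extension file that mirrors the alt_names snippet above, and a final check confirms the signed certificate really carries the DNS entry. It assumes OpenSSL 1.1.1 or newer on PATH; the CA name and the output directory layout are made up.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a CA and a server
# certificate that carries the domain in both CN and SAN, then checks it.
# Assumes openssl 1.1.1 or newer on PATH; the CA name is made up.
set -e

# make_san_cert DOMAIN DIR: writes ca.pem, DOMAIN.key and DOMAIN.pem into DIR.
make_san_cert() {
    domain="$1"; dir="$2"
    mkdir -p "$dir"
    # 1. The CA, as CA.pl -newca would create it, but non-interactively.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Example Lab CA" 2>/dev/null
    # 2. The request (CA.pl -newreq). -addext records the SAN in the CSR.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$domain.key" -out "$dir/$domain.csr" \
        -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" 2>/dev/null
    # 3. Extension file mirroring the openssl.cnf snippet from the post.
    #    openssl x509 -req does not copy CSR extensions unless asked, so the
    #    SAN is supplied again here; this works on both 1.1.1 and 3.x.
    cat > "$dir/san.cnf" <<EOF
subjectAltName=@alt_names
[alt_names]
DNS.1 = $domain
EOF
    # 4. Sign with the CA (CA.pl -sign), applying the extension file.
    openssl x509 -req -days 365 -in "$dir/$domain.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.cnf" -out "$dir/$domain.pem" 2>/dev/null
}

# has_san CERT DOMAIN: succeeds only if DOMAIN is listed as a DNS SAN entry,
# which is the property Chrome 58+ and Firefox 48+ insist on.
has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -q "DNS:$2"
}
```

Run `make_san_cert tnglab.fritz.box ./out` and then `has_san ./out/tnglab.fritz.box.pem tnglab.fritz.box` to confirm the SAN is present before installing the certificate.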

How can this be so hard?

Good question! I don't have an answer. But apparently there are a lot of complaints about how OpenSSL handles the subjectAltName issue.

I only create one or two certificates a year, so I can live with the workaround above.