Self signed certificates that Chrome will accept
Starting with version 58 in 2017, Chrome only accepts certificates that define the domain name not only in the commonName field of the certificate but also in the subjectAltName. By doing so they brought their implementation more in line with RFC 2818, as Mozilla had done with Firefox 48. Unfortunately some tools like the popular CA.pl script do not support the new field in a convenient manner. But you can generate self-signed certificates with CA.pl that newer Chrome and Firefox versions will accept. Here is how to monkeypatch the problem away.
The CA.pl script
The CA.pl script allows you to create and operate your own certificate authority for X.509 certificates, which you can then use for SSL encryption, mail encryption, secure logins or other purposes. Linux distributions like Debian and Ubuntu ship it in the OpenSSL package.
The basic workflow for creating a CA and an SSL certificate for a webserver goes like this:
# Create your CA
Just enter all the requested information. Make sure the common name of the certificate request matches the domain name you want to secure.
The subjectAlternativeName extension
Before Chrome 58 and Firefox 48 you would have ended up with a usable certificate using the instructions above. But now they require that the domain name is also listed as a subjectAltName in the certificate. At the time of writing this blog post, the CA.pl script does not deal with the
How can I add the subjectAltName to my certificate?
To add the subjectAltName to a certificate you have to specify it in the openssl.cnf config file before creating the certificate request. Unfortunately the CA.pl script will not do that for you while creating the certificate request, and you have to update the config file for every domain name. On Debian based systems you can find the config file in /usr/lib/ssl/openssl.cnf, on macOS with Homebrew it’s in /email@example.com/openssl.cnf. Go to the usr_cert section and add a subjectAltName entry that points at a placeholder section name. Then add a section with your placeholder name and a list of the domain names that your server might have.
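Here, as an added example that is not part of the original post, is a small Python script that makes that edit for you: it inserts the subjectAltName placeholder into the usr_cert section and appends an alt_names section with one DNS.n entry per domain, dropping any earlier one so you can rerun it for the next domain instead of editing by hand. The openssl.cnf excerpt and the section name alt_names are assumptions constructed for the demo; in practice read your real openssl.cnf, patch it and write it back before the request step.

```python
import re

# Constructed excerpt of a Debian-style openssl.cnf for the demo (not the real file).
SAMPLE_CNF = """\
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_req ]
basicConstraints = CA:FALSE
"""

SECTION_RE = re.compile(r"^\s*\[\s*([^\]\s]+)\s*\]")  # matches "[ usr_cert ]"
ALT_SECTION = "alt_names"  # assumed placeholder section name; any name works


def patch_openssl_cnf(cnf_text, domains, section="usr_cert"):
    """Put 'subjectAltName = @alt_names' into [section] and append an [alt_names]
    section with one DNS.n entry per domain; stale entries are dropped first."""
    if not domains:
        raise ValueError("at least one domain name is required")
    out, current, found = [], None, False
    for line in cnf_text.splitlines():
        if m := SECTION_RE.match(line):
            current = m.group(1)
            if current == ALT_SECTION:
                continue  # old [alt_names] header dropped, rebuilt below
            out.append(line)
            if current == section:
                found = True
                out.append(f"subjectAltName = @{ALT_SECTION}")
            continue
        if current == ALT_SECTION:
            continue  # old DNS.n entries dropped
        if current == section and line.strip().lower().startswith("subjectaltname"):
            continue  # stale placeholder line already replaced above
        out.append(line)
    if not found:
        raise ValueError(f"section [{section}] not found in config")
    out += ["", f"[ {ALT_SECTION} ]"] + [f"DNS.{i} = {d}" for i, d in enumerate(domains, 1)]
    return "\n".join(out) + "\n"


def san_domains(cnf_text):
    """Return the DNS.n values in [alt_names]: the commonName you type at the
    CA.pl prompt must be among them, or Chrome 58+ and Firefox 48+ still reject it."""
    current, names = None, []
    for line in cnf_text.splitlines():
        if m := SECTION_RE.match(line):
            current = m.group(1)
        elif current == ALT_SECTION and line.strip().startswith("DNS."):
            names.append(line.partition("=")[2].strip())
    return names
```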
Can I make this easier?
Depends. Just referencing the commonName in the openssl.cnf won’t work. openssl evaluates the config file first and only then prompts for the values on the command line. So the commonName you provide will never be used to fill the
You can ditch the CA.pl script and use OpenSSL directly. You can then specify the subjectAltName using the -addext parameter, available since OpenSSL 1.1.1. But of course you would then also have to remember the OpenSSL command lines for creating and signing certificates.
How can this be so hard?
Good question! I don’t have an answer. But apparently there are a lot of complaints around how OpenSSL handles the
For me, I just create one or two certificates a year so I can live with the workaround above.