Self signed certificate no longer valid as of Chrome 58

[PaulTondeur]

It turns out that the Subject Alt Name property is missing in the certificate, resulting in Chrome that marks the certificate as insecure. The error in chrome is misleading (net::ERR_CERT_COMMON_NAME_INVALID), though according to this post it is about the Subject Alternative Name (SAN) that is missing.

[johnboxall]

Based on e97741c and https://security.stackexchange.com/a/91556 I believe this could be regenerated with something like:

openssl req \
    -newkey rsa:2048 \
    -x509 \
    -nodes \
    -keyout server.pem \
    -new \
    -out server.pem \
    -subj /CN=localhost \
    -reqexts SAN \
    -config <(cat /System/Library/OpenSSL/openssl.cnf \
        <(printf '[SAN]\nsubjectAltName=DNS:localhost')) \
    -sha256 \
    -days 3650

On OSX.

It also might be possible to take ssl/server.pem add run it through https://certificatetools.com/, then add an subjectAltName=DNS:localhost.

As part of this fix, it may be useful to commit the script used to generate the cert in case it needs to be regenerated again.

[ream88]

Apparently this fix works also for Chrome 57. Thx @johnboxall!

[jesstelford]

For those who may happen upon this via Google, I also had to set -extensions SAN to get @johnboxall's command to work:

openssl req \
    -newkey rsa:2048 \
    -x509 \
    -nodes \
    -keyout server.pem \
    -new \
    -out server.pem \
    -subj /CN=localhost \
    -reqexts SAN \
    -extensions SAN \
    -config <(cat /System/Library/OpenSSL/openssl.cnf \
        <(printf '[SAN]\nsubjectAltName=DNS:localhost')) \
    -sha256 \
    -days 3650

[stephanvierkant]

I've used that command, but still getting ERR_CERT_AUTHORITY_INVALID on Chrome 58. Adding it to Chrome doesn't work because of "Not a Certification Authority" error message.

Any idea how to fix this?

[ianfitzpatrick]

@stephanvierkant

I don't know what platform you are on, but assuming you are on OSX, you need to follow these instructions to manually trust self signed certificates.

http://www.robpeck.com/2010/10/google-chrome-mac-os-x-and-self-signed-ssl-certificates/#.WPpqZFKZNE4

FWIW I followed the instructions from @jesstelford above, then manually re-trusted the new certificate following instructions similar to above link, and I'm now all good.

My local dev server is running debian on a VM in my mac, so I did have to change /System/Library/OpenSSL/openssl.cnf to /usr/lib/ssl/openssl.cnf

I already had a key file, so here are the instructions above modified to use an existing key:

openssl req \
    -key server.local.key \
    -x509 \
    -nodes \
    -new \
    -out server.local.crt \
    -subj /CN=server.local \
    -reqexts SAN \
    -extensions SAN \
    -config <(cat /usr/lib/ssl/openssl.cnf \
        <(printf '[SAN]\nsubjectAltName=DNS:server.local')) \
    -sha256 \
    -days 3650

[chibisuke]

Time to migrate away from chrome.... with the latest update chrome is violating RFC2818.

[zijuexiansheng]

The methods above works for me with Chrome. But I ran into some new issues.

1. I cannot install the self-signed certificate on Firefox. And if I install it on iphone, it's not trusted.
2. I added basicConstraints=CA:TRUE,pathlen:0 to the openssl.cnf file. Not it works perfectly for iphone. I can also import it to firefox. But the problem is that I cannot load my webpage with firefox

Does anyone have some ideas on how to resolve the firefox issue?

[CreativeWolf]

Facing the same issue as @stephanvierkant mentioned here - #854 (comment)

Appreciate any work around for this please.

[lehne]

https://serverfault.com/questions/845766/generating-a-self-signed-cert-with-openssl-that-works-in-chrome-58
I used this method and it worked well.

[lewis617]

What about Windows? @johnboxall