brent timothy saner on 26 Jun 2019 07:28:26 -0700
Re: [PLUG] Chrome and Certificates (WAS:Fwd: Confused - certificate is valid in IE/Edge but not in Chrome?)
- From: brent timothy saner <brent.saner@gmail.com>
- To: plug@lists.phillylinux.org
- Subject: Re: [PLUG] Chrome and Certificates (WAS:Fwd: Confused - certificate is valid in IE/Edge but not in Chrome?)
- Date: Wed, 26 Jun 2019 10:28:12 -0400
- Openpgp: id=748231EBCBD808A14F5E85D28C004C2F93481F6B
- Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
- Sender: "plug" <plug-bounces@lists.phillylinux.org>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
On 6/26/19 9:40 AM, Michael Leone wrote:
> For Chrome 58 and later, only the subjectAlternativeName extension,
> not commonName, is used to match the domain name and site certificate.
> The certificate subject alternative name can be a domain name or IP
> address. If the certificate doesn’t have the correct
> subjectAlternativeName extension, users get a
> NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that the
> connection isn’t private. If the certificate is missing a
> subjectAlternativeName extension, users see a warning in the Security
> panel in Chrome DevTools that lets them know the subject alternative
> name is missing.
>
> So I have to fix my openssl config, so that it adds those SANs
> (subjectAlternativeNames). Problem is, all the examples I find for "alt
> names" seem to hardcode a name in the config file. Can that be right?
>
Yep. Not even "can"; "is".
FWIW, I believe you can tell openssl to include any SANs in the CSR
automatically (but you'd still need to define those in the config used
to generate the CSR).
> Shouldn't the SAN be the same as the common name of the cert?
Yep. Plus any additional names you want the issued cert to be valid for.
> What am
> I not getting, about this? Example:
> https://wiki.cacert.org/FAQ/subjectAltName
>
> [alt_names]
> DNS.1 = server1.example.com
> DNS.2 = mail.example.com
> DNS.3 = www.example.com
> DNS.4 = www.sub.example.com
> DNS.5 = mx.example.com
> DNS.6 = support.example.com
>
>
> That's all fine, if you're issuing a cert for "example.com". :-) So
> how do you tell it to use the common name, as at least one of the
> alternates??
You put it in the config file. 🙃 Usually DNS.1 is the CN. (If memory
serves, you can use a variable for the CN.) For bare domain certs (e.g.
domain.tld), I'd recommend also adding a www.domain.tld SAN.
But you're starting to see why people tend to use automated methods for
this. I'm glad to see you're learning the hard way first (especially
since it's something I suggested[0]), but yeah - openssl is painful when
it comes to SANs.
What *most* people do when using openssl is maintain separate
openssl.cnf files, one for each cert to issue, and specify that at the
commandline for the CSR creation and certificate issuance.
[0] http://lists.netisland.net/archives/plug/plug-2019-06/msg00038.html
Attachment:
signature.asc
Description: OpenPGP digital signature
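The thread above describes the problem (a static `[alt_names]` section, and a wish to have the CN land in the SAN list without retyping it) but stops short of a working config. The script below is an added example, not code from the original message or from the PLUG list. It generates the `openssl.cnf` on the fly so that `DNS.1` is always the CN (pulled in through OpenSSL's `${ENV::CERT_CN}` expansion, the "variable for the CN" mentioned in the reply), appends any further names as `DNS.N`/`IP.N`, creates the key and CSR, and then self-signs in a way that keeps the SANs. The hostnames, the `192.0.2.10` address and all file paths are illustrative; it assumes OpenSSL 1.1.1 or later on `PATH`.

```shell
#!/bin/sh
# Added example; not code from the original thread. Builds a key + CSR whose CN and
# SAN list come from the caller rather than being hard-coded in a static openssl.cnf,
# then self-signs it while keeping the SANs, and checks both files for the extension.
# Assumptions: OpenSSL 1.1.1 or later on PATH; every path and hostname is illustrative.
set -e

# Print the subjectAltName value of a CSR (kind=req) or certificate (kind=x509);
# prints an empty line if the file carries no SAN extension.
san_line() {
  kind=$1; file=$2
  openssl "$kind" -in "$file" -noout -text 2>/dev/null \
    | grep -A1 'X509v3 Subject Alternative Name' | tail -n1 | sed 's/^[[:space:]]*//'
}

# has_dns_san KIND FILE NAME -- succeed only if FILE has a SAN list containing DNS:NAME.
has_dns_san() {
  case $(san_line "$1" "$2") in
    *"DNS:$3"*) return 0 ;;
    *)          return 1 ;;
  esac
}

# gen_san_csr OUTDIR CN [EXTRA_SAN ...]
# EXTRA_SAN is a bare hostname (becomes DNS.N) or IP:a.b.c.d (becomes IP.N).
# Writes OUTDIR/openssl-csr.cnf, OUTDIR/key.pem and OUTDIR/csr.pem; returns 0 only
# if the resulting CSR carries a SAN extension that includes the CN.
gen_san_csr() {
  outdir=$1; cn=$2; shift 2
  mkdir -p "$outdir"
  cfg=$outdir/openssl-csr.cnf

  # The CN is written once, as ${ENV::CERT_CN}; openssl expands that while parsing
  # the config, so the same file serves any hostname and DNS.1 is always the CN.
  CERT_CN=$cn; export CERT_CN
  cat > "$cfg" <<'EOF'
[ req ]
prompt             = no
default_md         = sha256
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = ${ENV::CERT_CN}

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = ${ENV::CERT_CN}
EOF
  i=2
  for san in "$@"; do
    case $san in
      IP:*) printf 'IP.%d = %s\n'  "$i" "${san#IP:}" >> "$cfg" ;;
      *)    printf 'DNS.%d = %s\n' "$i" "$san"       >> "$cfg" ;;
    esac
    i=$((i + 1))
  done

  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$outdir/key.pem" -out "$outdir/csr.pem" -config "$cfg" 2>/dev/null
  has_dns_san req "$outdir/csr.pem" "$cn"
}

# self_sign OUTDIR CN -- issue OUTDIR/cert.pem from the CSR made by gen_san_csr.
# A bare `openssl x509 -req -signkey` does not carry the CSR's requested extensions
# into the certificate, which is one way a CN-only cert ends up in front of Chrome.
# Passing the same config as -extfile/-extensions writes the SAN list into the cert.
self_sign() {
  outdir=$1; cn=$2
  CERT_CN=$cn; export CERT_CN   # the extfile references ${ENV::CERT_CN} as well
  openssl x509 -req -days 30 -in "$outdir/csr.pem" -signkey "$outdir/key.pem" \
    -extfile "$outdir/openssl-csr.cnf" -extensions v3_req -out "$outdir/cert.pem" 2>/dev/null
  has_dns_san x509 "$outdir/cert.pem" "$cn"
}

# Demo with constructed names: `sh thisfile.sh demo`
if [ "${1-}" = demo ]; then
  d=$(mktemp -d)
  gen_san_csr "$d" example.com www.example.com IP:192.0.2.10
  self_sign "$d" example.com
  san_line x509 "$d/cert.pem"
  rm -rf "$d"
fi
```

Once the CSR is in hand, `openssl req -in csr.pem -noout -text | grep -A1 'Subject Alternative Name'` is the quick check that the SAN block actually made it in before the request goes to a CA; `san_line` above is just that check wrapped in a function so the same test can be run on the issued certificate.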
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug