brent timothy saner on 26 Jun 2019 07:28:26 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Chrome and Certificates (WAS:Fwd: Confused - certificate is valid in IE/Edge but not in Chrome?)

On 6/26/19 9:40 AM, Michael Leone wrote:
> For Chrome 58 and later, only the subjectAlternativeName extension,
> not commonName, is used to match the domain name and site certificate.
> The certificate subject alternative name can be a domain name or IP
> address. If the certificate doesn’t have the correct
> subjectAlternativeName extension, users get a
> NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that the
> connection isn’t private. If the certificate is missing a
> subjectAlternativeName extension, users see a warning in the Security
> panel in Chrome DevTools that lets them know the subject alternative
> name is missing.
> So I have to fix my openssl config, so that it adds those SANs
> (sugbjectAlternateNames). Problem is, all the examples I find for "alt
> names" seem to hardcode a name in the config file. Can that be right?

Yep. Not even "can"; "is".
FWIW, I believe you can tell openssl to include any SANs in the CSR
automatically (but you'd still need to define those in the config used
to generate the CSR).

> Shouldn't the SAN be the same as the common name of the cert?

Yep. Plus any additional names you want the issued cert to be valid for.

> What am
> I not getting, about this? Example:
> [alt_names]
> DNS.1 =
> DNS.2 =
> DNS.3 =
> DNS.4 =
> DNS.5 =
> DNS.6 =
> That's all fine, if you're issuing a cert for "". :-) So
> how do you tell it to use the common name, as at least one of the
> alternates??

You put it in the config file. 🙃 Usually DNS.1 is the CN. (If memory
serves, you can use a variable for the CN.) For bare domain certs (e.g.
domain.tld), I'd recommend also adding a www.domain.tld SAN.

But you're starting to see why people tend to use automated methods for
this. I'm glad to see you're learning the hard way first (especially
since it's something I suggested[0]), but yeah - openssl is painful when
it comes to SANs.

What *most* people do when using openssl is maintain separate
openssl.cnf files, one for each cert to issue, and specify that at the
commandline for the CSR creation and certificate issuance.


Attachment: signature.asc
Description: OpenPGP digital signature

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --