
Self Signed Certificates ( with SAN )

This is a post on creating self-signed certificates that include a SAN (Subject Alternative Name).

As of Google Chrome version 58, if your self-signed certificate does not include a SAN, you will get an error similar to this:

Subject Alternative Name Missing The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

Certificate Error There are issues with the site’s certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).

So we are going to do the following:

  • Make some config changes to openssl.cnf
  • Re-generate the SSL key and certificate
  • Update Apache with the location of the new key and certificate and restart Apache
  • Remove the old trusted root cert from Chrome and import the new one

I am doing this on CentOS 7 with the following OpenSSL library installed:

  • CentOS Linux release 7.3.1611 (Core)
  • OpenSSL 1.0.1e-fips 11 Feb 2013
  • OpenSSL config file: /etc/pki/tls/openssl.cnf

To make sure you are modifying the right config file, put some garbage into it and run the openssl command. If it fails, you have the right file.

OpenSSL config changes

Under the [ CA_default ] section, un-comment:

# Extension copying option: use with caution.
copy_extensions = copy

Under the [ req ] section, check the value of x509_extensions (mine says x509_extensions = v3_ca).

Search for the [ v3_ca ] section (or whatever section x509_extensions points to) and add the line below to it:

subjectAltName = @alt_names

Create a new section [alt_names] and put this in it (change localhost.com to your local domain):

[alt_names]
DNS.1 = localhost.com

If you want to use an IP address instead of a DNS name, then use the following instead:

[alt_names]
IP.1 = 192.168.10.19

Save and exit.

Re-generate the SSL key and certificate

openssl genrsa -out server.key 3072

# modify the number of days as required and provide the details of Country, CN etc. when prompted
openssl req -new -x509 -key server.key -sha256 -out certificate.pem -days 730

# You can check the certificate using
openssl x509 -in certificate.pem -text -noout

You should be able to see the following lines:
Version: 3 (0x2)
X509v3 Subject Alternative Name:
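The same procedure as a single script, added here as an example and not part of the original post: instead of editing the system openssl.cnf it writes its own config and passes it with -config, which works on OpenSSL 1.0.1e as well. The file and section names san.cnf, v3_san and alt_names, and the sample values localhost.com and 192.168.10.19, are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate a self-signed certificate
# whose SAN lists both a DNS name and an IP address, then check the extension.
# A private config is passed with -config, so the system openssl.cnf stays untouched.
# san.cnf, v3_san, alt_names and the sample values are placeholders.
set -eu

# gen_san_cert OUTDIR DNSNAME IPADDR
# Writes OUTDIR/server.key and OUTDIR/certificate.pem (same names as in the post).
gen_san_cert() {
  outdir=$1; dnsname=$2; ipaddr=$3
  mkdir -p "$outdir"
  cat > "$outdir/san.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_san
prompt             = no

[ dn ]
C  = US
CN = $dnsname

[ v3_san ]
# CA:TRUE mirrors the stock v3_ca section, so the cert can be imported as a trusted root
basicConstraints = CA:TRUE
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = $dnsname
IP.1  = $ipaddr
EOF
  openssl genrsa -out "$outdir/server.key" 3072 2>/dev/null
  openssl req -new -x509 -sha256 -days 730 -config "$outdir/san.cnf" \
    -key "$outdir/server.key" -out "$outdir/certificate.pem"
}

# cert_has_san CERT ENTRY
# Succeeds if ENTRY (e.g. "DNS:localhost.com" or "IP Address:192.168.10.19")
# appears in the certificate's X509v3 Subject Alternative Name extension.
cert_has_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Subject Alternative Name' | grep -q "$2"
}

# Demo when run as a script: sh san-cert.sh OUTDIR [DNSNAME] [IPADDR]
if [ $# -ge 1 ]; then
  gen_san_cert "$1" "${2:-localhost.com}" "${3:-192.168.10.19}"
  cert_has_san "$1/certificate.pem" "DNS:${2:-localhost.com}" && echo "SAN present"
fi
```

Point Apache at OUTDIR/server.key and OUTDIR/certificate.pem exactly as with the hand-made files; the cert_has_san check is the scripted form of looking for the X509v3 Subject Alternative Name line above.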

Wrapping up

  • In Chrome, go to Settings, SSL and remove any previous certificates.
  • Then visit your site over https.
  • Chrome will throw a warning.
  • We need to add our self-signed cert to Chrome's trusted root authorities so that Chrome will trust it.
  • Press F12 – Security – View Certificate – Copy to File – save it to your computer.
  • Go to Settings – SSL – Manage Certificates – Trusted Root Certificate Authorities – Import.
  • Import the certificate you just saved.
  • Completely close Chrome, open it again and try the https site.
  • Try rebooting the machine if Chrome still complains.
  • If it still does not work, then something went wrong somewhere.
  • Check what OS and package versions you are using and whether the commands/paths require a change.
