Bedis9 website

Chrome 58 and SAN certificates requirements

Posted on 2017-06-09

Chrome 58 now imposes that the Common Name of a certificate to be available in the list of the alternative names. This is because of RFC2818, which changes the way to match the commonName in certificates. More information here:

At work, I own my own CA, so I can sign my own certificates and use them wherever I need to. My main purpose is to avoid those boring warning messages related to self signed certificates. Of course, I have to import my CA certificate into my browser (so it can trust me despite they are self signed).

I use the small bash script below to generate my certificates automatically and compatible with Chrome 58 requirements:


cat <<EOF >${NAME}.cnf
req_extensions = v3_req
distinguished_name = req_distinguished_name

C = FR
ST = Ile de France
L = Paris
O = MySelf
OU = Systems Engineering
CN = ${NAME}

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

DNS.1 = ${NAME}

openssl genrsa -out ${NAME}.key 2048
openssl req -new -key ${NAME}.key -out ${NAME}.csr -nodes -sha256 -subj "/CN=${NAME}" -config ${NAME}.cnf
openssl x509 -req -in ${NAME}.csr -CA root.pem -CAkey ca.key -CAcreateserial -out ${NAME}.crt -days 3650 -extensions v3_req -extfile ${NAME}.cnf
cat ${NAME}.crt ${NAME}.key > ${NAME}.pem