Posted on 2017-06-09
Chrome 58 now requires the Common Name of a certificate to also be present in its list of subject alternative names. This follows RFC 2818, which changes the way the commonName in certificates is matched. More information here: https://www.chromestatus.com/feature/4981025180483584
At work, I own my own CA, so I can sign my own certificates and use them wherever I need to. My main purpose is to avoid those boring warning messages related to self-signed certificates. Of course, I have to import my CA certificate into my browser (so it can trust me even though they are self-signed).
I use the small bash script below to generate my certificates automatically, in a way that is compatible with the Chrome 58 requirements:
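```bash
# Hostname the certificate is issued for (used as the CN and as the SAN entry)
NAME=vtmtmp.docker

# OpenSSL config: the v3_req section carries the subjectAltName extension
cat <<EOF >"${NAME}.cnf"
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]
C = FR
ST = Ile de France
L = Paris
O = MySelf
OU = Systems Engineering
CN = ${NAME}

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = ${NAME}
EOF

# Generate the private key
openssl genrsa -out "${NAME}.key" 2048

# Create the certificate signing request
openssl req -new -key "${NAME}.key" -out "${NAME}.csr" -nodes -sha256 -subj "/CN=${NAME}" -config "${NAME}.cnf"

# Sign the CSR with the CA. -extensions/-extfile are required here:
# "x509 -req" does not copy extensions from the CSR by default.
openssl x509 -req -in "${NAME}.csr" -CA root.pem -CAkey ca.key -CAcreateserial -out "${NAME}.crt" -days 3650 -extensions v3_req -extfile "${NAME}.cnf"

# Bundle certificate and private key into one PEM file
cat "${NAME}.crt" "${NAME}.key" > "${NAME}.pem"
```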
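To confirm that the signed certificate (and not only the CSR) actually carries the CN in its subjectAltName, the check below parses `openssl x509 -noout -text` output. It is an added example, not part of the original script; the function names and the embedded sample outputs (including the issuer name "Example Root CA") are constructed for illustration, and the comparison is an exact, case-insensitive match without wildcard handling.

```shell
#!/usr/bin/env bash
# Added example, not from the original post.
# Reads `openssl x509 -noout -text` output on stdin and checks that the
# subject CN also appears as a DNS entry in subjectAltName.

# Print the subject CN (handles both "CN=x" and "CN = x" output styles).
cert_cn() {
  sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*$/\1/p' | head -n 1
}

# Print one DNS subjectAltName entry per line.
cert_san_dns() {
  awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
    tr ',' '\n' | sed -n 's/^ *DNS: *//p'
}

# Exit status: 0 = CN listed in SAN, 1 = CN missing from SAN, 2 = no CN found.
check_cn_in_san() {
  local text cn sans
  text=$(cat)
  cn=$(printf '%s\n' "$text" | cert_cn)
  sans=$(printf '%s\n' "$text" | cert_san_dns)
  if [ -z "$cn" ]; then
    echo "ERROR: no CN found in subject" >&2; return 2
  fi
  if printf '%s\n' "$sans" | grep -Fxqi -- "$cn"; then
    echo "OK: CN '$cn' is listed in subjectAltName"
  else
    echo "FAIL: CN '$cn' not in subjectAltName (found: ${sans:-none})" >&2
    return 1
  fi
}

# Constructed samples: abbreviated `openssl x509 -text` output.
SAMPLE_WITH_SAN='Certificate:
    Data:
        Issuer: CN = Example Root CA
        Subject: CN = vtmtmp.docker
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:vtmtmp.docker, DNS:www.vtmtmp.docker'
SAMPLE_WITHOUT_SAN='Certificate:
    Data:
        Issuer: CN = Example Root CA
        Subject: CN = vtmtmp.docker'

# Real use, after running the generation script:
#   openssl x509 -in "${NAME}.crt" -noout -text | check_cn_in_san
```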