I'm a web developer and want to test my websites locally with a self-signed SSL certificate.
Everything was working great until a few days ago, when Chrome started complaining about a missing AltName property.
OpenSSL CA
I've created my own authority using:
openssl req -x509 -sha256 -new -out dev.root.ca.crt -keyout dev.root.ca.key -days 3650
CNF
I've created an openssl.cnf file by adding those values to the default ones:
[ CA_default ]
copy_extensions = copy
[req]
req_extensions = v3_req
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = $ENV::ALTNAME
ALTNAME via shell
Then I use this command to generate a .csr and .key file:
set ALTNAME=DNS:dev.example.com
openssl req -newkey rsa:2048 -out dev.example.com.csr -pubkey -new -keyout dev.example.com.key -sha256 -config openssl.cnf
The generated csr file contains the alternative name as expected.
Altname does not make it from CSR into CRT
Then I use this command to generate the .crt and .key files:
openssl x509 -req -in dev.example.com.csr -CA dev.root.ca.crt -CAkey dev.root.ca.key -CAcreateserial -out dev.example.com.crt -days 3650 -sha256
But the alternative names are not present anymore in the generated crt file.
What now?
Do I need to add additional parameters to the openssl x509 -req command?
SubjectAltName now. Details in developer blog here: https://textslashplain.com/2017/03/10/chrome-deprecates-subject-cn-matching/ – StackzOfZtuff Apr 26 '17 at 14:00
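
Added example, not part of the original post or its comment: a POSIX shell reproduction of the setup in the question that signs the same CSR once with the question's `openssl x509 -req` command and once with `-extfile openssl.cnf -extensions v3_req` added, then checks each certificate for the SAN. The temporary directory, the `-subj` values, `-nodes`, the 30-day validity, the `[ v3_ca ]` section and the helper names `sign_csr`, `has_san` and `san_demo` are assumptions made for the demo.

```sh
#!/bin/sh
# Added example. File names, subjects and the SAN value are constructed samples.
# Needs the openssl CLI; everything happens in a throwaway directory.

sign_csr() {  # $1 = output cert, remaining args = extra options for "openssl x509 -req"
    out=$1; shift
    openssl x509 -req -in dev.example.com.csr -CA dev.root.ca.crt \
        -CAkey dev.root.ca.key -CAcreateserial -out "$out" -days 30 -sha256 "$@" 2>/dev/null
}

has_san() {  # succeeds if certificate $1 carries the expected DNS name
    openssl x509 -in "$1" -noout -text | grep -q 'DNS:dev.example.com'
}

san_demo() (  # subshell body: cd and exported variables do not leak to the caller
    cd "$(mktemp -d)" || exit 2
    export ALTNAME=DNS:dev.example.com   # must be set whenever openssl.cnf is parsed
    cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = v3_req
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = $ENV::ALTNAME
EOF
    openssl req -x509 -sha256 -new -newkey rsa:2048 -nodes -config openssl.cnf \
        -extensions v3_ca -subj "/CN=Dev Root CA" \
        -out dev.root.ca.crt -keyout dev.root.ca.key -days 30 2>/dev/null || exit 2
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config openssl.cnf \
        -subj "/CN=dev.example.com" \
        -out dev.example.com.csr -keyout dev.example.com.key 2>/dev/null || exit 2

    # 1) Same signing command as in the question: CSR extensions are not copied.
    sign_csr plain.crt || exit 2
    # 2) Same command plus -extfile/-extensions: v3_req is applied at signing time.
    sign_csr fixed.crt -extfile openssl.cnf -extensions v3_req || exit 2

    has_san plain.crt && plain=present || plain=missing
    has_san fixed.crt && fixed=present || fixed=missing
    echo "plain=$plain fixed=$fixed"
)

san_demo   # prints: plain=missing fixed=present
```

`copy_extensions = copy` in `[ CA_default ]` is read by `openssl ca`, not by `openssl x509 -req`, which is why the SAN in the CSR is dropped. OpenSSL 3.0 and later also accept `-copy_extensions copy` on `openssl x509 -req`.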