

Generate SSL Certificate with Subject Alternative Name (SAN) to Fix HTTPS Errors in Chrome and OkHttp

This article is currently an experimental machine translation and may contain errors. If anything is unclear, please refer to the original Chinese version. I am continuously working to improve the translation.

Previously, I set up IPv6 DDNS to access the HTTP server on my home AIO from the external network.

Since it’s for personal use only, I decided to go with a self-signed certificate. However, after generating the certificate following online tutorials and importing it into Chrome, I encountered the error ERR_CERT_COMMON_NAME_INVALID. Similarly, OkHttp threw Hostname xxx is not verified.

After some research, I found out this was due to the missing Subject Alternative Name (SAN) extension in the certificate. Many online guides for generating self-signed certificates with SAN are flawed. Eventually, I found a working solution and documented it here.

0x00 Preparation

Create a new directory, navigate into it, and make sure the openssl command is available.

0x01 Create Configuration File

On older OpenSSL releases the SAN extension cannot be set from command-line arguments alone (OpenSSL 1.1.1 and later accept -addext "subjectAltName=DNS:example1.com", but the configuration-file approach works everywhere), so we use a configuration file.

Create a file named openssl.cnf and paste the following content:

[ req ]
default_bits = 4096
# Ignored when -keyout is given on the command line, as it is in the command below.
default_keyfile = private/ca.key
distinguished_name = req_distinguished_name
# req_ext applies to a CSR (openssl req without -x509);
# x509_ext applies to a self-signed certificate (openssl req -x509), which is what this post generates.
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)
emailAddress = Email Address

countryName_default = CN
stateOrProvinceName_default = Jiangsu
localityName_default = Suzhou

[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
# List every name the server is reached by. Wildcards are allowed (DNS.2 below).
# A bare IP address is not a DNS name: put it in as IP.1 = <address> instead.
DNS.1 = example1.com
DNS.2 = *.example2.com

Remember to change the example domains in the [ alt_names ] section to your actual domain names. The rest can remain unchanged.

0x02 Self-sign and Generate Certificate

Run the following command:
openssl req -x509 -newkey rsa:4096 -sha256 -utf8 -days 3650 -nodes -config ./openssl.cnf -keyout ./server.key -out ./server.crt

Follow the prompts to enter the required information. Once completed, the certificate will be generated successfully. Replace the existing certificate on your HTTPS server with the newly generated one.

0x03 Done

On Windows, double-click the .crt file and install it into the Trusted Root Certification Authorities store. You’ll find that Chrome now connects to your site without showing any certificate errors.
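The whole procedure above, from writing the configuration file to checking the result, as an added shell script that is not part of the original post. It generates the certificate non-interactively (prompt = no plus fixed DN values instead of the prompts), then confirms that the SAN extension is present and that hostname verification, the check Chrome and OkHttp perform, succeeds for the intended names and fails for names the certificate does not cover, including the bare domain of a wildcard entry. The host names, the DN values (C/ST/L/O) and the file names are illustrative; OpenSSL 1.1.1 or later is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not the post's own script: the SAN-certificate procedure
# as a non-interactive script plus the checks to run before installing it.
# Assumes OpenSSL 1.1.1+ on PATH; names and DN values below are illustrative.
set -e

# Write an openssl.cnf equivalent to the one in the post to $1. The SAN
# entries come from the remaining arguments; the first one is also used as
# the CN. prompt = no makes `openssl req` read the DN from the file.
write_cnf() {
    cnf=$1
    shift
    first=$1
    {
        cat <<EOF
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
x509_extensions = x509_ext
string_mask = utf8only
prompt = no

[ req_distinguished_name ]
C = CN
ST = Jiangsu
L = Suzhou
O = Home AIO
CN = $first

[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
# Not in the post's config; marks the certificate as a TLS server certificate.
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
EOF
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } >"$cnf"
}

# Generate key and self-signed certificate in one step, the same command the
# post uses. 2048-bit RSA keeps the run short; the post uses rsa:4096.
gen_cert() {
    openssl req -x509 -newkey rsa:2048 -sha256 -utf8 -days 3650 -nodes \
        -config "$1" -keyout "$2" -out "$3" >/dev/null 2>&1
}

# Print the SAN entries of certificate $1, e.g.
# "DNS:example1.com, DNS:*.example2.com". Prints nothing when the extension
# is missing, which is the certificate Chrome rejects with
# ERR_CERT_COMMON_NAME_INVALID.
san_of() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | sed 's/^[[:space:]]*//'
}

# Succeed if certificate $1 is valid for host name $2: the RFC 6125 match
# against the SAN list (once a SAN is present the CN is not consulted).
# `openssl x509 -checkhost` only prints its verdict, so grep for it.
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Run as `sh san-cert.sh run` to write openssl.cnf, server.key and server.crt
# into the current directory and report which names the certificate covers.
if [ "${1:-}" = run ]; then
    write_cnf openssl.cnf example1.com '*.example2.com'
    gen_cert openssl.cnf server.key server.crt
    echo "SAN: $(san_of server.crt)"
    for h in example1.com www.example2.com example2.com other.example; do
        if host_matches server.crt "$h"; then
            echo "$h: covered"
        else
            echo "$h: NOT covered"
        fi
    done
fi
```

Note that *.example2.com covers www.example2.com but not example2.com itself; if the bare domain is also used, it needs its own DNS.n entry.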

This article is licensed under the CC BY-NC-SA 4.0 license.

Author: lyc8503, Article link: https://blog.lyc8503.net/en/post/self-signed-cert-with-san/