Chrome 58 and up requires a certificate to have a valid subjectAlternativeName (SAN) entry; a hostname that appears only in the Common Name is no longer accepted.
This is to conform with an 18-year-old RFC describing HTTP over TLS connections.
To generate a CSR with a SAN entry using OpenSSL:

- Create a text file "servername.cnf" containing the CSR parameters (the req_extensions line is what makes OpenSSL include the SAN in the request):

    [ req ]
    default_bits = 2048
    prompt = no
    default_md = sha256
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    [ req_distinguished_name ]
    C = BE
    ST = ANTWERPEN
    L = ANTWERPEN
    O = ACME
    CN = servername.acme.local
    [ req_ext ]
    subjectAltName = @alt_names
    [alt_names]
    # each additional hostname or alias gets its own DNS.n entry
    DNS.1 = servername.acme.local
    DNS.2 = servername.acme.local

- Create the CSR and private key with OpenSSL using the text file:

    openssl.exe req -out servername.csr -newkey rsa:2048 -nodes -keyout servername.key -config servername.cnf

  This creates servername.csr, which has to be signed by the CA, and the private key servername.key (-nodes leaves the key unencrypted on disk, so restrict access to that file).

- When you receive the .cer/.crt/.pem in Base64 (PEM) format from the CA, you can create a certificate chain in this file by appending the intermediate certificate and the root certificate in the following order:

    -----BEGIN CERTIFICATE-----
    (Your server certificate: servername.crt)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Intermediate CA .crt content)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Root CA .crt content)
    -----END CERTIFICATE-----

- If your application requires the public and private key in a single .pfx file, you can combine them with:

    openssl.exe pkcs12 -export -out servername.pfx -inkey servername.key -in servername.crt

  This results in a servername.pfx file which is password protected (you are prompted for the export password).
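As an added example (not from the original post), the same steps in POSIX shell with the checks worth running before the request goes to the CA: that the CSR actually carries the SAN entries, and that it belongs to the generated private key. It assumes openssl is on PATH; the second DNS entry (the short hostname "servername") is a constructed value, not from the post.

```shell
# Added example (not from the original post): write the SAN config inline,
# generate key + CSR, then verify the CSR carries the SAN before sending it to the CA.
set -eu
WORK="${WORK:-$(mktemp -d)}"

write_cnf() {
  # Same layout as the post's servername.cnf; DNS.2 is a constructed short-hostname
  # alias showing how each additional name gets its own DNS.n entry.
  cat > "$WORK/servername.cnf" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
C = BE
ST = ANTWERPEN
L = ANTWERPEN
O = ACME
CN = servername.acme.local
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = servername.acme.local
DNS.2 = servername
EOF
}

make_csr() {
  # Equivalent of the post's "openssl req" step; -nodes leaves the key unencrypted.
  openssl req -out "$WORK/servername.csr" -newkey rsa:2048 -nodes \
    -keyout "$WORK/servername.key" -config "$WORK/servername.cnf" 2>/dev/null
}

csr_sans() {
  # Print the CSR's SAN line without spaces, e.g. "DNS:servername.acme.local,DNS:servername".
  openssl req -in "$WORK/servername.csr" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

csr_matches_key() {
  # Confirm the public key embedded in the CSR is the one from servername.key.
  [ "$(openssl req -in "$WORK/servername.csr" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/servername.key" -pubout)" ]
}

write_cnf && make_csr
echo "CSR SANs: $(csr_sans)"
csr_matches_key && echo "CSR public key matches servername.key"
```

A CSR whose SAN line is missing here would produce a certificate Chrome 58+ rejects, so this is the point to catch a config mistake rather than after the CA has signed it.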