Chrome 58 and later no longer fall back to the certificate's Common Name (CN) when checking that a server certificate belongs to the host being visited: the hostname must appear in the subjectAlternativeName (SAN) extension, otherwise Chrome rejects the connection with NET::ERR_CERT_COMMON_NAME_INVALID.
This brings Chrome in line with RFC 2818 (HTTP Over TLS, published in 2000), which already required clients to use the dNSName SAN entries when present and called the use of the Common Name deprecated.
To generate a CSR with a SAN entry using OpenSSL (the commands are shown as openssl.exe for Windows; on Linux or macOS drop the .exe):
- Create a text file "servername.cnf" containing the CSR parameters. The hostname in the CN must be repeated as a SAN entry, because browsers only look at the SAN list; add a DNS.2, DNS.3, ... line for every additional hostname the certificate must cover:

  [ req ]
  default_bits = 2048
  prompt = no
  default_md = sha256
  distinguished_name = req_distinguished_name
  req_extensions = req_ext

  [ req_distinguished_name ]
  C = BE
  ST = ANTWERPEN
  L = ANTWERPEN
  O = ACME
  CN = servername.acme.local

  [ req_ext ]
  subjectAltName = @alt_names

  [ alt_names ]
  DNS.1 = servername.acme.local

- Create the CSR and private key with OpenSSL using the text file:

  openssl.exe req -out servername.csr -newkey rsa:2048 -nodes -keyout servername.key -config servername.cnf

  This creates servername.csr, which has to be signed by the CA, and servername.key. Because of -nodes the private key is written unencrypted, so restrict access to that file (leave out -nodes if you want the key protected by a passphrase). Before sending the CSR, confirm the SAN actually made it in:

  openssl.exe req -in servername.csr -noout -text

  The output must list DNS:servername.acme.local under "X509v3 Subject Alternative Name" in the "Requested Extensions" block.
- When you receive the .cer/.crt/.pem in Base64 (PEM) format from the CA, inspect it the same way (openssl.exe x509 -in servername.crt -noout -text): not every CA copies the requested SAN into the issued certificate, and a certificate without it will still fail in Chrome. Then create a certificate chain in this file by adding the intermediate certificate and the root certificate, in the following order:

  (Your server certificate: servername.crt)
  (Intermediate CA .crt content)
  (Root CA .crt content)

  The root certificate is optional in the served chain, since clients trust it from their own store, but including it does no harm.
- If your application requires the certificate and private key in a single .pfx file, you can combine them with:

  openssl.exe pkcs12 -export -out servername.pfx -inkey servername.key -in servername.crt

  This results in a servername.pfx file protected by the export password OpenSSL prompts for. Since servername.crt now holds the whole chain, the intermediate and root certificates are bundled as well (if you keep the chain in a separate file, pass it with -certfile). The .pfx contains the private key, so protect it like the key itself. If an older Windows or Java target refuses to import the file, the usual cause is the newer default PKCS#12 encryption in OpenSSL 3; re-export with -legacy or with explicit -certpbe, -keypbe and -macalg settings.
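The four steps above run end to end, as an added example that is not part of the original post. It uses a throw-away local root and intermediate CA ("Test Root CA" and "Test Intermediate CA", an assumption standing in for the real CA), a scratch directory from mktemp and a placeholder PFX password in $PFX_PASS; only servername.acme.local and the DN fields come from the post. It also adds the checks the post leaves implicit: that the SAN is in the CSR and still in the issued certificate, that the key on disk matches the certificate, that the served chain validates, and that the PFX carries all three certificates.

```shell
#!/bin/sh
# Added example (not code from the original post): the four steps above run
# end to end, offline, with a throw-away root + intermediate CA standing in for
# the real CA, followed by the checks worth running before deployment.
# Assumed: everything under $WORK, the CA names and the PFX password. Only
# servername.acme.local and the DN fields come from the post.
set -eu
WORK="${WORK:-$(mktemp -d)}"; NAME="servername"; FQDN="servername.acme.local"
PFX_PASS="${PFX_PASS:-changeit}"   # placeholder; use a real secret in practice

write_cnf() {   # Step 1: the CSR parameters, SAN included
  cat > "$WORK/$NAME.cnf" <<EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
C = BE
ST = ANTWERPEN
L = ANTWERPEN
O = ACME
CN = $FQDN
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $FQDN
EOF
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = replaced by -subj
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}
make_csr() {    # Step 2: -nodes leaves the key unencrypted, so lock the file down
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$NAME.key" \
    -out "$WORK/$NAME.csr" -config "$WORK/$NAME.cnf" 2>/dev/null
  chmod 600 "$WORK/$NAME.key"
}
san_of() {      # SAN line of a CSR ($1=req) or certificate ($1=x509); empty if absent
  openssl "$1" -in "$2" -noout -text | grep -A1 'Subject Alternative Name' \
    | tail -n1 | sed 's/^ *//'
}
make_test_ca() {  # stand-in CA: root signs an intermediate, intermediate signs us
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
    -config "$WORK/ca.cnf" -extensions ca_ext -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -config "$WORK/ca.cnf" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ca.cnf" -extensions ca_ext -out "$WORK/int.crt" 2>/dev/null
}
sign_csr() {    # 'x509 -req' drops the CSR's requested extensions unless told where
                # to get them; some CA front-ends do too, so the issued cert is checked below
  openssl x509 -req -in "$WORK/$NAME.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$NAME.cnf" -extensions req_ext -out "$WORK/$NAME.crt" 2>/dev/null
}
build_chain() { # Step 3: leaf first, then intermediate, then root
  cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/ca-chain.pem"
  cat "$WORK/$NAME.crt" "$WORK/ca-chain.pem" > "$WORK/$NAME-chain.pem"
}
export_pfx() {  # Step 4: private key + certificate + CA chain, password protected
  openssl pkcs12 -export -out "$WORK/$NAME.pfx" -inkey "$WORK/$NAME.key" -in "$WORK/$NAME.crt" \
    -certfile "$WORK/ca-chain.pem" -name "$FQDN" -passout "pass:$PFX_PASS"
  chmod 600 "$WORK/$NAME.pfx"
}
key_matches_cert() {  # the key on disk is the one the certificate was issued for
  [ "$(openssl pkey -in "$WORK/$NAME.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$WORK/$NAME.crt" -noout -pubkey)" ]
}
chain_ok() {    # the served chain validates up to the root
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/$NAME.crt" >/dev/null
}
pfx_cert_count() {  # certificates inside the PFX (expect leaf + intermediate + root = 3)
  openssl pkcs12 -in "$WORK/$NAME.pfx" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

write_cnf; make_csr; make_test_ca; sign_csr; build_chain; export_pfx
echo "CSR SAN : $(san_of req "$WORK/$NAME.csr")"    # must name the server
echo "cert SAN: $(san_of x509 "$WORK/$NAME.crt")"   # must still be there after signing
key_matches_cert && chain_ok && echo "key, chain and PFX OK ($(pfx_cert_count) certs in $WORK/$NAME.pfx)"
```

Run it with sh; the files land in the directory it prints. The sign_csr step shows the trap directly: openssl x509 -req signs from the CSR but only adds the SAN because -extfile/-extensions point it back at the config, which is why the issued certificate is inspected and not just the request.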