Chrome shows ERR_CERT_COMMON_NAME_INVALID when firefox is happy

mc flag

Learning how to work with certificates, maybe I will have a local CA server. I have a server with a BMC, so I used it for practicing. I generated a CA pair, then a host pair, and then signed the host CSR with the CA pair to get the host crt. I uploaded the CA crt to Chrome's trusted keys repository and the host pair to the BMC. Now when I go to the server, I can see that the BMC returns the correct crt, but Chrome shows that the connection is not secure. The reason is ERR_CERT_COMMON_NAME_INVALID. However, when I click "Certificate is not valid", I can see both keys, and the signed certificate is shown as "This certificate is OK.". The DNS name used in the URL = COMMON name. At the same time, Firefox has no problem; it is fine with my certs. What may be wrong?

Used this sequence:

```
# CA PRIVATE
openssl genrsa -out CAKEY.pem 2048

# CA CERTIFICATE (used in browser). Common name:
openssl req -x509 -sha256 -new -nodes -key CAKEY.pem -days 3650 -out CACERT.pem -addext "subjectAltName ="

# HOST KEY (uploaded to BMC), I need to turn off here password protection, BMC doesn't like password
openssl genrsa -out HOSTKEY.pem 2048

# HOST CSR. Common name:
openssl req -new -key HOSTKEY.pem -out HOSTCSR.pem -addext "subjectAltName ="

# SIGN (uploaded to BMC)
openssl x509 -req -CA CACERT.pem -CAkey CAKEY.pem -in HOSTCSR.pem -out HOSTCRT.PEM -days 3650 -CAcreateserial
```
dave_thompson_085
jp flag
Dupe and more linked there
br flag

OpenSSL's x509 command doesn't copy the extensions from the CSR file to the signed certificate in version 1.1.1 and earlier.

On the latest version there's the `-copy_extensions <arg>` option, where `<arg>` can be `none`, `copy` or `copyall`.

You're getting the message in Chrome, because your certificate hasn't got the Subject Alternative Name (SAN) extension copied, so it complains. I believe Firefox retains the use of the Subject's CommonName if no Subject Alternative Name extension exists, which is why it doesn't complain.

You can work around this by pointing the x509 command to another config file with the -extfile <file> and the -extensions <section> options. The file <file> just needs to have a named section with the extensions you want to add to the certificate:

```
[ my_ext ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

# section referenced by @alt_names above; list every DNS name the BMC is reached by
[ alt_names ]
DNS.1 =
```
dave_thompson_085
jp flag
`-extfile` (no `_`). In contrast, `req -new -x509 -addext` does put SAN in the CA cert, but nothing ever looks at SAN in a CA cert and it is completely useless and wasted.
br flag
@dave_thompson_085 - thanks & fixed :-)
mc flag
Thank you, your solution works for me. I don't see here any button to make your answer the solution. Should I press "Answer Your question"?

```
bash#openssl x509 -req -CA CACERT.crt -CAkey CAKEY.pem -in HOSTCSR.pem -out HOSTCRT.crt -days 3650 -CAcreateserial -extfile ext.txt -extensions my_ext
bash#
bash#cat ext.txt
[ my_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 =
```
br flag
To mark an answer as accepted, click on the check mark beside the answer to toggle it from greyed out to filled in.
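To make the accepted answer's point reproducible, here is an added script (not from the original thread or from OpenSSL's own documentation) that signs the same CSR twice, once without and once with `-extfile`/`-extensions`, and then checks which certificate actually carries a SAN. It assumes OpenSSL 1.1.1 or newer on PATH; `bmc.example.test`, the `ext.txt` file name and the `cert_has_san`/`cert_chains_to_ca` helper names are placeholders of my own.

```shell
# Added example, not from the original thread: sign the same CSR with and
# without -extfile/-extensions and check which certificate carries a SAN.
# Assumes OpenSSL 1.1.1 or newer on PATH; bmc.example.test is a placeholder.
set -eu

BMC_HOST=bmc.example.test
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# CA key and self-signed CA certificate (a SAN on the CA cert is not needed)
openssl genrsa -out CAKEY.pem 2048 2>/dev/null
openssl req -x509 -sha256 -new -nodes -key CAKEY.pem -days 3650 \
    -subj "/CN=Practice CA" -out CACERT.pem

# Host key and CSR; CN and SAN both name the BMC
openssl genrsa -out HOSTKEY.pem 2048 2>/dev/null
openssl req -new -sha256 -key HOSTKEY.pem -subj "/CN=$BMC_HOST" \
    -addext "subjectAltName = DNS:$BMC_HOST" -out HOSTCSR.pem

# Extension file for the fixed signing command (section name is arbitrary)
cat > ext.txt <<EOF
[ my_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = @alt_names
[ alt_names ]
DNS.1 = $BMC_HOST
EOF

# Broken: x509 -req ignores the extensions in the CSR, so no SAN is issued
openssl x509 -req -sha256 -CA CACERT.pem -CAkey CAKEY.pem -CAcreateserial \
    -in HOSTCSR.pem -days 3650 -out HOSTCRT-nosan.pem 2>/dev/null

# Fixed: extensions come from ext.txt, section my_ext
openssl x509 -req -sha256 -CA CACERT.pem -CAkey CAKEY.pem -CAcreateserial \
    -in HOSTCSR.pem -days 3650 -extfile ext.txt -extensions my_ext \
    -out HOSTCRT.pem 2>/dev/null

# 0 when the certificate has a SAN dNSName for $2 (the check Chrome performs;
# it no longer falls back to the CN)
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$2"
}
# 0 when the certificate chains to CACERT.pem (chain validity is not the problem)
cert_chains_to_ca() {
    openssl verify -CAfile CACERT.pem "$1" >/dev/null 2>&1
}
```

Both certificates chain to the CA, which is why Chrome's certificate viewer still reports the signed certificate as OK; only the one signed with `-extfile` passes the SAN check.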
