
Generating a valid self-signed certificate for Apache and Chrome

In our previous article, we saw how to generate a self-signed certificate for localhost website development, and how to do it so that the Google Chrome browser won’t produce the well-known “NET::ERR_CERT_AUTHORITY_INVALID” notice.

Unfortunately, for Chrome 58 and later another warning is waiting for you. This time it’s “NET::ERR_CERT_COMMON_NAME_INVALID” or “Your connection is not private”, since (as you can read here from Google) “only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate”.

So we have to reissue our self-signed certificate in order to include the subjectAlternativeName as well.

For this purpose, we’ll be using OpenSSL and we’ll see how to install and configure this brand new certificate in Apache.

OpenSSL configuration

The first thing to do is install OpenSSL. At the time of writing, I downloaded OpenSSL v1.1.0g. If you are on Windows, you can download the installer at the following URL:

Win32 OpenSSL v1.1.0g

but of course you can use the same version on Linux as well, depending on your distribution (CentOS, Debian, Ubuntu and so on).

Once OpenSSL is installed, we need to make a small change to its configuration file so that it handles the Subject Alternative Name (SAN).

So, assuming that nullalo.local is the local domain alias you need the self-signed certificate for, edit the /bin/openssl.cfg file and add the following section (e.g. at the bottom of the file or at the end of another section):


[SAN]
subjectAltName=DNS:nullalo.local,DNS:www.nullalo.local

Here we created two alternative names, nullalo.local and www.nullalo.local, to show the syntax for listing multiple DNS names. If you only use a single name (no ServerAlias in Apache), the first entry is enough:


[SAN]
subjectAltName=DNS:nullalo.local

Now, all you have to do is generate the private key and the certificate using OpenSSL.
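
The following is an added example, not code from the original article: it issues a self-signed certificate from a [SAN] section like the one above and then checks that the extension really ended up in the certificate. It assumes a throwaway config file instead of an edited openssl.cfg; the function names and the server.key / server.crt file names are assumptions.

```shell
#!/bin/sh
# Added example: names and file layout are assumptions, not the article's.

# make_san_cert DIR NAME [NAME...]: first NAME becomes the CN, all become SANs.
make_san_cert() {
    dir=$1; shift
    cn=$1; san=""
    for name in "$@"; do san="${san:+$san,}DNS:$name"; done
    # Throwaway config carrying the same [SAN] section the article describes.
    cat > "$dir/openssl-san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = SAN
prompt = no

[dn]
CN = $cn

[SAN]
subjectAltName = $san
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/openssl-san.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null &&
        chmod 600 "$dir/server.key"   # private key readable by owner only
}

# cert_has_san CERT NAME: succeeds only if NAME is listed as a DNS SAN entry.
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$2"
}

# Demo in a temporary directory, using the host names from the article.
work=$(mktemp -d)
make_san_cert "$work" nullalo.local www.nullalo.local || echo "openssl failed" >&2
for host in nullalo.local www.nullalo.local; do
    if cert_has_san "$work/server.crt" "$host"; then
        echo "SAN present: $host"
    else
        echo "SAN missing: $host (Chrome 58+ would reject this name)"
    fi
done
rm -rf "$work"
```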


Fulvio Sicurezza


4 Comments

  1. Arvind Kumar Jha
    Tuesday December 4th, 2018 at 08:22 AM — Reply

    Thanks a ton!!
    This tutorial worked for me perfectly.

  2. Sunday December 16th, 2018 at 01:18 PM — Reply

    Really interesting 🙂 Thanks

  3. Tuesday January 21st, 2020 at 06:06 AM — Reply

    Hi,
    I installed a SELF-SIGNED CERTIFICATE on my site http://www.nspiel.de/ and checked it on ssllabs.com; it said: NOT TRUSTED.
    What can I do now?

    • Fulvio Sicurezza
      Wednesday January 22nd, 2020 at 10:22 AM — Reply

      This procedure is for LOCAL certificates. For an online website, you have to use Let’s Encrypt or something similar, but in the meantime I see you already solved your issue 🙂
