Generating a valid self-signed certificate for Apache and Chrome
In our previous article, we saw how to generate a self-signed certificate for localhost website development, and how to do it so that Google Chrome browser won’t produce the well-known “NET::ERR_CERT_AUTHORITY_INVALID” notice.
Unfortunately, for Chrome 58 and later another warning is waiting for you. This time it’s “NET::ERR_CERT_COMMON_NAME_INVALID” or “Your connection is not private“, since (as you can read here from Google) “only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate“.
So we have to reissue our self-signed certificate in order to include the subjectAlternativeName as well.
For this purpose, we’ll be using OpenSSL and we’ll see how to install and configurare this brand new certificate in Apache.
The first thing to do is install OpenSSL. At the time of writing, I downloaded OpenSSL v1.1.0g. If you are on Windows, you can download the installer at the following URL:
but of course you can use the same version on Linux as well, depending on your distribution (CentOS, Debian, Ubuntu and so on).
Once installed OpenSSL, we need to modify a little bit its configuration file, in order to handle the Subject Alternative Name (SAN).
So, assuming that nullalo.local is the local domain alias you need the self-signed certificate for, edit /bin/openssl.cfg file and add the following section (i.e. at the bottom of the file or at the end of another section):
Here, we created two alternative names, nullalo.local and www.nullalo.local to show you the right syntax to add multiple DNS (Domain Name System), but if you just use a single DNS (no ServerAlias in Apache), the first entry will be enough:
Now, all you have to do is generate the private key and the certificate using OpenSSL.