{"id":1672,"date":"2018-03-22T15:42:14","date_gmt":"2018-03-22T14:42:14","guid":{"rendered":"https:\/\/www.nullalo.com\/?p=1672"},"modified":"2025-10-22T10:15:26","modified_gmt":"2025-10-22T08:15:26","slug":"generare-un-certificato-auto-firmato-valido-per-apache-e-chrome","status":"publish","type":"post","link":"https:\/\/www.nullalo.com\/en\/generating-a-valid-self-signed-certificate-for-apache-and-chrome\/","title":{"rendered":"Generating a valid self-signed certificate for Apache and Chrome"},"content":{"rendered":"

<\/p>\n

In our previous article<\/a>, we saw how to generate a self-signed certificate for localhost<\/strong> website development, and how to do it so that Google Chrome browser won’t produce the well-known “NET::ERR_CERT_AUTHORITY_INVALID”\u00a0\u00a0<\/strong><\/em>notice.<\/p>\n

Unfortunately, for Chrome 58 and later another warning is waiting for you. This time it’s “NET::ERR_CERT_COMMON_NAME_INVALID<\/strong><\/em>” or “Your connection is not private<\/em><\/strong>“, since (as you can read here<\/a> from Google) “only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate<\/em>“.<\/p>\n

So we have to reissue our self-signed certificate in order to include the subjectAlternativeName<\/strong> as well.<\/p>\n

For this purpose, we’ll be using OpenSSL<\/strong> and we’ll see how to install and configurare this brand new certificate in Apache.<\/p>\n

OpenSSL configuration<\/h2>\n

The first thing to do is install OpenSSL. At the time of writing, I downloaded OpenSSL v1.1.0g<\/strong>. If you are on Windows, you can download the installer at the following URL:<\/p>\n

Win32 OpenSSL v1.1.0g<\/a><\/p>\n

but of course you can use the same version on Linux as well, depending on your distribution (CentOS, Debian, Ubuntu and so on).<\/p>\n

Once installed OpenSSL, we need to modify a little bit its configuration file, in order to handle the Subject Alternative Name<\/strong> (SAN<\/strong>).<\/p>\n

So, assuming that nullalo.local<\/strong><\/em> is the local domain alias you need the self-signed certificate for, edit \/bin\/openssl.cfg<\/strong> file and add the following section (i.e. at the bottom of the file or at the end of another section):<\/p>\n

\r\n\r\n[SAN]\r\nsubjectAltName=DNS:nullalo.local,DNS:www.nullalo.local\r\n\r\n<\/pre>\n
Here, we created two alternative names, nullalo.local<\/strong><\/em> and www.nullalo.local\u00a0<\/strong><\/em>to show you the right syntax to add multiple DNS<\/strong> (Domain Name System<\/strong>), but if you just use a single DNS (no ServerAlias in Apache), the first entry will be enough:<\/p>\n
\r\n\r\n[SAN]\r\nsubjectAltName=DNS:nullalo.local\r\n\r\n<\/pre>\n
Now, all you have to do is generate the private key and the certificate using OpenSSL.<\/p>\n
<\/p>\n
Certificate generation<\/h2>\n
Assuming that you are on Windows, you have installed OpenSSL in C:\\OpenSSL-Win32\\<\/strong><\/em> and your local domain name is nullalo.local<\/strong><\/em>, you can issue the following commands at the prompt:<\/p>\n
\r\n\r\nC:\\OpenSSL-Win32\\bin\\openssl.exe req -x509 -config C:\\OpenSSL-Win32\\bin\\openssl.cfg -nodes -days 365 -newkey rsa:2048 -reqexts SAN -extensions SAN -keyout nullalo.local.key -out nullalo.local.crt\r\n\r\n<\/pre>\n
Let’s see the meaning of this command’s parameters:<\/p>\n