Creating self signed certificate for domain and subdomains - NET::ERR_CERT_COMMON_NAME_INVALID

Asked 4/12, 2014 at 12:53 Answered 28/1, 2020 at 5:10

I followed this tutorial for creating Signed SSL certificates on Windows for development purposes, and it worked great for one of my domains(I'm using hosts file to simulate dns). Then I figured that I have a lot of subdomains, and that would be a pain in the ass to create a certificate for each of them. So I tried creating a certificate using wildcard in Common field as suggested in some of the answers at serverfault. Like this:

Common Name: *.myserver.net/CN=myserver.net

However, after importing this certificate into Trusted Root Certification Authority, I'm getting NET::ERR_CERT_COMMON_NAME_INVALID error in Chrome, for main domain and all of its subodmains, for example: https://sub1.myserver.net and https://myserver.net.

This server could not prove that it is myserver.net; its security certificate is from *.myserver.net/CN=myserver.net.

This may be caused by a misconfiguration or an attacker intercepting your connection.

Is there something wrong in Common Name field that is causing this error?

Headliner answered 4/12, 2014 at 12:53 Comment(1)

Spent much time trying to fix this too. See my answer here #42816718 – Agitate 7/3, 2018 at 11:34

As Rahul stated, it is a common Chrome and an OSX bug. I was having similar issues in the past. In fact I finally got tired of making the 2 [yes I know it is not many] additional clicks when testing a local site for work.

As for a possible workaround to this issue [using Windows], I would using one of the many self signing certificate utilities available.

Recommended Steps:

Create a Self Signed Cert
Import Certificate into Windows Certificate Manager
Import Certificate in Chrome Certificate Manager
NOTE: Step 3 will resolve the issue experienced once Google addresses the bug...considering the time in has been stale there is no ETA in the foreseeable future.**

As much as I prefer to use Chrome for development, I have found myself in Firefox Developer Edition lately. which does not have this issue.

Hope this helps :)

Liberalism answered 15/1, 2015 at 23:6 Comment(5)

The bug you linked to is A) only valid for OS X, and B) concerns domains with a trailing ".", neither of which are valid for @Zed. – Claque 20/3, 2015 at 18:33

Hmm which link would that be? – Liberalism 20/3, 2015 at 18:36

The link to the chromium bug (98627) – Claque 20/3, 2015 at 18:38

Regardless the fix I proposed works on Windows too as I have used it many times. – Liberalism 20/3, 2015 at 18:41

"As much as I prefer to use Chrome for development, I have found myself in Firefox Developer Edition lately. which does not have this issue." couldn't agree more here.. – Stratfordonavon 3/10, 2017 at 4:54

Chrome 58 has dropped support for certificates without Subject Alternative Names.

Moving forward, this might be another reason for you encountering this error.

Olivenite answered 3/5, 2017 at 9:11 Comment(3)

This guide helped me create a self-signed certificate on Mac OSX: alexanderzeitler.com/articles/… – Panaggio 12/6, 2017 at 16:27

despite the error saying nothing about subject alternative names, this fixed my issue. Thanks! – Demodulate 18/7, 2018 at 17:21

Getting a certificate with SAN was initially troublesome for me, also. Some of the answers posted here might also be of some use: https://mcmap.net/q/35970/-how-to-get-ssl-certificate-to-work-with-localhost-on-firefox – Thinnish 14/12, 2022 at 20:19

A workaround is to add the domain names you use as "subjectAltName" (X509v3 Subject Alternative Name). This can be done by changing your OpenSSL configuration (/etc/ssl/openssl.cnf on Linux) and modify the v3_req section to look like this:

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = myserver.net
DNS.2 = sub1.myserver.net

With this in place, not forget to use the -extensions v3_req switch when generating your new certificate. (see also How can I generate a self-signed certificate with SubjectAltName using OpenSSL?)

Pundit answered 12/3, 2015 at 16:45 Comment(11)

The usage of subjectAltName = @alt_names totally solved my issue. I had previously bound the DNS identity to my domain by providing it though CN=*.example.com. Setting DNS.1 = example.com and DNS.2 = *.example.com did the trick. Weird thing (for me) was that it all worked until ~2017-03-17 and stopped a day after (had run a large batch of Windows udates). Nothing broke for me on Linux though, this was only Chrome, Firefox on Windows. – Neilson 18/3, 2017 at 13:33

@bossi: Unfortunately I have this problem on Chrome/Ubuntu. And cert is nothing fancy, single host, single DN (internal GitLab repository). – Brocade 20/3, 2017 at 15:9

It worked a week or so ago, nothing changed on server. 2 other servers started to rant due to upper-lower case mismatch (cert is uppercase, Chrome drops address to lowercase) – Brocade 20/3, 2017 at 15:18

@Neilson I bet your Windows version is on the beta track, right? Chrome has deprecated certs without a subjectAltName as of Chrome 58 which is currently in beta. This bit me hard because not only had I not seen anything about it, but the error name is very misleading (it's not the common name that's invalid!) I was the opposite of you; it happened only on Linux for me so I spent hours trying to fix my local cert store there. – Stink 21/3, 2017 at 1:43

@PawelKraszewski sounds like you also have the same issue; are you on Chrome 58 beta? See my note above; matching on commonName is now removed. – Stink 21/3, 2017 at 1:45

@TobyJ 58.0.3029.19 beta (64-bit) it is. I've regenerated cert tree with correct subjectAltName-s and everything works now. And I agree, the error message is very misleading, as it is not CommonName that is invalid. If the message read "Certificate is missing a proper subjectAltName", everybody would be much more happy. – Brocade 21/3, 2017 at 6:50

@PawelKraszewski well here's the power of open source I suppose, I found the Chromium issue where they discussed this, and complained about the error message being unclear, so they've agreed to make it better (I guess it was actually a bit difficult to change that message from the point where they detected the error): bugs.chromium.org/p/chromium/issues/detail?id=308330 – Stink 21/3, 2017 at 14:8

@PawelKraszewski I'd always go for lower case or lower camelCase for anything config related unless the context prescribes caps explicitly. using `alt_names doesn't work for you? Does the console say anything more specific? – Neilson 22/3, 2017 at 10:23

@TobyJ Yeah you're spot on, I'm on Chrome/beta (58.0.3029.19 currently), Firefox/stable though (52.0.1) on my Win. FF seems to have dropped support for the domain name in the CN field as well. I guess the error message makes sense from a historic point of view if the general change has indeed been from domain identifier in CN field to subjectAltName only but this way it's confusing now. I'm sure it'll get addressed if it's really a recent shift. – Neilson 22/3, 2017 at 10:24

@bossi: as the mixed case issue is on a very sensitive server and I'm the only one peeking at it via browser (this is mainly a REST server for headless devices), I'd rather not touch anything - being aware the message about mismatch is a legit one and certs use a private CA anyway. – Brocade 22/3, 2017 at 15:42

@PawelKraszewski now (v59) when you click on "advanced" while on error page you can read more info about it and there is: incorrect subjectAltName. – Rainy 11/7, 2017 at 12:50

Create openssl.conf file:

[req]
default_bits = 2048
default_keyfile = oats.key
encrypt_key = no
utf8 = yes
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = Cary
L = Cary
O  = BigCompany
CN = *.myserver.net

[v3_req]
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = myserver.net
DNS.2 = *.myserver.net

Run this comand:

openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -keyout app.key -out app.crt  -config openssl.conf

Output files app.crt and app.key work for me.

Kafir answered 15/3, 2018 at 8:53 Comment(4)

There is a typo in DNS.1 = *.myserver.net. Should be DNS.2 = *.myserver.net. Works just fine for me. – Tim 22/8, 2018 at 14:46

if you are on windows this can be done using openssl installed with git by using a cmd running as admin and the following location : "C:\Program Files\Git\usr\bin\openssl.exe" req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -keyout app.key -out app.crt -config openssl.conf – Jovanjove 31/1, 2019 at 15:19

I wrote CN = localhost, DNS.1 = localhost, DNS.2 = *.localhost:8080 and it is not working for me. What else should I be changing? – Firebreak 11/3, 2019 at 19:2

I haven't been able to get this working. (Chrome still says that the certificates are untrusted.) And I wonder why it says default_keyfile = oats.key. – Kittie 23/6, 2021 at 20:56

Create a Self Signed Cert
Import Certificate into Windows Certificate Manager
Import Certificate in Chrome Certificate Manager
NOTE: Step 3 will resolve the issue experienced once Google addresses the bug...considering the time in has been stale there is no ETA in the foreseeable future.**

As much as I prefer to use Chrome for development, I have found myself in Firefox Developer Edition lately. which does not have this issue.

Hope this helps :)

Liberalism answered 15/1, 2015 at 23:6 Comment(5)

The bug you linked to is A) only valid for OS X, and B) concerns domains with a trailing ".", neither of which are valid for @Zed. – Claque 20/3, 2015 at 18:33

Hmm which link would that be? – Liberalism 20/3, 2015 at 18:36

The link to the chromium bug (98627) – Claque 20/3, 2015 at 18:38

Regardless the fix I proposed works on Windows too as I have used it many times. – Liberalism 20/3, 2015 at 18:41

Your wildcard *.example.com does not cover the root domain example.com but will cover any variant on a sub-domain such as www.example.com or test.example.com

The preferred method is to establish Subject Alternative Names like in Fabian's Answer but keep in mind that Chrome currently requires the Common Name to be listed additionally as one of the Subject Alternative Names (as it is correctly demonstrated in his answer). I recently discovered this problem because I had the Common Name example.com with SANs www.example.com and test.example.com, but got the NET::ERR_CERT_COMMON_NAME_INVALID warning from Chrome. I had to generate a new Certificate Signing Request with example.com as both the Common Name and one of the SANs. Then Chrome fully trusted the certificate. And don't forget to import the root certificate into Chrome as a trusted authority for identifying websites.

Noisette answered 22/6, 2016 at 22:30 Comment(2)

If anyone reading this uses Pantheon for hosting, they seem to reconstitute the common name associated with your cert when you upload it into their platform, creating this problem. You have to test against the custom static IP they give you to see if the cert's common name remained intact during the setup. – Supernova 10/1, 2017 at 18:15

Brilliant! "Your wildcard *.example.com does not cover the root domain example.com but will cover any variant on a sub-domain such as www.example.com or test.example.com." This was precisely the problem in my case. The fix was simply to include both DNS.1 = example.com and DNS.2 = *.example.com under [alt_names] in openssl.cnf. – Robet 10/9, 2017 at 16:23

I think it may be a bug in chrome. There was a similar issue long back: See this.

Try in a different browser. I think it should work fine.

Saucy answered 9/12, 2014 at 6:12 Comment(0)

If you're tired of this error. You can make Chrome not act out like this. I'm not saying it's the best way just saying it's a way.

As a workaround, a Windows registry key can be created to allow Google Chrome to use the commonName of a server certificate to match a hostname if the certificate is missing a subjectAlternativeName extension, as long as it successfully validates and chains to a locally-installed CA certificates.

Data type: Boolean [Windows:REG_DWORD] Windows registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome Windows/Mac/Linux/Android preference name: EnableCommonNameFallbackForLocalAnchors Value: 0x00000001 (Windows), true(Linux), true (Android), (Mac) To create a Windows registry key, simply follow these steps:

Open Notepad Copy and paste the following content into notepad Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome] "EnableCommonNameFallbackForLocalAnchors"=dword:00000001 Go to File > Save as Filename: any_filename.reg Save as type: All Files

Select a preferred location for the file

Click on Save

Double click on the saved file to run

Click on Yes on the Registry Editor warning

Found this information on Symantec support page: https://support.symantec.com/en_US/article.TECH240507.html

Lek answered 18/8, 2017 at 12:34 Comment(1)

It didn't work anymore. But thanks for info. First answer (looking from top of page) that indicated that issue is with Subject Alternative Name – User 27/9, 2022 at 10:52

For everyone who is encountering this and wants to accept the risk to test it, there is a solution: go to Incognito mode in Chrome and you'll be able to open "Advanced" and click "Proceed to some.url".

This can be helpful if you need to check some website which you are maintaining yourself and just testing as a developer (and when you don't yet have proper development certificate configured).

Of course this is NOT FOR PEOPLE using a website in production where this error indicates that there is a problem with website security.

Michealmicheil answered 21/3, 2019 at 10:57 Comment(0)

The answers provided did not work for me (Chrome or Firefox) while creating PWA for local development and testing. DO NOT USE FOR PRODUCTION! I was able to use the following:

Online certificate tools site with the following options:
- Common Names: Add both the "localhost" and IP of your system e.g. 192.168.1.12
- Subject Alternative Names: Add "DNS" = "localhost" and "IP" = <your ip here, e.g. 192.168.1.12>
- "CRS" drop down options set to "Self Sign"
- all other options were defaults
Download all links
Import .p7b cert into Windows by double clicking and select "install"/ OSX?/Linux?
Added certs to node app... using Google's PWA example
- add const https = require('https'); const fs = require('fs'); to the top of the server.js file
- comment out return app.listen(PORT, () => { ... }); at the bottom of server.js file
- add below https.createServer({ key: fs.readFileSync('./cert.key','utf8'), cert: fs.readFileSync('./cert.crt','utf8'), requestCert: false, rejectUnauthorized: false }, app).listen(PORT)

I have no more errors in Chrome or Firefox

Threadgill answered 28/1, 2020 at 5:10 Comment(1)

This works in my angular app. Thanks James. – Atmospherics 18/5, 2021 at 3:0

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags