Creating self signed certificate for domain and subdomains - NET::ERR_CERT_COMMON_NAME_INVALID

I followed this tutorial for creating Signed SSL certificates on Windows for development purposes, and it worked great for one of my domains(I'm using hosts file to simulate dns). Then I figured that I have a lot of subdomains, and that would be a pain in the ass to create a certificate for each of them. So I tried creating a certificate using wildcard in Common field as suggested in some of the answers at serverfault. Like this:

Common Name: *.myserver.net/CN=myserver.net

However, after importing this certificate into Trusted Root Certification Authority, I'm getting NET::ERR_CERT_COMMON_NAME_INVALID error in Chrome, for main domain and all of its subodmains, for example: https://sub1.myserver.net and https://myserver.net.

> This server could not prove that it is myserver.net; its security certificate is from *.myserver.net/CN=myserver.net.

> This may be caused by a misconfiguration or an attacker intercepting your connection.

Is there something wrong in Common Name field that is causing this error?

Chrome 58 has dropped support for certificates without Subject Alternative Names.

Moving forward, this might be another reason for you encountering this error.

A workaround is to add the domain names you use as "subjectAltName" (X509v3 Subject Alternative Name). This can be done by changing your OpenSSL configuration (/etc/ssl/openssl.cnf on Linux) and modify the v3_req section to look like this:

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = myserver.net
DNS.2 = sub1.myserver.net

With this in place, not forget to use the -extensions v3_req switch when generating your new certificate. (see also https://stackoverflow.com/questions/21488845/how-can-i-generate-a-self-signed-certificate-with-subjectaltname-using-openssl)

As Rahul stated, it is a common Chrome and an OSX bug. I was having similar issues in the past. In fact I finally got tired of making the 2 [yes I know it is not many] additional clicks when testing a local site for work.

As for a possible workaround to this issue [using Windows], I would using one of the many self signing certificate utilities available.

Recommended Steps:

1. Create a Self Signed Cert
2. Import Certificate into Windows Certificate Manager
3. Import Certificate in Chrome Certificate Manager
   NOTE: Step 3 will resolve the issue experienced once Google addresses the bug...considering the time in has been stale there is no ETA in the foreseeable future.**
   
   As much as I prefer to use Chrome for development, I have found myself in Firefox Developer Edition lately. which does not have this issue.
   
   Hope this helps :)

Create openssl.conf file:

[req]
default_bits = 2048
default_keyfile = oats.key
encrypt_key = no
utf8 = yes
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = Cary
L = Cary
O  = BigCompany
CN = *.myserver.net

[v3_req]
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = myserver.net
DNS.2 = *.myserver.net

Run this comand:

openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -keyout app.key -out app.crt  -config openssl.conf

Output files app.crt and app.key work for me.

Your wildcard *.example.com does not cover the root domain example.com but will cover any variant on a sub-domain such as www.example.com or test.example.com

The preferred method is to establish Subject Alternative Names like in Fabian's Answer but keep in mind that Chrome currently requires the Common Name to be listed additionally as one of the Subject Alternative Names (as it is correctly demonstrated in his answer). I recently discovered this problem because I had the Common Name example.com with SANs www.example.com and test.example.com, but got the NET::ERR_CERT_COMMON_NAME_INVALID warning from Chrome. I had to generate a new Certificate Signing Request with example.com as both the Common Name and one of the SANs. Then Chrome fully trusted the certificate. And don't forget to import the root certificate into Chrome as a trusted authority for identifying websites.

I think it may be a bug in chrome. There was a similar issue long back: See this.

Try in a different browser. I think it should work fine.

For everyone who is encountering this and wants to accept the risk to test it, there is a solution: go to Incognito mode in Chrome and you'll be able to open "Advanced" and click "Proceed to some.url".

This can be helpful if you need to check some website which you are maintaining yourself and just testing as a developer (and when you don't yet have proper development certificate configured).

Of course this is NOT FOR PEOPLE using a website in production where this error indicates that there is a problem with website security.

The answers provided did not work for me (Chrome or Firefox) while creating PWA for local development and testing. DO NOT USE FOR PRODUCTION! I was able to use the following:

1. Online certificate tools site with the following options:
   • Common Names: Add both the "localhost" and IP of your system e.g. 192.168.1.12
   • Subject Alternative Names: Add "DNS" = "localhost" and "IP" = <your ip here, e.g. 192.168.1.12>
   • "CRS" drop down options set to "Self Sign"
   • all other options were defaults
2. Download all links
3. Import .p7b cert into Windows by double clicking and select "install"/ OSX?/Linux?
4. Added certs to node app... using Google's PWA example
   • add const https = require('https'); const fs = require('fs'); to the top of the server.js file
   • comment out return app.listen(PORT, () => { ... }); at the bottom of server.js file
   • add below https.createServer({ key: fs.readFileSync('./cert.key','utf8'), cert: fs.readFileSync('./cert.crt','utf8'), requestCert: false, rejectUnauthorized: false }, app).listen(PORT)

I have no more errors in Chrome or Firefox

If you're tired of this error. You can make Chrome not act out like this. I'm not saying it's the best way just saying it's a way.

> As a workaround, a Windows registry key can be created to allow Google Chrome to use the commonName of a server certificate to match a hostname if the certificate is missing a subjectAlternativeName extension, as long as it successfully validates and chains to a locally-installed CA certificates. > > Data type: Boolean [Windows:REG_DWORD] > Windows registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome > Windows/Mac/Linux/Android preference name: EnableCommonNameFallbackForLocalAnchors > Value: 0x00000001 (Windows), true(Linux), true (Android), (Mac) > To create a Windows registry key, simply follow these steps: > > Open Notepad > Copy and paste the following content into notepad > Windows Registry Editor Version 5.00 > > [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome] > "EnableCommonNameFallbackForLocalAnchors"=dword:00000001 > Go to File > Save as > Filename: any_filename.reg > Save as type: All Files > > Select a preferred location for the file > > Click on Save > > Double click on the saved file to run > > Click on Yes on the Registry Editor warning

Found this information on Symantec support page: https://support.symantec.com/en_US/article.TECH240507.html