neroalive.blogg.se

Openssl config







There are several great answers that give examples of how to get this working, but none that explain where things went wrong in your attempt.

Pretty non-intuitive some times so it is worth walking through.

First, as an aside, OpenSSL defaults to ignoring any distinguished name values

If you want to use them you must add prompt = no

In addition, the command as written only generates a certificate request not a certificate itself, so the -days command does nothing.

If you generate your certificate request using this command you gave and inspect the result, the Subject Alt Name is present:

$ openssl req -new -key server.key -out server.csr -config config.cnf -sha256
$ openssl req -text -noout -in server.csr
Subject: C = US, ST = Massachusetts, L = Boston, O = MyCompany
Signature Algorithm: sha256WithRSAEncryption

But then if you generate the certificate using the command in heroku link and inspect the result, the Subject Alt Name is missing:

$ openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
$ openssl x509 -text -noout -in server.crt
Issuer: C = US, ST = Massachusetts, L = Boston, O = MyCompany

OPENSSL CONFIG HOW TO

openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout %HOSTNAME%.key -days 3560 -out %HOSTNAME%.crt -config %HOSTNAME%.cnf


OPENSSL CONFIG UPDATE

crt FILE INTO CHROME Trusted Root Certification Authorities
REM REMEMBER TO RESTART APACHE OR NGINX AFTER YOU CONFIGURE FOR THESE FILES
REM PLEASE UPDATE THE FOLLOWING VARIABLES FOR YOUR NEEDS.


REM IN YOUR SSL FOLDER, SAVE THIS FILE AS: makeCERT.bat
REM AT COMMAND LINE IN YOUR SSL FOLDER, RUN: makecert
REM IT WILL CREATE THESE FILES: example.cnf, example.crt, example.key


In Windows, save this script in your SSL folder as makeCERT.bat.
It will create these files: example.cnf, example.crt, example.key
off

In other words – having to disable HSTS will allow your site to be publicly viewed over HTTP and/or insecure HTTPS connection (beware!).

For Apache2 add the following to site-file, HTTP (port 80) section

Header unset Strict-Transport-Security
Header always set Strict-Transport-Security "max-age=0; includeSubDomains"

Tested on Debian/Apache2.4 + Debian/Chromium 59

OPENSSL CONFIG INSTALL

As of Chrome 58 it no longer accepts self-signed certs that rely on Common Name: !topic/chrome/zVo3M8CgKzQ context-place=topicsearchin/chrome/category$3ACanary%7Csort:relevance%7Cspell:false

Instead it requires using Subject Alt Name.

I have been previously following this guide on how to generate a self-signed cert: which worked great because I required the server.crt and server.key files for what I'm doing. I now need to generate new certs that include the SAN however all of my attempts to do so have not worked with Chrome 58.

I followed the steps on the above mentioned Heroku article to generate the key. I then wrote a new OpenSSL config file:

distinguished_name = req_distinguished_name

Then generated the server.crt with the following command:

openssl req \

I'm on a Mac, so I opened the server.crt file with Keychain, added it to my System Certificates.

With the exception of the config file to set the SAN value these were similar steps I used in prior versions of Chrome to generate and trust the self-signed cert. However, after this I still get the ERR_CERT_COMMON_NAME_INVALID in Chrome 58.

Create CA key and cert

# openssl genrsa -out server_rootCA.key 2048
# openssl req -x509 -new -nodes -key server_rootCA.key -sha256 -days 3650 -out server_rootCA.pem

Create server_ # server_

Create v3.ext configuration file # v3.ext

keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

Create server key

# openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config

Setting -> (Advanced) Manage Certificates -> Import -> 'server_rootCA.pem'

Instead of creating a functional CA & server cert pair (per the instructions above) you could simply disable HSTS headers in your HTTP server config. This will prevent Chromium from enforcing HTTPS and will allow users to click “Advanced → proceed to your.url (unsafe)” without having to obtain and install your custom CA (server_rootCA.pem) certificate.







