MacOS – Chrome on macOS suddenly rejects self signed certificates

google-chrome keychain macos ssl

I have been happily using self-signed certificates for locally hosted sites running on apache2 for a couple of years. Today one of those certificates expired – no biggie, I recreated it and replaced the cert in my keychain. However, Chrome is now giving me an error when I try to visit the site:

Certificate Error
There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).

So I thought maybe the cert I had generated was dodgy. But no – all of my other (unexpired) self-signed certs have stopped working too! Is it a coincidence? I don't know.

I thought maybe it didn't like my 'common name' (which was com06, e.g. https://com06/) so I tried with com06.dev. No luck!

What is going on?

Certs generated with

openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout server.key -out server.crt

Added to keychain with

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain server.crt

  • macOS 10.11.6
  • Chrome v58.0.3029.33 beta (64-bit)

Self-signed certs are accepted by Safari; this is only a problem with Chrome.

Update

As of Chrome v58.0.3029.41 beta, I get this helpful error message in the developer tools:

Subject Alternative Name Missing
The certificate for this site does not contain a Subject Alternative 
Name extension containing a domain name or IP address.

Best Answer

You can temporarily disable the SAN enforcement using the EnableCommonNameFallbackForLocalAnchors policy; see this page for details. This will allow you to reissue your certificates when time allows it.

On OS X this can be achieved using the following command:

defaults write com.google.Chrome EnableCommonNameFallbackForLocalAnchors -bool true
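
For the reissue that the answer above defers, an added example (not part of the original question or answer) that generates the self-signed certificate with a Subject Alternative Name and then checks that the extension is present. The function names, the openssl-san.cnf file name and the output directory are assumptions, and the host is assumed to be a DNS name rather than an IP address.

```shell
#!/bin/sh
# Added example, not from the original page.
# make_san_cert HOST OUTDIR
#   Writes OUTDIR/server.key and OUTDIR/server.crt, self-signed, with
#   CN=HOST and a matching subjectAltName (HOST assumed to be a DNS name).
make_san_cert() {
    host=$1
    outdir=$2
    cfg="$outdir/openssl-san.cnf"   # hypothetical file name
    mkdir -p "$outdir" || return 1

    # A config file is used instead of -addext so that older OpenSSL and
    # LibreSSL builds accept it. [v3_san] carries the extension that the
    # "Subject Alternative Name Missing" error asks for.
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no

[dn]
CN = $host

[v3_san]
subjectAltName = DNS:$host
EOF

    # Same options as the command in the question, plus -config.
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -config "$cfg" \
        -keyout "$outdir/server.key" -out "$outdir/server.crt"
}

# cert_has_san CERT HOST
#   Exit status 0 only if CERT has a SAN entry exactly equal to DNS:HOST.
#   A CN-only certificate (what the original command produced) fails.
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' |
        sed 's/^ *//; s/ *$//' |
        grep -Fxq "DNS:$2"
}
```

Running `cert_has_san server.crt com06.dev` before adding the certificate to the keychain with the `security add-trusted-cert` command from the question confirms the new certificate carries the extension.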