Fix 'Subject Alternative Name Missing [missing_subjectAltName]' issue in Chrome with Self-Signed Certificates using OpenSSL
After the release of Chrome v58, Common Name (CN) support was removed for SSL certificates; instead, SSL certificates are required to have a Subject Alternative Name (SAN). When you use self-signed certificates this becomes a problem if you want to get rid of the red "Not Secure" flag and the warnings Chrome shows during local development with SSL enabled, because the self-signed certificates we normally create do not include a Subject Alternative Name (SAN). The error you will get is something like this.
Note: You can get rid of the certificate error net::ERR_CERT_AUTHORITY_INVALID for your self-signed certificate by importing the certificate into the Trusted Root Certification Authorities in the Manage Certificates section in Chrome (and in other browsers).
Let’s create a Self-Signed Certificate by using OpenSSL that includes Subject Alternative Name (SAN) to get rid of this issue.
Creating the Certificate Authority Root Certificate
We’ll start off by creating the Certificate Authority Root Certificate that we will later use to create the self-signed certificate we need. Here are the parameterized commands needed to create the certificates. Copy these commands into a .cmd file and execute it with the necessary command line arguments to create the certificates. This makes it easy to reuse them later.
:: Command line arguments
:: %1 - Root CA certificate name
openssl genrsa -des3 -out %1.key 2048
openssl req -x509 -new -nodes -key %1.key -sha256 -days 1825 -out %1.pem
You need to provide the name for the Root CA certificate as the command line parameter. This creates an X.509 certificate that is valid for 5 years (1825 days). The following screenshot shows how the command is executed and what information needs to be provided.
This command outputs 2 files: a private key file (.key) and a Privacy-Enhanced Mail (.pem) file.
Creating the Certificate Signing Request (CSR)
Before we create the self-signed certificate, we need to create the Certificate Signing Request (CSR) from which the self-signed certificate is issued. You can use OpenSSL to create the CSR, or you can use IIS Manager, for example. I’ll show both options.
Using OpenSSL to Create the Certificate Signing Request
Copy the following command into a .cmd file and execute it. The command takes two arguments: the name for the .csr file and the name for the private key (.key) file.
:: Command line arguments
:: %1 - Name for the .csr file
:: %2 - Name for the private key .key file
openssl req -out %1.csr -new -newkey rsa:2048 -nodes -keyout %2.key
Execute the script with the 2 required file names as the arguments. The execution and the required information can be seen in the screenshot below. You can ignore the extra challenge password and the optional company name in this instance.
This outputs 2 files: a .csr file containing the Certificate Signing Request and a .key file. We use the .csr file in the next step to create the self-signed certificate for sonar.k2vsoftware.com. Next, we’ll look at creating a CSR using IIS Manager.
Using IIS Manager to Create the Certificate Signing Request
Open up IIS Manager and navigate to the Server Certificates section.
Then click on the Create Certificate Request... link to start creating the CSR.
Fill in the information for the Distinguished Name Properties and click Next. Then select the Cryptographic Service Provider and Bit Length (the bit length should match the bit length you use in the OpenSSL command).
Finally, set a location to save the CSR file and click Finish. You’ll need this CSR file for the next step.
Create the Self-Signed Certificate
Now that we have the Certificate Signing Request, we can create the self-signed certificate for the domain we need (it’s sonar.k2vsoftware.com for me). Copy the following command to a .cmd file and execute it with the necessary arguments.
:: Command line arguments:
:: %1 - Name of the CSR file
:: %2 - Self-Signed cert name
:: %3 - Root CA name
:: %4 - X509 v3 Cert extensions file name
openssl x509 -req -in %1.csr -CA %3.pem -CAkey %3.key -CAcreateserial -out %2.crt -days 1825 -sha256 -extfile %4.ext
The command requires 4 command line arguments: the name of the CSR file we created earlier, a name for the self-signed certificate, the name of the Certificate Authority Root Certificate, and the file name of the X.509 v3 certificate extensions file. This extensions file includes the alternative names. By default, the command creates an X.509 v1 certificate; providing these extensions creates the X.509 v3 certificate we require. The .ext extensions file should contain the following.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = sonar.k2vsoftware.com
What’s important is the [alt_names] section, where you define the DNS entries that will be used as the Subject Alternative Name (SAN). As DNS.1 we define the domain we want to use (in my case it’s sonar.k2vsoftware.com). Let’s execute the command with the relevant arguments.
You need to provide the password for the CA root certificate when prompted, and you will get 2 files as the output: the certificate file .crt and a .crl file, which is the Certificate Revocation List file that identifies whether a certificate has been revoked or not.
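The whole CA, CSR and signing sequence from the scripts above, collapsed into one POSIX shell function as an added example (not the post's own .cmd scripts), with a final check that the issued certificate really carries the SAN extension. It generalizes the ext file to several DNS names and IP addresses; the CA key is left unencrypted so the script runs without prompts, and the host names in the usage call are constructed.

```shell
#!/bin/sh
# Added example: CA -> CSR -> signed certificate with SAN, then verification.
# Requires the openssl CLI; all file names below are derived from the arguments.
set -eu

# make_san_cert WORKDIR DOMAIN [EXTRA_SAN...]   extra SANs: host names or IP:a.b.c.d
# Prints the SAN line of the issued certificate; fails if any step fails.
make_san_cert() {
    dir="$1"; domain="$2"; shift 2
    mkdir -p "$dir"
    ca="$dir/rootCA"; srv="$dir/$domain"

    # 1. Root CA. Unencrypted key (-nodes) keeps this non-interactive; the post
    #    uses -des3 and prompts for a passphrase instead.
    openssl genrsa -out "$ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$ca.key" -sha256 -days 1825 \
        -subj "/CN=Local Dev Root CA" -out "$ca.pem" 2>/dev/null

    # 2. Server key and CSR. The CN is still set, but Chrome 58+ ignores it.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$domain" \
        -keyout "$srv.key" -out "$srv.csr" 2>/dev/null

    # 3. v3 extensions file: the post's entries plus a serverAuth EKU and the
    #    extra SANs. DNS.n / IP.n only need unique suffixes within [alt_names].
    {
        printf 'authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\n'
        printf 'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n'
        printf '[alt_names]\nDNS.1 = %s\n' "$domain"
        n=2
        for san in "$@"; do
            case "$san" in
                IP:*) printf 'IP.%d = %s\n' "$n" "${san#IP:}" ;;
                *)    printf 'DNS.%d = %s\n' "$n" "$san" ;;
            esac
            n=$((n + 1))
        done
    } > "$srv.ext"

    # 4. Sign the CSR with the CA. -CAcreateserial writes the serial-number
    #    file rootCA.srl next to the CA certificate.
    openssl x509 -req -in "$srv.csr" -CA "$ca.pem" -CAkey "$ca.key" -CAcreateserial \
        -out "$srv.crt" -days 1825 -sha256 -extfile "$srv.ext" 2>/dev/null

    # 5. Verify the chain to the CA and return the SAN line for inspection.
    openssl verify -CAfile "$ca.pem" "$srv.crt" >/dev/null
    openssl x509 -in "$srv.crt" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1
}
```

Call it as `make_san_cert ./certs sonar.k2vsoftware.com IP:127.0.0.1`; the printed line should list every DNS name and IP address, which is exactly what Chrome checks against the URL.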
Now we have created the self-signed certificate we need. What you need to do next is use the created self-signed certificate in the web application you need. (For example, complete the certificate request created in IIS and use the certificate in the HTTPS binding of one of your applications. Then install the CA Root Certificate in the Trusted Root Certification Authorities section of the Local Computer.)
After you have installed the certificate in the application, you also need to import the Certificate Authority Root Certificate into Chrome’s Trusted Root Certification Authorities section (you’ll have to do the same for other browsers as well, e.g. Firefox). You can use the following command to convert the .pem file we created for the CA Root to a .cer file (or .crt file). Copy the following command to a .cmd file and execute it with the necessary arguments.
:: Command line arguments
:: %1 - Name of the .pem file
:: %2 - Name of the output .cer file
openssl x509 -outform der -in %1.pem -out %2.cer
You will get a single output from the execution, which is the .cer file created from the .pem file. Import the certificate file into Chrome to complete the work.
This completes the work: you will now get the green padlock in the address bar and the warning screen will not appear. That is it for this article, I’ll see you in the next one.