Since Chrome version 58, Chrome requires SSL certificates to carry the Subject Alternative Name (SAN) extension instead of relying on the Common Name (CN); CN matching is no longer supported. This affects self-signed certificates in particular. The fix is to generate the certificate with X509v3 extensions, since the Subject Alternative Name is an X509v3 extension.
- generate star_lanxic.cool.csr
$ openssl req -new -key star_lanxic.cool.key -out star_lanxic.cool.csr -subj "/C=ID/ST=Bali/L=Denpasar/O=LanxicMyid/OU=lanxic Development/CN=*.lanxic.cool/emailAddress=lanxic@gmail.com"
- create the config file v3.ext
$ vi v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.lanxic.cool
For more detail about these extensions, see the x509v3_config manual page in the references.
- generate the new star_lanxic certificate.
$ openssl x509 -req -in star_lanxic.cool.csr -CA LanxicRootCA.crt -CAkey LanxicRootCA.key -CAcreateserial -out star_lanxic.cool.crt -days 730 -sha256 -extfile v3.ext
- compare the old and the newly generated certificate. First the old one:
alex@Alex-Laptop:/etc/nginx/ssl$ openssl x509 -text -in star_lanxic.cool.crtx -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 10440550123851985228 (0x90e449056fdbb14c)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=ID, ST=jkt, L=jkt, O=LanxicMyId, OU=devops, CN=lanxic.cool/emailAddress=lanxic@gmail.com
        Validity
            Not Before: Dec 9 15:32:16 2016 GMT
            Not After : Dec 9 15:32:16 2018 GMT
        Subject: C=ID, ST=JAKARTA, L=Denpasar, O=LanxicMyId, OU=Lanxic Development, CN=*.lanxic.cool/emailAddress=lanxic@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a3:e1:d5:6f:0a:f1:66:4e:91:f5:c2:2c:a4:70:
                    ...
                    67:c1
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         bc:bb:be:9f:e7:fb:29:70:fc:07:8c:02:d8:a4:19:ea:a0:28:
         ...
         2b:ca:48:66
The old certificate is still version 1. Now check the new certificate, which is version 3:
alex@Alex-Laptop:/etc/nginx/ssl$ openssl x509 -text -in star_lanxic.cool.crt -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10440550123851985231 (0x90e449056fdbb14f)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=ID, ST=jkt, L=jkt, O=LanxicMyId, OU=devops, CN=lanxic.cool/emailAddress=lanxic@gmail.com
        Validity
            Not Before: Apr 25 05:39:31 2017 GMT
            Not After : Apr 25 05:39:31 2019 GMT
        Subject: C=ID, ST=Bali, L=Denpasar, O=LanxicMyid, OU=lanxic Development, CN=*.lanxic.cool/emailAddress=lanxic@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a3:e1:d5:6f:0a:f1:66:4e:91:f5:c2:2c:a4:70:
                    ...
                    67:c1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:C8:9C:F4:BLBLBL:74:98:D9:95:24:BLANABLLBLAL
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                DNS:*.lanxic.cool
    Signature Algorithm: sha256WithRSAEncryption
         a1:98:82:c1:36:58:fa:c5:07:6f:a9:f8:a8:98:2d:00:41:a6:
         ...
         4d:7a:e3:d8
Now you can see that the certificate is version 3 and that the X509v3 Subject Alternative Name extension is present.
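As an added example (not part of the original post), the script below reproduces both signings against a throwaway root CA and then checks each result the way Chrome 58+ does: the hostname is accepted only if the SAN extension is present and matches. The CA subject, the file names and the temporary directory are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not from the original post: sign one CSR twice, without and
# with the v3.ext file from the post, then check each certificate the way
# Chrome 58+ does (a name matches only if it appears in the SAN).
# All paths, subjects and the throwaway CA are constructed for this demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"

make_v3_ext() {            # same extension file as in the post
    cat > "$WORK/v3.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.lanxic.cool
EOF
}

make_certs() {             # throwaway CA, one CSR, signed without and with v3.ext
    make_v3_ext
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/O=Demo CA/CN=demo-root" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=LanxicMyid/CN=*.lanxic.cool" \
        -keyout "$WORK/star.key" -out "$WORK/star.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/star.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -sha256 -out "$WORK/star_v1.crt" 2>/dev/null
    openssl x509 -req -in "$WORK/star.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$WORK/v3.ext" -out "$WORK/star_v3.crt" 2>/dev/null
}

san_dns() {                # print the SAN entries of a cert; empty when the extension is absent
    openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Subject Alternative Name/{n;s/^ *//;p;}'
}

chrome58_accepts() {       # cert "$1" for host "$2": SAN must exist AND chain+hostname must verify
    [ -n "$(san_dns "$1")" ] || return 1
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

make_certs
for c in star_v1 star_v3; do
    if chrome58_accepts "$WORK/$c.crt" www.lanxic.cool; then r=accepted; else r=rejected; fi
    echo "$c: SAN='$(san_dns "$WORK/$c.crt")' -> $r"
done
```

Note that plain `openssl verify -verify_hostname` would still accept the CN-only certificate, because OpenSSL falls back to the CN when no SAN is present; the explicit SAN check is what reproduces Chrome's behaviour.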
References:
– https://groups.google.com/a/chromium.org/forum/#!topic/chromium-reviews/5K_q_PbQ11E
– https://www.thesslstore.com/blog/security-changes-in-chrome-58/
– https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Subject-Alternative-Name
– https://bugs.chromium.org/p/chromium/issues/detail?id=700595&desc=2