I have generated a self-signed certificate with subject alternative names for the server alias and the IP address. I have imported the certificate into the Windows Trusted Root Certification Authorities store. Chrome accepts the certificate for a URL from the SAN but rejects the URL stated in the Subject.
OpenSSL:

openssl req -x509 -newkey rsa:4096 -sha256 -days 999 -nodes \
-keyout nginx.key -out nginx.crt -subj '/CN= \
-extensions san \
-config <(echo '[req]'; echo 'distinguished_name=req'; echo '[san]'; echo 'subjectAltName=DNS:X.eu,DNS:re1.X.eu,DNS:10.105.1.11')

The certificate:

Subject: CN =
Subject Alternative Name: DNS Name=sandbox.X.eu DNS Name=re1.X.eu DNS Name=10.105.1.11

This URL fails with "This site is missing a valid, trusted certificate (net::ERR_CERT_COMMON_NAME_INVALID)."

Chrome accepts this URL:
Where is the problem?
21 Answer
In HTTPS, the CN field is not merged with subjectAltName – rather, it is completely ignored when the SAN extension has any domains in it. So whatever domain you have in the CN you must add to SAN as well.
In fact you could even leave out CN from the Subject entirely, as all TLS clients support SAN.
RFC 2818: HTTP Over TLS, section 3.1 "Server Identity":
If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used.
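The RFC 2818 rule above can be checked against OpenSSL's own verifier, which applies the same logic (CN is consulted only when the certificate carries no dNSName SAN, and an IP literal is matched only against iPAddress entries). The script below is an added example, not code from the question or the answer: it builds three self-signed certificates and reports which of the names OpenSSL accepts. The names sandbox.X.eu, re1.X.eu and 10.105.1.11 are taken from the question; cn-only.X.eu is an assumed stand-in for the CN that the question elides. It needs the openssl command-line tool and writes into a temporary directory.

```shell
#!/bin/sh
# Added example (not from the question or answer). Generates three self-signed
# certificates and asks `openssl verify` which names it accepts, reproducing the
# RFC 2818 rule: CN is used only when there is no dNSName SAN, and an IP literal
# is matched only against iPAddress SAN entries.
# sandbox.X.eu, re1.X.eu and 10.105.1.11 come from the question;
# cn-only.X.eu is an assumed stand-in for the question's (elided) CN.
# Requires the openssl command-line tool.

# make_cert DIR CN SAN -- SAN is a subjectAltName value, or "" for no SAN at all.
make_cert() {
    dir=$1; cn=$2; san=$3
    mkdir -p "$dir"
    # Non-interactive DN; the [san] section is only written (and only selected
    # with -extensions) when a SAN value was given.
    {
        printf '[req]\ndistinguished_name = req_dn\nprompt = no\n'
        printf '[req_dn]\nCN = %s\n' "$cn"
        if [ -n "$san" ]; then printf '[san]\nsubjectAltName = %s\n' "$san"; fi
    } > "$dir/san.cnf"
    ext=""
    if [ -n "$san" ]; then ext="-extensions san"; fi
    # $ext is deliberately unquoted so it expands to two arguments (or none).
    openssl req -x509 -newkey rsa:2048 -sha256 -days 30 -nodes \
        -keyout "$dir/nginx.key" -out "$dir/nginx.crt" \
        -config "$dir/san.cnf" $ext 2>/dev/null
}

# check_host CERT NAME -- exit 0 if OpenSSL accepts CERT for the DNS name NAME.
# The self-signed cert is passed as its own trust anchor via -CAfile.
check_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# check_ip CERT IP -- exit 0 if OpenSSL accepts CERT for the IP literal IP
# (only iPAddress SAN entries are considered; CN and dNSName are ignored).
check_ip() {
    openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

# show LABEL CERT -- print accepted/rejected for each of the names in question.
show() {
    printf '%s:\n' "$1"
    for name in cn-only.X.eu sandbox.X.eu re1.X.eu; do
        if check_host "$2" "$name"; then r=accepted; else r=rejected; fi
        printf '  DNS %-14s %s\n' "$name" "$r"
    done
    if check_ip "$2" 10.105.1.11; then r=accepted; else r=rejected; fi
    printf '  IP  %-14s %s\n' 10.105.1.11 "$r"
}

WORK=$(mktemp -d)
# 1. Same shape as the question: CN absent from SAN, IP stored as a dNSName.
make_cert "$WORK/broken" cn-only.X.eu 'DNS:sandbox.X.eu,DNS:re1.X.eu,DNS:10.105.1.11'
# 2. Fixed: CN repeated in SAN, IP stored as an iPAddress entry.
make_cert "$WORK/fixed"  cn-only.X.eu 'DNS:cn-only.X.eu,DNS:sandbox.X.eu,DNS:re1.X.eu,IP:10.105.1.11'
# 3. No SAN extension: the legacy CN fallback from RFC 2818 still applies.
make_cert "$WORK/cnonly" cn-only.X.eu ''
show "CN not in SAN (as in the question)"  "$WORK/broken/nginx.crt"
show "CN repeated in SAN, IP as iPAddress" "$WORK/fixed/nginx.crt"
show "No SAN extension (CN fallback)"      "$WORK/cnonly/nginx.crt"
rm -rf "$WORK"
```

Run it as a plain script: the first certificate is rejected for cn-only.X.eu (the CN is ignored because dNSName entries exist) and for the IP (a dNSName of "10.105.1.11" is not an iPAddress entry, which is what `-verify_ip`, and likewise Chrome, match an IP URL against); the second is accepted for every name; the third shows that the CN is only honoured when the SAN extension is absent altogether. The fix for the question's certificate is therefore the second config: list the CN's name under DNS: and the address under IP: in subjectAltName.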