Since Chrome 58, a self-signed certificate without a Subject Alternative Name (SAN) is no longer accepted; the browser matches the hostname against the SAN extension, not the Common Name. The steps below generate a self-signed certificate that carries a SAN.
openssl genrsa -des3 -out example.com.key 2048
openssl req -new -key example.com.key -out example.com.csr
Enter pass phrase for example.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:XX
State or Province Name (full name) []:State
Locality Name (eg, city) [Default City]:City
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:BU
Common Name (eg, your name or your server's hostname) []:*.example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
cp example.com.key example.com.key.org
openssl rsa -in example.com.key.org -out example.com.key
touch v3.ext
Contents of v3.ext:
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName = DNS:example.com, DNS:*.example.com
issuerAltName = issuer:copy
openssl x509 -req -in example.com.csr -signkey example.com.key -out example.com.crt -days 3650 -sha256 -extfile v3.ext
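The whole procedure above, as an added example that is not part of the original post: run non-interactively (no passphrase, so the cp/rsa steps are unnecessary), with an IP entry in the SAN as discussed in the comments, and finishing with the check that the SAN actually ended up in the certificate. It assumes openssl is on PATH; the file names and the address 203.0.113.10 are constructed for the example.

```shell
#!/bin/sh
# Added example, not the post's own script. Generates NAME.key / NAME.csr /
# NAME.crt for a wildcard name plus an IP SAN, then prints the SAN line so the
# result can be checked before it is installed anywhere.
set -eu

# make_san_cert NAME IP -> prints the Subject Alternative Name line of NAME.crt
make_san_cert() {
    name="$1"
    ip="$2"

    # Key and CSR in one step. -nodes leaves the key unencrypted, which is
    # what the post's "cp ... ; openssl rsa" steps achieve afterwards.
    # -subj replaces the interactive Distinguished Name prompts.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$name.key" -out "$name.csr" \
        -subj "/C=XX/ST=State/L=City/O=Company/OU=BU/CN=*.$name"

    # Extension file: same shape as the post's v3.ext, with an IP: entry
    # (the key is "IP", not "IPAddress"). CA:FALSE because this is a server
    # certificate, not an issuer; keyUsage is trimmed to what TLS needs.
    cat > "$name.v3.ext" <<EOF
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name, DNS:*.$name, IP:$ip
EOF

    # Self-sign the CSR and attach the extensions from the file.
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -out "$name.crt" \
        -days 3650 -sha256 -extfile "$name.v3.ext"

    # Check: the line after "Subject Alternative Name" lists the names that
    # Chrome 58+ will match against. If it is missing, the -extfile step failed.
    openssl x509 -in "$name.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Stand-alone use: ./make_san_cert.sh example.com 203.0.113.10
if [ "$#" -ge 1 ]; then
    make_san_cert "$1" "${2:-127.0.0.1}"
fi
```

The printed line should read DNS:example.com, DNS:*.example.com, IP Address:203.0.113.10; inspect the same output with "openssl x509 -noout -text" on any certificate that Chrome rejects.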
Thank you very much! There are so many contradictory and incomplete posts and comments... But this one is the best.
For those who stumble upon problems with an IP address (an error like "No subject alternative names matching IP address ... found"): you need to add it to subjectAltName as well. But the key should be "IP" instead of "DNS" (not "IPAddress", or you get an error like "unsupported option:crypto/x509/v3_san.c:632:name=IPAddress").