moondaisy

Reputation: 4481

Getting net::ERR_CERT_COMMON_NAME_INVALID

I'm getting this error on Chrome (v 59.0.3071.109). I have tried a couple of answers without any luck.

This is what shows in the security tab:

The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address
There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).

I followed this tutorial to create the certificate with these values:

CN = localhost
OU = ort
O = ort
L = montevideo
S = MVD
C = UY

And this is my host https://localhost:8181/Gateway-war/

So far I have tried:

In all the cases I restarted Chrome before trying it out.

Maybe my CN should be something more than localhost? Any ideas are welcome.

Upvotes: 7

Views: 33967

Answers (2)

MoleIsKing

Reputation: 131

You need to create a certificate with the "Subject Alternative Name". If using Windows, one can use PowerShell. The certificate will be stored in the Windows register. You can access the certificates via certlm.msc, which can then be exported to a drive in certmgr.msc. An example of a certificate with "Subject Alternative Name" is below, using the TextExtension parameter on New-SelfSignedCertificate.

New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -NotAfter (Get-Date).AddYears(10) -FriendlyName "My Network Name" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -TextExtension @("2.5.29.17={text}dns=*.example.com&ipaddress=192.168.1.1")

Upvotes: 4

always_a_rookie

Reputation: 4830

When you have configured your certificate right, you don't have to do all those workarounds to make it work. All you have to do is to add the SubjectAltName extension in your certificate to make the browser happy.

I assume you must be using a self-signed certificate. If so, your certificate must look like this for the 'SubjectAltName' extension. You could use the keystore-explorer (open-source GUI for keytool) to generate your certificate like this:

certificate

If it is CA signed, you need to make sure you send these extension attributes in your CSR.

Upvotes: 5
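
A simplified model of the SAN-only hostname check behind this error, as an added example that is not part of the question or either answer. Certificates are dicts in the shape Python's ssl.getpeercert() returns, the sample certificates are constructed from the values on this page, and the function names are hypothetical.

```python
import ipaddress

# Added example: simplified SAN-only name matching; function names are hypothetical.
def san_entries(cert):
    """Split the subjectAltName of an ssl.getpeercert()-style dict into DNS names and IPs."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips

def dns_matches(pattern, host):
    """Exact match, or a leading '*' standing for exactly one non-empty label."""
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) > 1:
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def check_host(cert, host):
    """Return 'ok', 'no-san' or 'mismatch'; the subject CN is never consulted."""
    dns, ips = san_entries(cert)
    if not dns and not ips:
        return "no-san"
    try:
        return "ok" if ipaddress.ip_address(host) in ips else "mismatch"
    except ValueError:
        pass  # not an IP literal: compare against the DNS entries instead
    host = host.lower().rstrip(".")
    return "ok" if any(dns_matches(p, host) for p in dns) else "mismatch"

# Constructed sample certificates (not real certificate data).
QUESTION_CERT = {"subject": ((("commonName", "localhost"),),)}  # CN only, as in the question
FIXED_CERT = {"subject": ((("commonName", "localhost"),),),
              "subjectAltName": (("DNS", "localhost"), ("IP Address", "127.0.0.1"))}
ANSWER_CERT = {"subjectAltName": (("DNS", "*.example.com"),
                                  ("IP Address", "192.168.1.1"))}  # values from the first answer

if __name__ == "__main__":
    for label, cert, host in [("question", QUESTION_CERT, "localhost"),
                              ("fixed", FIXED_CERT, "localhost"),
                              ("fixed", FIXED_CERT, "127.0.0.1"),
                              ("answer", ANSWER_CERT, "www.example.com"),
                              ("answer", ANSWER_CERT, "localhost")]:
        print(f"{label:9} {host:16} -> {check_host(cert, host)}")
```

The SAN list has to name every host the site is actually opened with: a DNS entry for localhost does not cover https://127.0.0.1, and a wildcard entry covers only one label below its base domain.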
