Jason.Jan

Reputation: 61

Chrome does not trust HTTPS and shows ERR_SSL_SERVER_CERT_BAD_FORMAT

I followed this page to create my SSL certificate.
I used openssl to create the rootCA and server certificates.

But Chrome shows this page.
The openssl commands are as follows:

"[Apache install path]\bin" openssl genrsa -des3 -out rootCA.key 2048
"[Apache install path]\bin" openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3560 -extensions v3_req -out rootCA.pem

Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taipei
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CR
Organizational Unit Name (eg, section) []:IT section 
Common Name (eg, server FQDN or YOUR name) []:localhost
Email Address []:cr@localhost

Then I installed rootCA.pem into the OS trusted certificates (my OS is Windows 10).
Then I generated the CSR:

set OPENSSL_CONF=[Apache install path]\conf\openssl.cnf (This is apache default)
openssl genrsa -out server.key 2048

Only the Common Name differs from the rootCA; it is set to "html_12".

openssl req -new -key server.key -out server.csr 
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256 -extensions v3_req

And the Apache settings in httpd-ssl.conf:

SSLCertificateFile "D:/xampp/Apache2.2_win32/conf/server.crt" 
SSLCertificateKeyFile "D:/xampp/Apache2.2_win32/conf/server.key"

The settings in httpd-vhosts.conf are the same:

<VirtualHost *:80>
    DocumentRoot "E:/PHP_TEST"
    ServerName html_12
    ErrorLog "logs/html_12M-error.log"
    CustomLog "logs/html_12M-access.log" common
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile "D:/xampp/Apache2.2_win32/conf/server.crt"
    SSLCertificateKeyFile "D:/xampp/Apache2.2_win32/conf/server.key"
    SSLCACertificateFile "D:/xampp/Apache2.2_win32/conf/rootCA.pem"
</VirtualHost>

This happened after updating Chrome to 61.0.3163.79; I don't know if it's related to Chrome.

Before I updated, it just showed "Your connection is not private", and I could click "Advanced" to continue my work.

I also set chrome://flags/#allow-insecure-localhost (Allow invalid certificates for resources loaded from localhost) to Enabled.
But I still have the same problem.

Is there anything else I can do to trust my localhost certificate?

Upvotes: 3

Views: 4967

Answers (2)

user1031431

Reputation: 1555

If you have the original .csr and private key of the original certificate, you can solve it only by changing openssl.conf.

You add this to the file:

[alt_names]
DNS.1=html_12

... and you can generate the certificate again:

openssl x509 -signkey private.key -in request.csr -req -days 365 -out cert-newcert.cer

Upvotes: 0

Jason.Jan

Reputation: 61

I have solved this problem.

I had to create a file v3.ext in the same directory as openssl.

File content:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = TW
ST = Taiwan
L = Taipei
O = CR
OU = It
CN = html_12
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=html_12

Then run this command to generate the key and crt files:

openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -keyout server.key -out server.crt -config v3.ext -extensions v3_req

Then put the files in Apache.
It works.

Upvotes: 2
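
An added example, not code from the question or either answer: the fix above depends on the certificate carrying a `subjectAltName`, and `openssl x509 -req` only adds extensions it reads from `-extfile`, which the question's signing command does not pass. The script signs a CSR with a local root CA both ways and reports whether the SAN is present; the function names, file names and `san.ext` contents are assumptions, and `html_12` is the host name from the page.

```shell
# Added example: local root CA plus a server certificate that carries a SAN.
# File names, function names and the san.ext layout are illustrative assumptions.
set -e

make_ca() {        # $1 = working directory
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Local Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 30 \
    -config "$1/ca.cnf" -keyout "$1/rootCA.key" -out "$1/rootCA.pem"
}

sign_server() {    # $1 = working directory, $2 = host name, $3 = san | nosan
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$2" \
    > "$1/csr.cnf"
  openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$1/csr.cnf" \
    -keyout "$1/server.key" -out "$1/server.csr"
  printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$2" \
    > "$1/san.ext"
  # x509 -req adds only the extensions it reads from -extfile.
  if [ "$3" = san ]; then
    openssl x509 -req -in "$1/server.csr" -CA "$1/rootCA.pem" -CAkey "$1/rootCA.key" \
      -CAcreateserial -sha256 -days 30 -out "$1/server.crt" -extfile "$1/san.ext"
  else
    openssl x509 -req -in "$1/server.csr" -CA "$1/rootCA.pem" -CAkey "$1/rootCA.key" \
      -CAcreateserial -sha256 -days 30 -out "$1/server.crt"
  fi
}

has_san() {        # $1 = certificate file, $2 = host name expected in the SAN
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

work=$(mktemp -d)  # scratch directory; html_12 is the host name from the question
make_ca "$work"
for mode in nosan san; do
  sign_server "$work" html_12 "$mode"
  if has_san "$work/server.crt" html_12; then echo "$mode: SAN present"
  else echo "$mode: SAN missing"; fi
done
rm -rf "$work"
```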
