MorphicPro

Reputation: 2902

What is the correct way to generate a self-signed cert for *.localhost ('wildcard')

I can't for the life of me get Chrome to work with a wildcard cert ("*.localhost").

Here is what I'm doing to generate said cert.

First I gen my CA

# CA private key and self-signed CA certificate
openssl genrsa -out priv/cert/ca.key 2048
openssl req -new -x509 -nodes \
    -subj "/C=US/O=_Development CA/CN=Development certificates" \
    -key priv/cert/ca.key -sha256 -days 3650 -out priv/cert/ca.crt

Then I gen my localhost

# Server private key and CSR (CN is the wildcard name)
openssl genrsa -out priv/cert/localhost.key 2048
openssl req -new -subj "/C=US/O=Local Development/CN=*.localhost" \
    -key priv/cert/localhost.key -out priv/cert/localhost.csr

Then I make my ext file

# Default (unnamed) section: this is what `openssl x509 -req -extfile`
# applies when no -extensions section is given
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

# The [req]/[req_ext] sections are only read by `openssl req`, not by the
# x509 signing step below; they are harmless here
[req]
req_extensions = req_ext
[req_distinguished_name]
commonName_default = localhost
[req_ext]
subjectAltName = @alt_names

# SAN entries referenced by both sections above
[alt_names]
DNS.1 = *.localhost
DNS.2 = foo.localhost
DNS.3 = localhost

Then I sign.

openssl x509 -req \
    -in priv/cert/localhost.csr \
    -extfile priv/cert/localhost.ext \
    -CA priv/cert/ca.crt \
    -CAkey priv/cert/ca.key \
    -CAcreateserial \
    -out priv/cert/localhost.crt \
    -days 365 \
    -sha256

After trusting my crt and navigating locally to, say, localhost or foo.localhost I get all green, but if I go to, say, bar.localhost the wildcard does not work and I get a NET::ERR_CERT_COMMON_NAME_INVALID in Chrome.

What am I missing here? I've addressed the Subject Alternative Name; I've ruled out that SAN via foo works. Common name does not even matter anymore from what I read. I'm at a loss.

Upvotes: 2

Views: 6721

Answers (1)

Steffen Ullrich

Reputation: 123320

TL;DR: Browsers will not accept *.localhost in a certificate.

In *.localhost the localhost suffix is treated as a top-level domain (TLD), and wildcards directly below a TLD are not allowed. The idea behind this is basically that no single organization actually owns a TLD like com, and thus allowing a certificate for *.com would be pretty dangerous. Therefore *.localhost will not be accepted, while *.foo.localhost will.

For more on this see "Wildcard *.localhost SSL with Nginx and Chrome" and "Can a wildcard SSL certificate be issued for a second level domain?".

Upvotes: 10
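To make the two rules from this answer concrete, here is an added Python example (not code from either poster) that models how a browser decides whether a dNSName SAN entry covers a requested hostname: the wildcard must be the whole left-most label and matches exactly one label, and a wildcard sitting directly on a TLD or public suffix is rejected outright. Real browsers consult the full Public Suffix List; the PUBLIC_SUFFIXES set below is a small constructed stand-in that includes localhost so the question's certificate can be checked against localhost, foo.localhost and bar.localhost, alongside the *.foo.localhost alternative the answer suggests.

```python
"""Model of browser wildcard-SAN acceptance (added example, not from the post).

Rule 1 (RFC 6125 style): "*" may only be the entire left-most label and
        matches exactly one label, never zero or several.
Rule 2 (browser policy): a wildcard directly under a TLD / public suffix
        such as "*.com" or "*.localhost" is refused regardless of hostname.
"""

# Constructed stand-in for the Public Suffix List. Browsers use the real,
# much longer list; "localhost" is included here because the answer explains
# that browsers treat it as a TLD for this purpose.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "localhost"}

# The SAN entries from the question's localhost.ext file.
QUESTION_SANS = ["*.localhost", "foo.localhost", "localhost"]


def wildcard_allowed(san: str) -> bool:
    """True if `san` is either a plain name or a wildcard a browser would honour."""
    san = san.lower().rstrip(".")
    if "*" not in san:
        return True
    labels = san.split(".")
    # The wildcard must be the whole left-most label: "f*.example.com" is out.
    if labels[0] != "*" or any("*" in label for label in labels[1:]):
        return False
    rest = labels[1:]
    # "*.localhost" / "*.com": only one label after the wildcard -> refused.
    if len(rest) < 2:
        return False
    # "*.co.uk": everything after the wildcard is itself a public suffix.
    return ".".join(rest) not in PUBLIC_SUFFIXES


def san_matches(san: str, hostname: str) -> bool:
    """Does one dNSName SAN entry cover `hostname` (case-insensitive)?"""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not wildcard_allowed(san):
        return False
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    if any(label == "" for label in host_labels):
        return False  # malformed hostname such as ".foo.localhost"
    if san_labels[0] != "*":
        return san_labels == host_labels  # exact match only
    # Wildcard covers exactly one label; the remaining labels must be equal.
    return (len(host_labels) == len(san_labels)
            and host_labels[1:] == san_labels[1:])


def cert_covers(san_entries, hostname: str) -> bool:
    """True if any SAN entry in the certificate covers `hostname`."""
    return any(san_matches(san, hostname) for san in san_entries)


if __name__ == "__main__":
    for host in ("localhost", "foo.localhost", "bar.localhost"):
        print(f"{host:20} covered by question cert: {cert_covers(QUESTION_SANS, host)}")
    for host in ("bar.foo.localhost", "foo.localhost", "a.b.foo.localhost"):
        print(f"{host:20} covered by *.foo.localhost: {cert_covers(['*.foo.localhost'], host)}")
```

Running it shows why the question's certificate behaves the way it does: localhost and foo.localhost pass because DNS.3 and DNS.2 are exact matches, while bar.localhost fails because the only entry that could cover it, *.localhost, is a wildcard directly on a public suffix and is discarded before any matching takes place. Swapping the SAN to *.foo.localhost covers bar.foo.localhost, but not foo.localhost itself (the wildcard needs one label to consume) and not a.b.foo.localhost (it never spans two labels), so a dev setup wanting both needs separate SAN entries.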
