TLS Certificate and its SAN name

Zhimin Wen
3 min readApr 3, 2022
Image by David Mark from Pixabay

I was asked to import a company Certificate Authority (CA) signed certificate to replace the default self-signed cert of an appliance. The appliance can generate the Certificate Signing Request (CSR) file; we submit the CSR to the CA, get the CA-signed cert back, and import it into the appliance. Everything went smoothly.

However, when we open the HTTPS page in Chrome, even though the root CA and the intermediate CA are installed on the local workstation, Chrome complains with “ERR_CERT_COMMON_NAME_INVALID”.

Simulating the Certificate Generation

Let's mock up the certificate generation process. All of the commands listed are non-interactive, for automation purposes.

1. Create a CA

openssl genrsa -out myca.key 4096
openssl req -x509 -new -key myca.key -out myca.pem -sha256 -subj '/CN=myca'

2. Generate a CSR

openssl genrsa -out dp.key 4096
openssl req -new -key dp.key -out dp.csr -subj '/CN=myserver.xyz.com'

3. Sign the CSR with the CA and create the cert

openssl x509 -req -in dp.csr -sha256 -CA myca.pem -CAkey myca.key -CAcreateserial -days 365 -out dp.crt

Test the certificate with Chrome

Let’s run the following minimal Go HTTPS server to test the TLS certificate.

package main

import (
	"fmt"
	"log"
	"net/http"
	"time"
)

func greet(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "Hello World! %s", time.Now())
}

func main() {
	http.HandleFunc("/", greet)
	// Serve with the CA-signed cert and key from step 3; exit if it fails to start.
	log.Fatal(http.ListenAndServeTLS(":8080", "dp.crt", "dp.key", nil))
}

Import the CA into the local system. On my MacBook, use Keychain Access to import myca.pem and mark it as trusted for all users.

Update the /etc/hosts file so that the 127.0.0.1 entry also resolves the server name myserver.xyz.com.

When browsing to https://myserver.xyz.com
