TLS Certificate and its SAN name
I was requested to import a company Certificate Authority (CA) signed certificate to replace the default self-signed cert of an appliance. The appliance is able to generate the Certificate Signing Request (CSR) file; we submit the CSR to the CA, get the CA-signed cert, and import it into the appliance. Everything is smooth.
However, when we examine the HTTPS webpage in Chrome, even though the root CA and the intermediate CA are installed on the local workstation, Chrome complains about “ERR_CERT_COMMON_NAME_INVALID”…
Simulating the Certificate Generation
Let's mock up the process of certificate generation. The commands listed are all non-interactive for automation purposes.
1. Create a CA
openssl genrsa -out myca.key 4096
openssl req -x509 -new -key myca.key -out myca.pem -sha256 -subj '/CN=myca'
2. Generate a CSR
openssl genrsa -out dp.key 4096
openssl req -new -key dp.key -out dp.csr -subj '/CN=myserver.xyz.com'
3. CA sign and create the cert
openssl x509 -req -in dp.csr -sha256 -CA myca.pem -CAkey myca.key -CAcreateserial -days 365 -out dp.crt
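The three steps above as one script, with a check added for the subjectAltName (SAN) extension, which is what Chrome matches the hostname against. This is an added example, not part of the original post; `check_san`, `build_and_check` and `KEY_BITS` are names made up here.

```bash
#!/usr/bin/env bash
# Added example: replay steps 1-3 in a scratch directory, then report
# whether the signed certificate carries a subjectAltName extension.

KEY_BITS="${KEY_BITS:-4096}"   # 4096 as on the page; override to run faster

# Prints "san-present" or "san-missing" for the certificate file in $1.
check_san() {
    if openssl x509 -in "$1" -noout -text |
        grep -q 'X509v3 Subject Alternative Name'; then
        echo "san-present"
    else
        echo "san-missing"
    fi
}

# Runs the page's three steps for the CN given in $1 and prints the
# check_san verdict for the resulting dp.crt.
build_and_check() {
    local cn="$1" dir rc
    dir="$(mktemp -d)" || return 1
    (
        cd "$dir" || exit 1
        {
            # 1. Create a CA
            openssl genrsa -out myca.key "$KEY_BITS" &&
            openssl req -x509 -new -key myca.key -out myca.pem -sha256 \
                -subj '/CN=myca' &&
            # 2. Generate a CSR (subject only, no extensions requested)
            openssl genrsa -out dp.key "$KEY_BITS" &&
            openssl req -new -key dp.key -out dp.csr -subj "/CN=$cn" &&
            # 3. CA signs the CSR and creates the cert
            openssl x509 -req -in dp.csr -sha256 -CA myca.pem \
                -CAkey myca.key -CAcreateserial -days 365 -out dp.crt
        } >/dev/null 2>&1 || exit 1
        check_san dp.crt
    )
    rc=$?
    rm -rf "$dir"   # scratch keys and certs are throwaway
    return "$rc"
}

# Run directly (not sourced): check the hostname used on the page.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    build_and_check myserver.xyz.com
fi
```
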