Thursday, 30 November 2017

Creating Certificates - Google Chrome issue

Here's some tips for you if you are creating your own server certificates.

Google Chrome requires your certificate have a SAN - Subject Alternative Name entry even if the certificate is only going to have a single name. You therefore need to add the main i.e. sole name as a SAN entry as well.

Note: If your certificate genuinely needs two or more names i.e. the main plus additional ones you should always add the main as a SAN entry along with the additional names.

For example lets say your certificate is for your certificate would have a main name of and a DNS type SAN entry also of

Safari does not complain if you don't have a SAN entry but Google Chrome does.

I personally find using the free XCA tool far easier to work with especially with regards to adding SAN entries than trying to do this via the command line with openssl. XCA is a Java app that acts as a front-end to openssl. See

You can either use XCA to just create the CSR - Certificate Signing Request and include the SAN entries in the CSR or you can use it to create self-signed certificates completely also with SAN entries.

Note: Apple's Keychain Access tool does not let you define SAN entries.

No comments:

Post a Comment