Fixing Chrome 58 – NET::ERR_CERT_AUTHORITY_INVALID error

As of Chrome 58, SSL certificates must have a “Subject Alternative Name” (SAN) field; the “Common Name” (CN) alone is no longer sufficient. This breaks many self-signed certificates on dev machines.

If you previously had a working self-signed certificate and now you see the “NET::ERR_CERT_AUTHORITY_INVALID” error, these steps should fix the issue:

1. Remove the old self-signed certificate from Chrome

  • Settings
  • Search for “Certificate” in the search box
  • Click on: “Manage Certificates”
  • Navigate to: “Authorities”
  • Find your certificate in the list
  • Delete

2. Create a new certificate

Locate your openssl.cnf. On Arch it’s located in /etc/ssl/openssl.cnf

Then execute:

(cat /etc/ssl/openssl.cnf; printf '\n[SAN]\nsubjectAltName=DNS:example.com\n') > /tmp/openssl.cnf

This will generate a temporary OpenSSL config file with subject alternative name for example.com (adjust accordingly).

sudo openssl req -newkey rsa:4096 -keyout example.key -x509 -nodes -out example.crt -subj /CN=example.com -reqexts SAN -extensions SAN -config /tmp/openssl.cnf -days 3650

This will generate example.key and example.crt. Copy these into the appropriate location for your web server and restart the web server.

3. Add certificate to user cert db

certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n example.crt -i example.crt 

This step makes it unnecessary to import the certificate in Chrome. Chrome will trust certificates from the user cert db.

4. Restart Chrome

Just closing the browser window might not be sufficient. Make sure that there are no remaining Chrome instances.
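
To confirm that the SAN from step 2 actually ended up in example.crt, and that it covers the hostname you browse to, you can inspect the certificate with openssl. The following is an added example, not part of the original post; the function names cert_san_dns, san_covers and make_sample_cert are hypothetical, and make_sample_cert only builds throwaway certificates for trying out the check.

```shell
# Added example (not from the original post). Function names are hypothetical.
# Chrome 58+ matches hostnames against subjectAltName only, never the CN.

# Print the DNS names in a certificate's SAN extension, one per line.
cert_san_dns() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n +2 |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Succeed if $2 equals a SAN DNS name or matches a left-most-label wildcard.
san_covers() {
    cert=$1 host=$2
    names=$(cert_san_dns "$cert")
    while IFS= read -r name; do
        if [ "$name" = "$host" ]; then return 0; fi
        case $name in
            \*.*)
                # "*.example.com" covers "dev.example.com", not "a.b.example.com"
                rest=${host#*.}
                if [ "$rest" != "$host" ] && [ "*.$rest" = "$name" ]; then
                    return 0
                fi ;;
        esac
    done <<EOF
$names
EOF
    return 1
}

# Build a throwaway self-signed cert for trying the check (constructed sample).
# $1 = output prefix, $2 = CN, $3 = SAN value, or empty for a CN-only cert.
make_sample_cert() {
    cfg="$1.cnf"
    printf '[dn]\nCN=%s\n[req]\ndistinguished_name=dn\n[SAN]\nsubjectAltName=%s\n' \
        "$2" "${3:-DNS:unused.invalid}" > "$cfg"
    if [ -n "$3" ]; then ext="-extensions SAN"; else ext=""; fi
    # $ext is intentionally unquoted so it splits into two arguments
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
        -subj "/CN=$2" -days 1 -config "$cfg" $ext 2>/dev/null
}
```

Run `san_covers example.crt example.com && echo ok` against the certificate from step 2; a CN-only certificate fails the check even though its CN matches.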

An alternative quick and dirty workaround is to start Chrome with the --ignore-certificate-errors command line switch.

For additional info these Stack Overflow threads might be helpful: 1, 2

Update:

You might need to delete previously cached HSTS settings in Chrome. You can do so by deleting the settings for a domain on Chrome’s HSTS settings page: chrome://net-internals/#hsts
