As of Chrome 58, SSL certificates must have a “Subject Alternative Name” (SAN) field; “Common Name” (CN) alone is no longer sufficient. This breaks many self-signed certificates on dev machines.
If you previously had a working self-signed certificate and now you see the “NET::ERR_CERT_AUTHORITY_INVALID” error, these steps should fix the issue:
1. Remove the old self-signed certificate from Chrome
- Search for “Certificate” in the search box
- Click on: “Manage Certificates”
- Navigate to: “Authorities”
- Find your certificate in the list
2. Create a new certificate
Locate your openssl.cnf. On Arch it’s located in /etc/ssl/openssl.cnf
(cat /etc/ssl/openssl.cnf; printf '\n[SAN]\nsubjectAltName=DNS:example.com\n') > /tmp/openssl.cnf
This will generate a temporary OpenSSL config file with a subject alternative name for example.com (adjust accordingly). printf is used because echo does not expand \n in every shell.
sudo openssl req -newkey rsa:4096 -keyout example.key -x509 -nodes -out example.crt -subj /CN=example.com -reqexts SAN -extensions SAN -config /tmp/openssl.cnf -days 3650
This will generate example.key and example.crt. Copy these into the appropriate location for your web server and restart the web server.
3. Add certificate to user cert db
certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n example.crt -i example.crt
This step makes it unnecessary to import the certificate in Chrome. Chrome will trust certificates from the user cert db.
4. Restart Chrome
Just closing the browser window might not be sufficient. Make sure that there are no remaining Chrome instances.
An alternative quick-and-dirty workaround is to start Chrome with the --ignore-certificate-errors command line switch.
You might need to delete previously cached HSTS settings in Chrome. You can do so by deleting the settings for a domain on Chrome’s HSTS settings page: chrome://net-internals/#hsts
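Before restarting the web server, it is worth confirming that the certificate from step 2 really carries the SAN, since a CN-only certificate is exactly what Chrome 58 rejects. The script below is an added example, not part of the original post: the function names make_cert and cert_has_san, the minimal stand-alone config and the 2048-bit key are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: create a self-signed certificate with or without a SAN,
# then check whether a given DNS name is listed as a SAN.

# make_cert HOST OUTDIR [san|cn-only] -> writes OUTDIR/HOST.key and OUTDIR/HOST.crt
make_cert() {
    host=$1; outdir=$2; mode=${3:-san}
    cnf=$(mktemp) || return 1
    # Minimal config written inline, so the system openssl.cnf path does not matter.
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[SAN]
subjectAltName = DNS:$host
EOF
    ext=""
    if [ "$mode" = san ]; then ext="-extensions SAN"; fi
    # $ext is intentionally unquoted so it splits into option and value.
    openssl req -newkey rsa:2048 -nodes -x509 -days 3650 \
        -keyout "$outdir/$host.key" -out "$outdir/$host.crt" \
        $ext -config "$cnf" 2>/dev/null; rc=$?
    rm -f "$cnf"
    chmod 600 "$outdir/$host.key" 2>/dev/null   # private key: owner only
    return $rc
}

# cert_has_san CERT HOST -> exit status 0 only if CERT lists DNS:HOST as a SAN
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tr -d ' ' | tr ',' '\n' | grep -Fxq "DNS:$2"
}

# Demo with constructed host names, in a throwaway directory.
demo=$(mktemp -d)
make_cert example.com "$demo" san
make_cert legacy.test "$demo" cn-only
for h in example.com legacy.test; do
    if cert_has_san "$demo/$h.crt" "$h"; then
        echo "$h: SAN present"
    else
        echo "$h: no SAN (CN only)"
    fi
done
rm -rf "$demo"
```

The same cert_has_san check can be pointed at an existing example.crt to tell whether it needs to be regenerated.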