
My internet box provider offers me a free subdomain to connect to my network, e.g. xxxxx.provider.com

I have generated a self-signed certificate for the subdomain foo.provider.com. I tried to install it in Windows, but it does not validate my certificate: NET::ERR_CERT_COMMON_NAME_INVALID

Is it possible to generate a self-signed certificate for a subdomain when the main domain name does not belong to us?

  • Are you using Chrome or MSEdge, and did you create the cert to contain SubjectAlternativeName (SAN) _in addition to_ Subject.CommonName? Chrome and new-MSEdge require that, and otherwise give the somewhat misleading error you show. If so dupe https://serverfault.com/questions/1100986/chrome-shows-err-cert-common-name-invalid-when-firefox-is-happy and cross https://security.stackexchange.com/questions/172440/generate-x509-err-cert-common-name-invalid . – dave_thompson_085 Nov 20 '22 at 01:01
  • Thanks, it's exactly that. I added -addext "subjectAltName = DNS:xxxx.provider.com" and it works perfectly :) – Pascal de Sélys Nov 20 '22 at 11:53

2 Answers

A self-signed certificate won't be trusted by any browser. What is the purpose of the certificate? If you need a certificate that will work in browsers, you can use Let's Encrypt.

Mircea Vutcovici

The comment to my post by dave_thompson_085 helped me solve this.

I added -addext "subjectAltName = DNS:xxxx.provider.com" and reimported the certificate into Windows, and it works fine now.

Here is the command I used to generate my self-signed certificate:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -addext "subjectAltName = DNS:xxxx.provider.com" -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

I then answered Common Name (e.g. server FQDN or YOUR name) []: xxxx.provider.com

I then imported the certificate into my certificate manager in Windows and it worked.
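
The SAN requirement discussed in this thread can be checked before a certificate is imported. The script below is an added example, not part of the original posts: it builds two throwaway self-signed certificates for the page's placeholder host (one with only a Common Name, one with a subjectAltName) and reports whether each lists the host as a SAN dNSName. The function names are illustrative, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: checks whether a certificate names a host in its
# subjectAltName (SAN) extension. The certificates are throwaway ones
# constructed for the demo; xxxx.provider.com is the page's placeholder.

# Print the dNSName entries of the SAN extension, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' |
        sed -n 's/^ *DNS:\([^ ]*\) *$/\1/p'
}

# Succeed only if the host is listed as a SAN dNSName.
# Exact, case-insensitive match; wildcard entries are not expanded.
san_covers_host() {
    san_dns_names "$1" | grep -qixF -- "$2"
}

# make_cert PREFIX CN [SAN]: write PREFIX.key and PREFIX.crt (self-signed).
make_cert() {
    if [ -n "${3:-}" ]; then
        openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "/CN=$2" \
            -addext "subjectAltName = $3" \
            -keyout "$1.key" -out "$1.crt" 2>/dev/null
    else
        openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "/CN=$2" \
            -keyout "$1.key" -out "$1.crt" 2>/dev/null
    fi
}

# report CERT HOST: one line saying whether the SAN covers the host.
report() {
    if san_covers_host "$1" "$2"; then
        echo "$1: SAN covers $2"
    else
        echo "$1: no SAN entry for $2 (Chrome/Edge: ERR_CERT_COMMON_NAME_INVALID)"
    fi
}

demo_dir=$(mktemp -d)
make_cert "$demo_dir/cn-only" xxxx.provider.com
make_cert "$demo_dir/with-san" xxxx.provider.com "DNS:xxxx.provider.com"
report "$demo_dir/cn-only.crt" xxxx.provider.com
report "$demo_dir/with-san.crt" xxxx.provider.com
rm -rf "$demo_dir"
```

To check a real certificate, call `san_covers_host` with the certificate path and the exact host name typed into the browser.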