
I'm running my own CA. My new cert's desired CSR has CN papaya. I'm looking to add some local domain structure with subjectAltName, but browsers are rejecting the added domains.

This is my openssl.cnf used for signing:

[req]
default_md = sha256
req_extensions = v3_req

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = papaya
DNS.2 = *.papaya
DNS.3 = localhost

Connecting to https://localhost or https://whatever.papaya then makes Firefox 45 puke with

localhost uses an invalid security certificate.
The certificate is only valid for the following names: papaya, *.papaya, localhost
Error code: SSL_ERROR_BAD_CERT_DOMAIN

I'd say this is some confusing stuff, since the error message seems to indicate everything is correct. Only https://papaya works though.

To add to the confusion, on Chrome 49, https://localhost also works. Unfortunately https://whatever.papaya still does not.

I've used this exact procedure to output multiple real-world FQDN certs, but never for local single word domains, hence the confusion.

What am I missing?

lkraav
  • More http://security.stackexchange.com/questions/6873/can-a-wildcard-ssl-certificate-be-issued-for-a-second-level-domain/ – lkraav Mar 10 '16 at 20:16
  • The solution to my problem is likely going to be creating a parallel local "throwaway" CA, that makes it easy to add new domains. My master CA is attached to a smart card, which may be too inconvenient to use for this purpose. – lkraav Mar 10 '16 at 20:24
  • And finally, http://xca.sourceforge.net is a great piece of certificate and authority management software. – lkraav Mar 10 '16 at 23:24
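The comment above points at the wildcard-on-a-second-level-domain question, which is the rule that matters for https://whatever.papaya: browsers only honour a wildcard DNS name when at least two labels follow the asterisk, so "*.papaya" is treated like "*.com" and never matches. The following is an added illustration, not code from the question or from OpenSSL, of the hostname-matching logic a client applies to a certificate's subjectAltName list (RFC 6125 section 6.4.3 semantics plus the two-labels-after-the-wildcard restriction used by mozilla::pkix and Chromium). The SAN list is copied from the question's [alt_names] section; the function names and the reason strings are this example's own. It does not model the Firefox 45 behaviour for https://localhost reported in the question.

```python
"""Check a hostname against a certificate's dNSName SAN entries the way
browsers do, to show why 'whatever.papaya' cannot match '*.papaya'."""

# Constructed from the [alt_names] section in the question.
SAN_FROM_QUESTION = ["papaya", "*.papaya", "localhost"]


def _labels(name):
    """Normalise a DNS name: case-insensitive, ignore a trailing dot."""
    return name.strip().lower().rstrip(".").split(".")


def match_dnsid(presented, reference):
    """Return (matched, reason) for one SAN dNSName against one hostname.

    presented: the dNSName from the certificate, possibly with a wildcard.
    reference: the hostname the client connected to.
    """
    p = _labels(presented)
    r = _labels(reference)

    if "*" not in presented:
        # Plain name: exact label-by-label comparison.
        return (p == r, "exact match" if p == r else "no match")

    # RFC 6125: the wildcard must be the whole left-most label, nowhere else.
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return (False, "wildcard is not the entire left-most label")

    # Browser restriction (mozilla::pkix, Chromium): at least two labels must
    # follow the wildcard, so '*.papaya' is rejected like '*.com' would be.
    if len(p) - 1 < 2:
        return (False, "wildcard needs at least two labels after it")

    # The wildcard matches exactly one label; the rest must be identical.
    if len(r) != len(p):
        return (False, "wildcard matches exactly one label")
    if p[1:] != r[1:]:
        return (False, "parent labels differ")
    return (True, "wildcard match")


def check_host(san_names, hostname):
    """True if any SAN entry matches hostname; mirrors what a browser decides."""
    return any(match_dnsid(n, hostname)[0] for n in san_names)


def explain(san_names, hostname):
    """Per-entry reasons, useful when debugging a rejected certificate."""
    return {n: match_dnsid(n, hostname) for n in san_names}


if __name__ == "__main__":
    for host in ("papaya", "localhost", "whatever.papaya"):
        print(host, "->", check_host(SAN_FROM_QUESTION, host))
        for entry, (ok, why) in explain(SAN_FROM_QUESTION, host).items():
            print("   ", entry, ok, why)
```

Running it shows "papaya" and "localhost" accepted and "whatever.papaya" rejected with the reason "wildcard needs at least two labels after it". The practical consequence for a private CA is to either list each local host explicitly in [alt_names] or put the local hosts under a two-label suffix (for example *.lan.papaya) so that a wildcard has two labels to its right.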

0 Answers