Self-signed SSL certificates in Chrome 58

Since Let's Encrypt, encrypted web pages have become standard. SSL certificates are also indispensable for local development (for example, navigator.geolocation requires SSL encryption locally as well). Since version 58, Chrome has abandoned support for the CN (Common Name) and made the SAN (Subject Alternative Name) mandatory instead. As a result, Chrome suddenly stopped accepting SSL certificates created in the traditional way.


You can use online tools like ZeroSSL to create certificates, or use start parameters like --ignore-certificate-errors or the flag chrome://flags/#allow-insecure-localhost to get Chrome to work without valid certificates. However, we want to use OpenSSL to create locally self-signed certificates that contain a SAN and are fully accepted by Chrome. This one-liner takes care of everything necessary (only www.tld.local has to be exchanged for the desired domain):


Since OpenSSL unfortunately has no direct arguments to specify a SAN, a config file is created first, OpenSSL is called with it, and the file is then deleted. Windows users can simply execute this command either with the help of Cygwin (and bash -c "...") or with the new WSL. The two resulting files, www.tld.local.key and www.tld.local.cert, can then be selected, for example, in MAMP.
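
The config-file approach described above, written out as a shell function. This is an added example, not the original one-liner from this post; the function names make_san_cert and cert_san, the RSA 2048 key, the 365-day default validity and the extensions other than subjectAltName are assumptions.

```shell
#!/bin/sh
# Added example (not the post's original one-liner).
# make_san_cert and cert_san are hypothetical helper names.
# Usage: make_san_cert www.tld.local   -> www.tld.local.key / www.tld.local.cert

make_san_cert() {
    local domain="$1"
    local days="${2:-365}"        # assumed default validity
    local rc=0
    local cfg
    cfg="$(mktemp)" || return 1   # temporary OpenSSL config file

    # The SAN has to be supplied through the config file.
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no

[dn]
CN = ${domain}

[v3_req]
subjectAltName   = DNS:${domain}
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

    # umask 077 keeps the unencrypted private key readable by the owner only.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
          -keyout "${domain}.key" -out "${domain}.cert" \
          -config "$cfg" 2>/dev/null ) || rc=1

    rm -f "$cfg"                  # the config file is only needed for this call
    return "$rc"
}

# Print the SAN line of a certificate so it can be checked before importing it.
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
```

Running cert_san on the generated .cert file shows whether the SAN made it into the certificate before it is imported into a trust store.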


Windows users then import the certificate under "Manage User Certificates" (certmgr) into the "Trusted Root Certification Authorities" store.


Finally, restart Chrome (chrome://restart) and enjoy the green lock.
