In Chrome 58 and later, a certificate whose subject Common Name (CN) matches the requested host name is no longer enough for a secure connection; Chrome rejects it with ERR_CERT_COMMON_NAME_INVALID. For example, this happens when accessing https://localhost with a certificate issued with CN=localhost.
Since Chrome 58, the DNS name in the Subject Alternative Name extension of an X.509 v3 certificate is what gets verified. Reference: Qiita, "How to make a certificate that won't make Chrome angry".
When issuing a self-signed certificate with keytool, specify the DNS name as a Subject Alternative Name option. The domain name must always be in A.B.C or A.B.C.D form; because of keytool restrictions, it seems that you cannot specify wildcards or suffix formats that start with.
keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -ext san=dns:sample.localhost.com -keystore "tomcat.jks" -validity 3650
Please enter the keystore password: (keystore password)
Please re-enter your new password: (keystore password)
What is your first and last name?
[Unknown]: sample.localhost.com (Host name for verification)
What is the organizational unit name?
[Unknown]: Capybara
What is your organization name?
[Unknown]: Capybara
What is the city or region name?
[Unknown]: Shinagawa
What is the state or province name?
[Unknown]: Tokyo
What is the two-letter country code for this unit?
[Unknown]: JP
Is CN=sample.localhost.com, OU=Capybara, O=Capybara, L=Shinagawa, ST=Tokyo, C=JP correct?
[No]: y
After the certificate has been issued, configure tomcat.jks as the keystore of any servlet container and start it. Also add sample.localhost.com to the hosts file, mapped to 127.0.0.1, so that the host name resolves to the local machine.
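The following is an added example, not code from the original article, that shows why the SAN entry matters: it performs the host name check the way Chrome 58 and later do, looking only at the subjectAltName DNS entries and ignoring the CN entirely. The certificates are constructed dicts in the layout returned by Python's ssl.SSLSocket.getpeercert(), not real certificates, and the wildcard rules (whole leftmost label only, exactly one label, never covering a bare TLD) are a simplified reading of RFC 6125 assumed for this example.

```python
"""
Host name verification as Chrome 58+ performs it: only subjectAltName dNSName
entries are consulted; the subject Common Name (CN) is ignored.

Sample certificates below are constructed dicts shaped like the output of
ssl.SSLSocket.getpeercert(); they are not real certificates.
"""
from __future__ import annotations


def _dns_names(cert: dict) -> list:
    """Collect the DNS entries of the subjectAltName extension (may be empty)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _label_matches(pattern: str, host: str) -> bool:
    """Match one SAN dNSName pattern against a host name.

    Simplified RFC 6125 rules (an assumption of this example):
    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard is allowed only as the entire leftmost label
    - the wildcard matches exactly one label, never zero or several
    - a pattern such as '*.com' (fewer than two fixed labels) is rejected
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:  # '*.com' would cover an entire TLD
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches(cert: dict, host: str) -> tuple:
    """Return (accepted, reason) for a connection to `host` presenting `cert`."""
    names = _dns_names(cert)
    if not names:
        # This is the Chrome 58 change: a matching CN alone no longer helps.
        return False, "ERR_CERT_COMMON_NAME_INVALID: no subjectAltName DNS entries (CN is ignored)"
    if any(_label_matches(name, host) for name in names):
        return True, "subjectAltName matches"
    return False, "ERR_CERT_COMMON_NAME_INVALID: no SAN entry matches " + host


# Constructed sample certificates (getpeercert() layout), not real ones.
CN_ONLY_CERT = {"subject": ((("commonName", "localhost"),),)}
SAN_CERT = {
    "subject": ((("commonName", "sample.localhost.com"),),),
    "subjectAltName": (("DNS", "sample.localhost.com"),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.localhost.com"),),),
    "subjectAltName": (("DNS", "*.localhost.com"),),
}

CASES = {
    "cn-only/localhost": (CN_ONLY_CERT, "localhost"),
    "san/sample.localhost.com": (SAN_CERT, "sample.localhost.com"),
    "san/other.localhost.com": (SAN_CERT, "other.localhost.com"),
    "wildcard/api.localhost.com": (WILDCARD_CERT, "api.localhost.com"),
    "wildcard/deep.api.localhost.com": (WILDCARD_CERT, "deep.api.localhost.com"),
    "wildcard/localhost.com": (WILDCARD_CERT, "localhost.com"),
}


def demo() -> dict:
    """Run every case and return {case name: accepted}."""
    return {name: hostname_matches(cert, host)[0] for name, (cert, host) in CASES.items()}


if __name__ == "__main__":
    for name, (cert, host) in CASES.items():
        accepted, reason = hostname_matches(cert, host)
        print(f"{name:35} {'OK ' if accepted else 'FAIL'} {reason}")
```

Only the second and fourth cases pass: the CN-only certificate is rejected even though its CN is exactly the requested host, which is the behaviour the article describes. To confirm that the SAN actually landed in the keystore you generated, `keytool -list -v -keystore tomcat.jks` prints the certificate's extensions, including SubjectAlternativeName.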