Where to Put SAN in Certificate: Understanding the Role of Root CA and Server Certificates
I managed things to fit together; it's true, the CA certificate does not need to have a SAN in it, as the server certificate which gets signed by the CA is the candidate in which to include the SAN.
I am answering all my own questions from my original post, which hopefully helps to unravel my somewhat mixed and twisted question style:
- In which certificate does the SAN go?
  Into the srv.crt
- Am I right to assume it's not the Root CA certificate which I can import into Chromium via Settings > Manage certificates > Authorities tab?
  No, it's indeed the Root CA certificate; the SAN will be provided by srv.crt during server requests, with the CA only guaranteeing trust to the endpoint being requested.
- When reading the statement from Google exactly, one might think it should be done. If so, how to do this?
  The process is shown below.
- How to provide the result to Chromium?
  The same way as before (in the original question).
This solves my issue (<...>: anonymous placeholder):
- Generate Root CA certificate and key (no SAN included):
  openssl req -new -x509 -days 365 -extensions v3_ca -keyout ca.key -out ca.crt -subj "/C=<C>/ST=<ST>/L=<L>/O=<O>/OU=<OU>/CN=$(hostname)/emailAddress=<emailAddress>"
- Generate server-side private key:
  openssl genrsa -out srv.key 2048
- Generate signing request for server certificate (SAN included, openssl.cnf unchanged; the printf must emit the [SAN] header and the subjectAltName line on separate lines, otherwise the section is empty):
  openssl req -new -sha256 -key srv.key -subj "/C=<C>/ST=<ST>/L=<L>/O=<O>/OU=<OU>/CN=$(hostname)/emailAddress=<emailAddress>" -reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:$(hostname)")) -out srv.csr
- Generate signed server certificate (SAN included, openssl.cnf unchanged; openssl x509 -req does not copy extensions from the CSR, so the SAN section is passed again via -extfile):
  openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:$(hostname)")) -in srv.csr -out srv.crt
By placing ca.crt, srv.crt, and srv.key on the server, and importing ca.crt into Chromium, TLS requests now work like a charm on any desktop browser, but not in browsers on Android, which is my next question.