Where to Put SAN in Certificate: Understanding the Role of Root CA and Server Certificates

I managed to get things to fit together; it’s true that the CA certificate does not need to have a SAN in it, since the server certificate which gets signed by the CA is the one that should include the SAN.

  • I am answering all my own questions from my original post, which hopefully helps to unravel my somewhat mixed and twisted question-style:
    1. In which certificate does the SAN go?
      Into the srv.crt
    2. Am I right to assume it’s not the Root CA certificate which I can import into Chromium via Settings > Manage certificates > Authorities Tab?
      No, it’s indeed the Root CA certificate; SAN will be provided by srv.crt during server requests, with the CA only guaranteeing trust to the endpoint being requested.
    3. When reading the statement from Google exactly, one might think it should be done. If so, how to do this?
      The process is shown below
    4. How to provide the result to Chromium?
      The same way as before (in the original question)

This solves my issue (<...>: anonymous placeholder):

  1. Generate Root CA certificate and key (no SAN included):
    openssl req -new -x509 -days 365 -extensions v3_ca -keyout ca.key -out ca.crt -subj "/C=<C>/ST=<ST>/L=<L>/O=<O>/OU=<OU>/CN=$(hostname)/emailAddress=<emailAddress>"
    
  2. Generate server-side private key:
    openssl genrsa -out srv.key 2048
    
  3. Generate signing request for server certificate (SAN included, openssl.cnf unchanged):
    openssl req -new -sha256 -key srv.key -subj "/C=<C>/ST=<ST>/L=<L>/O=<O>/OU=<OU>/CN=$(hostname)/emailAddress=<emailAddress>" -reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:$(hostname)")) -out srv.csr
    
  4. Generate signed server certificate (SAN included, openssl.cnf unchanged):
    openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:$(hostname)")) -in srv.csr -out srv.crt
    

By placing ca.crt, srv.crt, and srv.key on the server, and importing ca.crt into Chromium, TLS requests now work like a charm on any desktop browser, but not in browsers on Android, which is my next question.
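The four steps above, carried through as a self-contained script with a verification pass at the end. This is an added example, not the poster's commands: it uses its own minimal OpenSSL config instead of /etc/ssl/openssl.cnf (so it runs on any box with openssl in PATH), and the host name example.test and the organisation name "Example Lab" are made-up placeholders. The check functions confirm what the answer states: srv.crt chains to ca.crt, srv.crt carries the SAN, and ca.crt carries none.

```shell
#!/bin/sh
# Added example (not the original poster's commands): build a root CA without a
# SAN, a server certificate with a SAN, and verify where the SAN ended up.
set -eu

# make_certs DIR HOSTNAME
# Writes ca.key, ca.crt, srv.key, srv.csr and srv.crt into DIR.
make_certs() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    cnf="$dir/ext.cnf"
    # Minimal config: [v3_ca] is what the CA gets, [srv_ext] is what the
    # server certificate gets. Only the latter contains subjectAltName.
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. Root CA certificate and key (no SAN); -nodes = unencrypted key for the demo
    openssl req -new -x509 -days 365 -newkey rsa:2048 -nodes \
        -config "$cnf" -extensions v3_ca \
        -subj "/O=Example Lab/CN=Example Lab Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server private key
    openssl genrsa -out "$dir/srv.key" 2048 2>/dev/null
    # 3. Signing request; the CN is informational, browsers match on the SAN
    openssl req -new -sha256 -key "$dir/srv.key" -config "$cnf" \
        -subj "/O=Example Lab/CN=$host" -out "$dir/srv.csr" 2>/dev/null
    # 4. Sign with the CA, attaching the [srv_ext] section (this is where the SAN lives)
    openssl x509 -req -days 365 -sha256 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$cnf" -extensions srv_ext \
        -in "$dir/srv.csr" -out "$dir/srv.crt" 2>/dev/null
}

# has_san CERT HOSTNAME -> exit 0 if CERT's subjectAltName lists DNS:HOSTNAME
has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -q "DNS:$2"
}

# chain_ok CAFILE CERT -> exit 0 if CERT verifies against CAFILE
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: write everything to ./demo-pki and report the checks.
if [ "${1:-}" = "run" ]; then
    make_certs ./demo-pki example.test
    chain_ok ./demo-pki/ca.crt ./demo-pki/srv.crt && echo "srv.crt chains to ca.crt"
    has_san ./demo-pki/srv.crt example.test && echo "srv.crt has SAN DNS:example.test"
    has_san ./demo-pki/ca.crt example.test || echo "ca.crt has no SAN (as expected)"
fi
```

Run it as `sh script.sh run`. One detail worth knowing about step 4: `openssl x509 -req` does not copy extensions from the CSR (OpenSSL 3 adds a `-copy_extensions` option, but the default is still not to), which is why the SAN has to be supplied again with `-extfile`/`-extensions` at signing time even though the CSR already contained it.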
