How to add subjectAltName values to server.crt?

Problems with the Windows version of XAMPP, questions, comments, and anything related.


Postby TomXampp » 21. April 2017 17:24

Chrome now (v.58) requires all self-signed SSL certificates to have a Subject Alternative Name entry with 'localhost' specified, else it will not load your localhosted site (you can whitelist it in Chrome's advanced settings, but the message INSECURE with a slash through the HTTPS will appear in the URL bar, which is beyond annoying).

There are NUMEROUS instructions online for generating SSL files that contain the Subject Alternative Name entry, as well as the other info needed to create a legitimate SSL certificate. The most comprehensive and useful instructions I found are here: https://stackoverflow.com/questions/21297139/how-do-you-sign-certificate-signing-request-with-your-certification-authority/21340898#21340898.

Sadly, even though following those instructions to the letter does produce a well-formed PEM file that contains all of the necessary fields, the file is NOT readable by XAMPP.

I've been using this routine for generating SSL certificates for use with XAMPP, which is the default routine in makecert.bat:

rem Generate a new key (written to privkey.pem, passphrase-protected) and a CSR; the subject fields are prompted interactively
bin\openssl req -new -out server.csr
rem Strip the passphrase from the key so Apache can load it at startup without prompting
bin\openssl rsa -in privkey.pem -out server.key
rem Self-sign the CSR for one year; with no -extfile the result is a v1 certificate without any subjectAltName
bin\openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365


Using the default openssl.cnf file, it works, but it does not have the necessary commands for creating the subjectAltName values, and no amount of editing it has worked for me.

Could someone please explain how to edit the default openssl.cnf file as well as whatever modifications to makecert.bat are necessary to enable this? I predict this will quickly become an issue as developers begin to use Chrome 58+.

Many thanks
TomXampp
 
Posts: 59
Joined: 12. March 2015 03:58
Operating System: Windows 8.1
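As an added illustration of the Chrome 58 behaviour described in the post above (this is example code written for this page, not part of the original thread, of XAMPP or of Chrome), here is a small Python model of how Chrome 58 matches the URL host against a certificate: only subjectAltName entries are consulted and the Common Name is ignored. The certificate records and host names are constructed sample data. The wildcard and IP rules follow RFC 6125 and RFC 2818; the refusal to match a dNSName entry that merely looks like an IP address is the reason an openssl alt_names section must use IP.n rather than DNS.n for addresses.

```python
import ipaddress

# Constructed sample certificates, not real ones. "san" holds (type, value)
# pairs as they appear in the X509v3 Subject Alternative Name extension.
CN_ONLY_CERT = {"cn": "localhost", "san": []}   # what the default makecert.bat flow yields
SAN_CERT = {
    "cn": "your.domain",
    "san": [("DNS", "localhost"), ("DNS", "*.your.domain"), ("DNS", "your.domain"),
            ("DNS", "127.0.0.2"),        # wrong: an IP literal stored as dNSName never matches
            ("IP", "127.0.0.1")],        # right: iPAddress entry
}


def _match_dns(pattern: str, host: str) -> bool:
    """Match one dNSName entry against a host name (RFC 6125 section 6.4.3).

    Comparison is case-insensitive. A wildcard is accepted only as the whole
    left-most label, matches exactly one label, and must leave at least two
    labels after it (browsers reject wildcards that would cover a whole TLD).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def host_matches_cert(host: str, cert: dict) -> bool:
    """Chrome 58 rule: the host must match a SAN entry; the CN is not consulted.

    An IP literal in the URL is compared only against iPAddress entries, so a
    DNS.n line holding "127.0.0.1" in an openssl alt_names section is useless.
    """
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in cert.get("san", []):
        if kind == "IP" and ip is not None:
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue                  # malformed IP entry, skip it
        elif kind == "DNS" and ip is None and _match_dns(value, host):
            return True
    return False


def demo() -> dict:
    """Evaluate the sample certificates against typical localhost URLs."""
    return {
        "cn_only/localhost": host_matches_cert("localhost", CN_ONLY_CERT),
        "san/localhost": host_matches_cert("LocalHost", SAN_CERT),
        "san/www.your.domain": host_matches_cert("www.your.domain", SAN_CERT),
        "san/your.domain": host_matches_cert("your.domain", SAN_CERT),
        "san/a.b.your.domain": host_matches_cert("a.b.your.domain", SAN_CERT),
        "san/127.0.0.1": host_matches_cert("127.0.0.1", SAN_CERT),
        "san/127.0.0.2": host_matches_cert("127.0.0.2", SAN_CERT),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22} {'match' if ok else 'NO MATCH'}")
```

The CN-only record is the shape of certificate the unmodified makecert.bat produces; it fails for every host under this rule, which is exactly the Chrome 58 error the thread is about, while the record with a SAN passes for localhost and the wildcard host but not for the IP address that was written as a DNS entry.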

Re: How to add subjectAltName values to server.crt?

Postby Nobbie » 22. April 2017 02:25

TomXampp wrote:I predict this will quickly become an issue as developers begin to use Chrome 58+.


I don't think so. I have been using XAMPP for many years and I never needed a certificate, as I never needed the HTTPS protocol for my private localhost. And for a production environment I would go for a professional certificate.
Nobbie
 
Posts: 13171
Joined: 09. March 2008 13:04

Re: How to add subjectAltName values to server.crt?

Postby TomXampp » 22. April 2017 02:58

I've used XAMPP for many years, as well, and I also use a professional certificate for my live sites. For my localhost development, however, I'm using HTTPS/SSL for consistency. You should try doing it.
TomXampp
 
Posts: 59
Joined: 12. March 2015 03:58
Operating System: Windows 8.1

Re: How to add subjectAltName values to server.crt?

Postby Nobbie » 22. April 2017 03:23

TomXampp wrote:You should try doing it.


What for? I don't miss it and can't find any use.
Nobbie
 
Posts: 13171
Joined: 09. March 2008 13:04

Re: How to add subjectAltName values to server.crt?

Postby TomXampp » 22. April 2017 03:42

Because you asserted that because you haven't done localhost https in the past, no one else will experience the problem. That is illogical.

See these Google results for "chrome 58 subject alternate name" for a gauge of how many people have noticed this and are trying to solve it:

https://www.google.com/search?site=&source=hp&q=chrome+58+subject+alternate+name&oq=chrome+58+subject+alternate+name

And, if you truly want to help, you could simply set up your localhost for https and then find the solution using openssl, which is the provided method for making ssl certificates with XAMPP. That would be a truly helpful response.
TomXampp
 
Posts: 59
Joined: 12. March 2015 03:58
Operating System: Windows 8.1

Re: How to add subjectAltName values to server.crt?

Postby Nobbie » 22. April 2017 03:54

TomXampp wrote:And, if you truly want to help, you could simply set up your localhost for https and then find the solution using openssl, which is the provided method for making ssl certificates with XAMPP. That would be a truly helpful response.


I am not interested in that issue and do not want to help on it either, as I cannot find any use. I am simply a user of XAMPP and I simply don't need HTTPS on localhost. Why should I waste my time solving your private problem, which isn't a XAMPP problem anyway? It's also a well-known problem that Google and Chrome have their own understanding of security; if you don't like it, simply use another browser, which is at least a very helpful hint in my mind. I am not interested in going any deeper into this problem.
Nobbie
 
Posts: 13171
Joined: 09. March 2008 13:04

Re: How to add subjectAltName values to server.crt?

Postby TomXampp » 22. April 2017 06:26

Then you shouldn't have responded in the first place.

It is a XAMPP problem, in that it is as much about generating a certificate that the Apache server in XAMPP will accept as well as Chrome. This I discovered in the process of trying out various proposed solutions, some of which produced perfectly acceptable certificates for Chrome but which were problematic for XAMPP, reason unknown (i.e., you could register the certificate with Windows and Chrome, both of which accepted it, but the Apache server in XAMPP fell over when it tried to read it as part of its boot-up procedure).

Eventually, after many hours spent on a problem that is causing others to swear at Google (see some of the posts), I found a way to generate a certificate and matching key that Chrome accepts and XAMPP/Apache is happy with, but which *Firefox* rejects. &*$#%$!!! I'd post what I've discovered, but there certainly must be a one-size-fits all solution to this, and the Firefox problem makes me doubt the method I've employed.
TomXampp
 
Posts: 59
Joined: 12. March 2015 03:58
Operating System: Windows 8.1

Re: How to add subjectAltName values to server.crt?

Postby Nobbie » 22. April 2017 16:18

TomXampp wrote:Then you shouldn't have responded in the first place.


Nonsense. It is not your responsibility to decide who may write here and who may not. Even more, you shouldn't have asked about your problem here, as it is beyond the scope of this forum. You may only decide whether you would like to read my postings or not. Nothing else.
Nobbie
 
Posts: 13171
Joined: 09. March 2008 13:04

Re: How to add subjectAltName values to server.crt?

Postby TomXampp » 22. April 2017 16:41

I find it amusing that you continue to respond to this thread when you've already expressed lack of interest in the actual subject matter.

Setting up an https localhost is germane to XAMPP if you are interested in site security and wish to reproduce conditions of the live site for the purposes of testing CSP headers in your .htaccess file on your localhost. The Expect-CT header is one soon to be enforced by Chrome, and getting it right on localhost first before deploying it to a live site is prudent.
TomXampp
 
Posts: 59
Joined: 12. March 2015 03:58
Operating System: Windows 8.1

Re: How to add subjectAltName values to server.crt?

Postby Nobbie » 23. April 2017 00:27

I find it amusing that you continue to read my responses, as you even wanted to prohibit them. The rest of your posting is still your highly subjective opinion; I do not agree, no matter how often you repeat it. Wrong understandings do not get better through repetition.
Nobbie
 
Posts: 13171
Joined: 09. March 2008 13:04

Re: How to add subjectAltName values to server.crt?

Postby TomXampp » 23. April 2017 00:43

(This is hysterical. I haven't wanted to prohibit your responses at all. You've already made it extremely clear that you disagree with the very notion of anyone setting up their Apache localhost server differently than you have.)

For anyone else who is reading this thread in hope of finding a solution to this problem, the method that worked for me on Chrome but not on Firefox is detailed here: https://stackoverflow.com/questions/21297139/how-do-you-sign-certificate-signing-request-with-your-certification-authority/21340898#21340898

I don't consider this a complete solution, as Firefox will not accept the resulting certificate, even though Chrome, Opera, and IE/Edge will. Oddly, the default method provided by XAMPP in the xampp/apache/conf/makecert.bat file *will* create a certificate that is accepted by Firefox, and *was* accepted by Chrome up to version 58.
TomXampp
 
Posts: 59
Joined: 12. March 2015 03:58
Operating System: Windows 8.1

Re: How to add subjectAltName values to server.crt?

Postby Nobbie » 23. April 2017 01:46

TomXampp wrote:(This is hysterical. I haven't wanted to prohibit your responses at all. You've already made it extremely clear that you disagree with the very notion of anyone setting up their Apache localhost server differently than you have.)


That extremely poor statement only shows that you don't even understand my postings.
Nobbie
 
Posts: 13171
Joined: 09. March 2008 13:04

Re: How to add subjectAltName values to server.crt?

Postby TomXampp » 23. April 2017 03:11

In other news, I found a way to create a certificate with SAN (subAltName) entries that satisfied Firefox *only* for adding the certificate to its list of approved CA certificates, and XAMPP/Apache was fine with it (i.e., I could boot-up XAMPP without an issue), but Firefox would respond to localhost as though it had a bad certificate. So, Firefox remains the fly in the ointment.
TomXampp
 
Posts: 59
Joined: 12. March 2015 03:58
Operating System: Windows 8.1

Re: How to add subjectAltName values to server.crt?

Postby faospark » 28. April 2017 16:00

This is how I got it fixed on Chrome. If you are familiar with the makecert.bat file found in xampp->apache, you can use that, but you need to do a couple of things first.

By default, makecert.bat creates a V1 certificate, so in order to circumvent this, create a file with the name v3.ext. This file should contain the following:

# Default (unnamed) section: openssl x509 -extfile reads it when no -extensions name is given
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = *.your.domain
DNS.3 = your.domain
# Addresses must be IP.n (iPAddress) entries; a DNS.n entry holding an IP literal is a dNSName and will not match the URL
IP.1 = 127.0.0.1
IP.2 = 127.0.0.2

This file basically contains the subjectAltNames, and it does not have to be the same as the one I have. You can specify as many as you want, or as few as you want.

Next, you have to edit makecert.bat. Open the file in a code editor and edit line 9 by adding -extfile v3.ext after 365. It should look like this:

bin\openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365 -extfile v3.ext


Take note before using makecert.bat: it will output server.key and server.crt to xampp->apache->conf->ssl.key and xampp->apache->conf->ssl.crt respectively.

Now, with all of those things done, you can run makecert.bat and proceed through the normal questions you need to answer, but do take note: for the CN or common name you have to use the bare domain of your virtual site. Don't use the wildcard character for your common name, as the wildcard is now best served as a subjectAltName. The same goes for www in the common name.

After the setup is done, you can point your SSL configuration to the files in the directories I mentioned (xampp->apache->conf->ssl.crt and xampp->apache->conf->ssl.key); the generated files are now V3 certificates. It should look something like this in your httpd-vhosts.conf:

<VirtualHost 127.0.0.1:443>
    DocumentRoot "D:/applications/xampp/htdocs"
    ServerName localhost
    ServerAlias localhost
    SSLEngine on
    # Relative paths resolve against ServerRoot (the xampp/apache directory)
    SSLCertificateFile "conf/ssl.crt/server.crt"
    SSLCertificateKeyFile "conf/ssl.key/server.key"
    <Directory "D:/applications/xampp/htdocs">
        Options Indexes FollowSymLinks Includes ExecCGI
        # Apache 2.2 access syntax; on 2.4 it needs mod_access_compat (loaded in XAMPP's httpd.conf),
        # the native 2.4 equivalent is: Require all granted
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>


Restart your server and close/reopen your browser. You will receive an initial SSL warning. Proceed, then view the certificate. Export the certificate and import it as a trusted root certificate, and that's it. I got the green lock icon back again.
faospark
 
Posts: 15
Joined: 07. March 2017 11:40
XAMPP version: 7.1.1
Operating System: windows 11
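To tie the steps of the post above into one runnable routine, the following Python script is an added example written for this page; it is not faospark's files and not XAMPP's makecert.bat. It drives the same two-step openssl flow (req to produce the key and CSR, then x509 -req to self-sign) but puts the subjectAltName entries in a named section of a single config file, passes that section with -extfile and -extensions, records addresses as IP.n rather than DNS.n, and finally dumps the certificate to confirm that it is v3 and carries the SAN. It assumes an openssl binary on PATH (on XAMPP that is apache\bin\openssl.exe); the host names and the working directory are constructed sample values.

```python
import os
import shutil
import subprocess
import tempfile
from typing import Iterable, Optional

# One config file for both openssl steps. [req] drives `openssl req`; [v3_req]
# is handed to `openssl x509 -req` via -extfile/-extensions so the self-signed
# certificate comes out as v3 with a subjectAltName.
CNF_TEMPLATE = """\
[ req ]
prompt             = no
default_md         = sha256
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = {cn}

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
{alt_names}
"""


def build_alt_names(dns_names: Iterable[str], ip_addrs: Iterable[str]) -> str:
    """Render the [alt_names] body. Addresses go in IP.n entries: a DNS.n
    entry holding "127.0.0.1" is a dNSName and never matches an IP URL."""
    lines = [f"DNS.{i} = {n}" for i, n in enumerate(dns_names, 1)]
    lines += [f"IP.{i} = {a}" for i, a in enumerate(ip_addrs, 1)]
    return "\n".join(lines)


def make_san_cert(workdir: str, cn: str = "localhost",
                  dns_names: Iterable[str] = ("localhost", "your.domain", "*.your.domain"),
                  ip_addrs: Iterable[str] = ("127.0.0.1",),
                  days: int = 365) -> Optional[str]:
    """Create openssl.cnf, server.key, server.csr and server.crt in workdir.

    Returns the `openssl x509 -text` dump of the certificate, or None when no
    openssl binary is on PATH. Host names are constructed sample values.
    """
    openssl = shutil.which("openssl")
    if openssl is None:
        return None
    paths = {n: os.path.join(workdir, n)
             for n in ("openssl.cnf", "server.key", "server.csr", "server.crt")}
    with open(paths["openssl.cnf"], "w") as f:
        f.write(CNF_TEMPLATE.format(cn=cn, alt_names=build_alt_names(dns_names, ip_addrs)))
    # Step 1 (makecert.bat's `req -new` and `rsa` steps in one): an unencrypted
    # key (-nodes) so Apache can load it without a passphrase, plus the CSR.
    subprocess.run([openssl, "req", "-new", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", paths["server.key"], "-out", paths["server.csr"],
                    "-config", paths["openssl.cnf"]], check=True, capture_output=True)
    # Step 2: self-sign. x509 -req does not copy extensions from the CSR, so
    # without -extfile/-extensions the output would be a v1 cert with no SAN.
    subprocess.run([openssl, "x509", "-req", "-in", paths["server.csr"],
                    "-signkey", paths["server.key"], "-out", paths["server.crt"],
                    "-days", str(days), "-sha256",
                    "-extfile", paths["openssl.cnf"], "-extensions", "v3_req"],
                   check=True, capture_output=True)
    # Verification: the dump must show "Version: 3" and the SAN extension.
    dump = subprocess.run([openssl, "x509", "-in", paths["server.crt"], "-noout", "-text"],
                          check=True, capture_output=True, text=True)
    return dump.stdout


def demo() -> Optional[str]:
    """Generate into a throwaway directory and return the certificate dump."""
    with tempfile.TemporaryDirectory() as d:
        return make_san_cert(d)


if __name__ == "__main__":
    out = demo()
    print(out if out else "openssl not found on PATH")
```

Copy server.crt and server.key into conf/ssl.crt and conf/ssl.key to use them with the vhost shown above; the dump should contain an "X509v3 Subject Alternative Name" block listing DNS:localhost and IP Address:127.0.0.1, which is the check to run before restarting Apache.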

Re: How to add subjectAltName values to server.crt?

Postby TomXampp » 28. April 2017 17:21

Thank you, @faospark! This is a much easier routine than the one I followed to satisfy Chrome, and it does satisfy Chrome, Opera, and IE, which all accept certificates installed in Windows using MMC (and, in fact, when you install a certificate using Chrome, it calls up the Windows MMC applet).

But can you get Firefox to accept the resulting certificate? Firefox doesn't look at the SSL certificates installed locally on your machine, but rather from the browser's own repository/Certificate Manager. Here are the error messages I get when going to Firefox -> Options -> Advanced -> View Certificates (which opens the Firefox Certificate Manager):

When trying to install it under "authorities":
This is not a certificate authority certificate, so it can’t be imported into the certificate authority list


When trying to install it under "People":
This certificate can’t be verified and will not be imported. The certificate issuer might be unknown or untrusted, the certificate might have expired or been revoked, or the certificate might not have been approved.


What can be done to appease Firefox?
TomXampp
 
Posts: 59
Joined: 12. March 2015 03:58
Operating System: Windows 8.1
