Many developers encounter the frustrating net::ERR_CERT_COMMON_NAME_INVALID error when trying to use self-signed certificates for internal development. Chrome's strict security policies have made this particularly challenging since version 58.
The key issue lies in how Chrome validates certificates. Modern Chrome versions require:
- Subject Alternative Name (SAN) extension
- Matching CN or SAN with the exact hostname/IP
- Proper certificate chain validation
Your current certificate generation command is close but needs adjustments:
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
-keyout server.key -out server.crt \
-subj "/CN=192.168.0.1" \
-addext "subjectAltName = IP:192.168.0.1" \
-addext "extendedKeyUsage = serverAuth"
Here's a foolproof method that works with Chrome 58+:
- Create a proper OpenSSL config file (ssl.conf):
[req]
default_bits = 2048
prompt = no
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn
[dn]
CN = 192.168.0.1
[v3_req]
subjectAltName = @alt_names
extendedKeyUsage = serverAuth
[alt_names]
IP.1 = 192.168.0.1
- Generate the certificate:
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
-keyout server.key -out server.crt -config ssl.conf
To add the certificate to the system trust store on Fedora/RHEL systems:
sudo cp server.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
For Chrome specifically, you might also need to:
- Open chrome://settings/certificates
- Go to "Authorities" tab
- Import your server.crt file
- Check "Trust this certificate for identifying websites"
Check your certificate details with:
openssl x509 -in server.crt -text -noout
Look for these critical sections:
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:192.168.0.1
X509v3 Extended Key Usage:
TLS Web Server Authentication
Ensure your Apache config includes both the cert and key:
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key
# Other configuration...
</VirtualHost>
- Restart Apache:
sudo systemctl restart httpd
- Clear Chrome cache completely
- Try incognito mode to rule out extension interference
This comprehensive approach should resolve the ERR_CERT_COMMON_NAME_INVALID error while maintaining proper security practices for your development environment.
Modern Chrome versions (58+) enforce strict certificate validation that goes beyond simple Common Name (CN) matching. The ERR_CERT_COMMON_NAME_INVALID error specifically indicates that Chrome couldn't verify the certificate's Subject Alternative Name (SAN) against the requested host.
Your certificate shows:
Subject: CN = Hostname
X509v3 Subject Alternative Name: DNS:192.168.0.1
The critical problems are:
- Using IP address in DNS SAN field (should be IP SAN)
- Mismatch between CN and actual access URL
- Missing proper CA trust chain setup
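As an added example (not part of the original page), the Python below models SAN-only host matching and runs it over constructed excerpts of openssl x509 -text output, including the DNS:192.168.0.1 case shown above. The function names and sample strings are assumptions made for illustration; this is a simplified model, not Chrome's own verifier.

```python
import ipaddress

# Constructed samples in the shape of `openssl x509 -in server.crt -text -noout`
# output; they are not taken from a real certificate.
BAD = "Subject: CN = Hostname\nX509v3 Subject Alternative Name: DNS:192.168.0.1\n"
GOOD = "Subject: CN = 192.168.0.1\nX509v3 Subject Alternative Name:\n    IP Address:192.168.0.1\n"
CN_ONLY = "Subject: CN = 192.168.0.1\n"

def parse_san(text):
    """Return (dns_names, ip_addresses) listed in the SAN extension."""
    dns, ips = [], []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if "Subject Alternative Name:" not in line:
            continue
        # Entries follow the label on the same line or on the next one.
        rest = line.split("Subject Alternative Name:", 1)[1].strip()
        if rest in ("", "critical") and i + 1 < len(lines):
            rest = lines[i + 1].strip()
        for entry in rest.split(","):
            kind, _, value = entry.strip().partition(":")
            if kind == "DNS":
                dns.append(value.lower())
            elif kind == "IP Address":
                ips.append(ipaddress.ip_address(value))
    return dns, ips

def check_host(text, host):
    """Return (ok, reason) for a verifier that matches on SAN only."""
    dns, ips = parse_san(text)
    if not dns and not ips:
        return False, "no SAN entries; CN is not used for matching"
    try:
        target = ipaddress.ip_address(host)
    except ValueError:
        target = None  # not an IP literal, so treat it as a hostname
    if target is not None:
        if target in ips:
            return True, "matched IP SAN"
        if host in dns:
            return False, "address is in a DNS SAN; use IP: instead"
        return False, "no IP SAN for this address"
    # Exact comparison; wildcard entries are not handled here.
    if host.lower() in dns:
        return True, "matched DNS SAN"
    return False, "no DNS SAN for this hostname"

if __name__ == "__main__":
    for label, sample in (("bad", BAD), ("good", GOOD), ("cn-only", CN_ONLY)):
        print(label, check_host(sample, "192.168.0.1"))
```

To check a real certificate, pass the captured output of openssl x509 -in server.crt -text -noout as the first argument.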
For internal IP 192.168.0.1 on port 3122:
openssl req \
-newkey rsa:2048 \
-x509 \
-nodes \
-keyout server.key \
-new \
-out server.crt \
-subj "/CN=192.168.0.1" \
-addext "subjectAltName = IP:192.168.0.1" \
-sha256 \
-days 3650
In your virtual host configuration:
<VirtualHost *:3122>
SSLEngine on
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key
# Force modern protocols
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>
For Linux (Fedora/RHEL):
sudo cp server.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
For Windows:
- Import server.crt into "Trusted Root Certification Authorities" store
- Use certmgr.msc or PowerShell's Import-Certificate
For temporary testing, you can:
- Navigate to chrome://flags/#allow-insecure-localhost and enable it (this flag only applies to connections to localhost)
- Type "thisisunsafe" on the error page (not recommended for production)
Check your certificate with:
openssl x509 -in server.crt -text -noout
Look for these critical sections:
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:192.168.0.1