I showed how to create a self-signed certificate using openssl command line in this post. However, after I created a self-signed certificate using the similar openssl command and deployed the certificate in a Kubernete ingress, I always got a warning message when accessing the web server through the ingress using google chrome browser.
Your connection is not private
Attackers might be trying to steal your information from www.example.com(for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALIDHelp improve Safe Browsing by sending some system information and page content to Google. Privacy policy
Since the certificate is self-signed, it is not trusted by the chrome browser by default. It is reasonable that the chrome browser prompts the warming message. However, after I imported the certificate into the trusted root certificate authorities of the chrome browser, it still prompted the warning message. That’s weird.
After struggling using google search engine, I finally get the root cause of this warning message. That is:
chrome 58 or later does not use the commonName field in the certificate to match the domain name and site certificate. Instead, it uses subject alternative name.
That’s why I always got the warning message even if I imported the certificate into my chrome browser, because there is no SAN field in the certificate. This doesn’t mean the certificates created without SAN are useless. They can still be used in some other cases. I will cover how to create a self-signed certificate with SAN using openssl command in later post.
Reference Material:
http://www.expta.com/2017/06/fix-for-certificate-error-in-chrome.html
https://support.google.com/chrome/a/answer/7391219?hl=en