Tomcat: How to use a self-signed SAN supported certificate via OpenSSL

The instructions below were tested on OS X and should work equally on any distribution with OpenSSL. From Chrome 58 onwards only the SAN (subjectAltName) extension is used to match the domain name against the site certificate (prior to Chrome 58 the commonName was used).

If the certificate doesn’t have the correct subjectAlternativeName extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that the connection isn’t private.

The instructions below create the key and PEM file in three simple steps and then white-list it in the Keystore:

Create the OpenSSL configuration

Adjust the following to your liking, especially the sections “req_distinguished_name” and “alt_names”:

Generate the key and PEM file

Generate both files via OpenSSL:

Configure Tomcat server.xml

Copy both files to a directory relative to “${catalina.home}” on your Tomcat installation and adjust server.xml:

Whitelist the certificate in OS X Keychain

With Tomcat running, run the following commands to add the certificate to the Keychain:
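The whole procedure above (config with a SAN section, key and PEM generation, and a check that the names really ended up in the certificate) as one added script. It is not the original post's own files; the hostnames, DN values and file paths are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not the original post's files: build an OpenSSL config with a
# SAN section, issue the self-signed key/PEM pair, and verify the names.
# Hostnames, DN values and paths are assumptions; adjust them to your setup.
set -eu

# Write the request config. $1 = output path; remaining args = DNS names that
# go into alt_names (the first one also becomes the CN).
write_openssl_config() {
  cfg="$1"; shift; cn="$1"
  {
    cat <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions    = v3_req
prompt             = no

[req_distinguished_name]
C  = US
O  = Example Dev
CN = $cn

[v3_req]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[alt_names]
EOF
    i=1
    for name in "$@"; do printf 'DNS.%s = %s\n' "$i" "$name"; i=$((i + 1)); done
  } > "$cfg"
}

# Generate an RSA key and self-signed certificate (PEM) from that config.
# $1 = config, $2 = key output, $3 = certificate output
generate_cert() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -config "$1" -keyout "$2" -out "$3"
}

# Print the SAN line of a certificate so the names can be confirmed before
# pointing Tomcat's <Certificate certificateFile=... certificateKeyFile=...> at it.
show_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

if [ "${1:-}" = "--demo" ]; then
  write_openssl_config tomcat.cnf localhost myapp.local
  generate_cert tomcat.cnf localhost.key localhost.pem && show_san localhost.pem
fi
```

In server.xml (Tomcat 8.5 and later) the files are referenced from the HTTPS Connector via `<SSLHostConfig><Certificate certificateFile="conf/localhost.pem" certificateKeyFile="conf/localhost.key" type="RSA"/></SSLHostConfig>`. On OS X, `security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain localhost.pem` marks the generated certificate as trusted in the login keychain.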
