On 2017/06/27 18:11, Ted Unangst wrote: > so chrome at least has gotten pretty uppity about certs that lack subject > altnames.
Oh that's going to be hilarious. There are at least valid reasons for doing this (e.g. nameConstraints don't work with CN). > > Index: ssl.8 > =================================================================== > RCS file: /cvs/src/share/man/man8/ssl.8,v > retrieving revision 1.64 > diff -u -p -r1.64 ssl.8 > --- ssl.8 6 Jun 2016 15:26:04 -0000 1.64 > +++ ssl.8 27 Jun 2017 22:10:10 -0000 > @@ -94,6 +94,16 @@ You can also sign the key yourself, usin > -out /etc/ssl/server.crt > .Ed > .Pp > +Note that some new browsers have deprecated using the common name of a > +certifate and require that subject alt names be provided. certifate -> certificate, and it's not really "deprecated" if they disabled support. But I think it should be reworked a bit more - show SAN as a required step rather than a "maybe you need to do this".. > +This may require the use of > +.Ar -extfile Pa server.ext > +when self-signing. > +.Bd -literal -offset indent > +# this is an example server.ext file > +subjectAltName=DNS:example.com,DNS:www.example.com > +.Ed > +.Pp > With > .Pa /etc/ssl/server.crt > and >
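Review bot: the added paragraph treats the extension file as an optional afterthought ("This may require the use of ... when self-signing") while the context line `-out /etc/ssl/server.crt` directly above still shows the self-signing command without it; since the browsers the note refers to reject a certificate that lacks a subjectAltName, fold `-extfile server.ext` into that example command and present the SAN file as a required step of self-signing, with the DNS entries covering every host name the certificate is meant to serve (the common name alone is no longer sufficient for those browsers). Two smaller points on the same hunk: in mdoc a command-line flag is conventionally marked `.Fl extfile` rather than `.Ar -extfile` (`.Ar` is for operands), and "certifate" on the first added line should read "certificate".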