so chrome at least has gotten pretty uppity about certs that lack subject altnames. following the instructions in ssl.8 is no longer sufficient. here's a short hint about how to fix this.
Index: ssl.8 =================================================================== RCS file: /cvs/src/share/man/man8/ssl.8,v retrieving revision 1.64 diff -u -p -r1.64 ssl.8 --- ssl.8 6 Jun 2016 15:26:04 -0000 1.64 +++ ssl.8 27 Jun 2017 22:10:10 -0000 @@ -94,6 +94,16 @@ You can also sign the key yourself, usin -out /etc/ssl/server.crt .Ed .Pp +Note that some new browsers have deprecated using the common name of a +certifate and require that subject alt names be provided. +This may require the use of +.Ar -extfile Pa server.ext +when self-signing. +.Bd -literal -offset indent +# this is an example server.ext file +subjectAltName=DNS:example.com,DNS:www.example.com +.Ed +.Pp With .Pa /etc/ssl/server.crt and
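Review bot: The added paragraph names -extfile but never shows it in a command, so the reader has to work out that it belongs on the self-signing invocation that ends just above with "-out /etc/ssl/server.crt". Consider repeating that command in the new literal block with "-extfile server.ext" appended, and saying "requires" rather than "may require" for the browsers this targets. In the same paragraph, "certifate" should be "certificate". The markup ".Ar -extfile Pa server.ext" would read more conventionally as ".Fl extfile Ar server.ext", since -extfile is an option and server.ext is its argument. It would also help to state that the names in subjectAltName need to match the hostnames clients actually connect to, since the example uses example.com placeholders.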