[GH-ISSUE #161] Chrome 58+: NET::ERR_CERT_COMMON_NAME_INVALID when using generated cert #101

Closed
opened 2026-02-25 22:32:36 +03:00 by kerem · 4 comments

Originally created by @bcjordan on GitHub (May 17, 2019).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/161

Browser: Google Chrome 74.0.3729.157 (Official Build) (64-bit) (cohort: Stable)
OS: Windows 10 OS Build 17134.765

Looks like an issue which began with Chrome 58 (https://support.google.com/chrome/a/answer/7391219?hl=en). Is there a recommended workaround that still makes use of `mkcert`'s wonderful simple UX? :)

Repro Steps

Make and install cert:

  1. Open Command Prompt as Administrator
  2. `choco install mkcert`
  3. `mkcert -install`
  4. Select "Yes" when prompted about installing

Run web server and visit webpage:

  1. `cross-env NODE_ENV=development webpack-dev-server -d --hot --config webpack.config.js --watch --https --cert=C:\Users\myuser\AppData\Local\mkcert\rootCA.pem --key=C:\Users\myuser\AppData\Local\mkcert\rootCA-key.pem`
  2. Open https://localhost:8080

Expected: page loads OK with green lock
Actual: `NET::ERR_CERT_COMMON_NAME_INVALID` error (see below)

kerem closed this issue 2026-02-25 22:32:36 +03:00

@FiloSottile commented on GitHub (Jun 1, 2019):

You are using the root CA (`rootCA.pem`) as a server certificate, which is not going to work.

You need to generate a new certificate for the hostname you are going to use, like `mkcert localhost`.
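
Added example, not part of the original comment or of mkcert: a Go check, using only the standard library, that reports why a certificate should not be served for a given hostname. The certificates are constructed in memory to mirror the situation in this issue (a root CA with no Subject Alternative Name versus a leaf issued for `localhost`); the function names and sample values are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl for pub with the issuer's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// DemoPair builds a constructed root CA and a leaf for "localhost" (sample data, not mkcert output).
func DemoPair() (root, leaf *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed dev CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	srv := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"localhost"}, NotBefore: now, NotAfter: now.Add(time.Hour)}
	root = issue(ca, ca, caPub, caKey)
	return root, issue(srv, root, srvPub, caKey)
}

// ServerCertProblems lists why cert should not be served as the TLS certificate for host.
func ServerCertProblems(cert *x509.Certificate, host string) (problems []string) {
	if cert.IsCA {
		problems = append(problems, "is a CA certificate (CA:TRUE), not a leaf")
	}
	if err := cert.VerifyHostname(host); err != nil {
		problems = append(problems, err.Error())
	}
	return problems
}

func main() {
	root, leaf := DemoPair()
	fmt.Printf("root as server cert: %q\nleaf as server cert: %q\n", ServerCertProblems(root, "localhost"), ServerCertProblems(leaf, "localhost"))
}
```

Go's hostname matcher is not Chrome's, so this shows the missing-SAN and CA-as-leaf conditions only; it does not reproduce Chrome's wildcard handling discussed later in the thread.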


@anthonyxwatson commented on GitHub (Mar 6, 2023):

> You are using the root CA (`rootCA.pem`) as a server certificate, which is not going to work.
>
> You need to generate a new certificate for the hostname you are going to use, like `mkcert localhost`.

I'm seeing this when I use a wildcard certificate, with expanded message:

```
This server could not prove that it is test.localhost; its security certificate is from *.localhost. This may be caused by a misconfiguration or an attacker intercepting your connection.
```

And the internet seems to think this is because Chrome wants the site name in the Subject Alternative Name.

https://serverfault.com/questions/559537/wildcard-certificate-causes-warning-on-google-chrome-only

I don't see in documentation for mkcert how to set the Subject Alternative Name to test if this fixes it, but wanted to mention all of this as this is the only issue for the repo that mentions the `ERR_CERT_COMMON_NAME_INVALID` error.


@noe commented on GitHub (Jun 26, 2023):

I am also having this problem with a wildcard certificate.


@renatofrota commented on GitHub (Feb 11, 2024):

`*.localhost` is a 2nd level wildcard, which is not accepted, since it's technically the same as creating a cert for `*.com`.

However, there's a workaround for localhost wildcards, see https://github.com/FiloSottile/mkcert/issues/383#issuecomment-1937455068
