I'm trying to create self-signed certificates for my webserver but it's not going well. The title is the error message curl gives me when I run
```
curl --noproxy "*" https://example.com
```
(with example.com being the domain name of my webserver) on the webserver. It is an FQDN and resolvable.
```
wget --no-proxy https://example.com
```
gets me
```
Resolving example.com (example.com)... 127.0.1.1
Connecting to example.com (example.com)|127.0.1.1|:443... connected.
ERROR: certificate common name ‘’ doesn't match requested host name ‘example.com’.
```
Apparently, it "cannot obtain the common name" of my certificate. But I don't get why.
I generated the server certificate using this .cnf file, named server.cnf:
```
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName= <country>
stateOrProvinceName= <province>
localityName= <locality>
organizationName= <organization>
organizationalUnitName= <ou>
commonName= example.com
[alt_names]
DNS.1 = example.com
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
```
using the command:
```
sudo certtool --generate-certificate \
--load-privkey /etc/ssl/web_domain_keys/server_key.pem \
--load-ca-certificate /etc/ssl/certs/CA_cert.pem \
--load-ca-privkey /etc/ssl/private/CA_key.pem \
--template /usr/lib/ssl/server.cnf \
--outfile /etc/ssl/server_cert.pem
```
When I run
```
openssl s_client -connect example.com:443
```
the subject name is blank, but I don't know why this is:
```
depth=1 CN = ca.example.com
verify return:1
depth=0
verify return:1
---
Certificate chain
0 s:
i:CN = ca.example.com
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
v:NotBefore: Mar 5 13:54:23 2024 GMT; NotAfter: Mar 5 13:54:23 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
<correct certificate>
-----END CERTIFICATE-----
subject=
issuer=CN = ca.example.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
```
```
openssl x509 -in server_cert.pem -subject [-noout]
```
will show you that it's wrong. (2) certtool is NOT an OpenSSL-related or -based program -- it is part of GnuTLS, and does not use the OpenSSL config format; its 'template' format is superficially similar (using lines containing name=value) but different in nearly all specifics; see its man page.
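As an added illustration of the point in that comment (this is not code from the question or the commenter), here is what the same server certificate looks like as a GnuTLS certtool template: flat `key = value` lines from certtool's own vocabulary (`cn`, `dns_name`, `tls_www_server`, `signing_key`, `encryption_key`), with no `[req]` sections or `v3_req` extension blocks. The organization, locality and country values are placeholders, and the file paths in the commented usage are the ones from the question. The `issue_and_check` function re-runs the question's certtool command against this template and then reads the subject and SAN back with `openssl x509`, which is the check that would have revealed the blank subject; it only runs when certtool and openssl are installed.

```shell
#!/bin/sh
# Added example: a certtool (GnuTLS) template for the server certificate.
# Unlike OpenSSL's .cnf, certtool reads plain "name = value" lines and
# bare keyword flags; it does not understand [req] / [v3_req] sections.

write_certtool_template() {
  # $1 = path to write the template to
  cat > "$1" <<'EOF'
# GnuTLS certtool template (NOT an OpenSSL .cnf).
# Placeholder values; replace with your own organisation details.
organization = "Example Org"
unit = "Web"
locality = "Example City"
state = "Example State"
country = "XX"
# Subject CN and the SAN that modern clients actually match against.
cn = "example.com"
dns_name = "example.com"
expiration_days = 365
# End-entity server certificate: no "ca" flag, TLS server usage,
# digitalSignature + keyEncipherment key usage.
tls_www_server
signing_key
encryption_key
EOF
}

# Issue the certificate with the same CA material the question uses,
# then confirm the subject and SAN are populated. Returns 2 if the
# required tools are missing, 1 if certtool fails, 0 on success.
issue_and_check() {
  tmpl=$1; key=$2; cacert=$3; cakey=$4; out=$5
  command -v certtool >/dev/null 2>&1 || { echo "certtool not installed"; return 2; }
  command -v openssl  >/dev/null 2>&1 || { echo "openssl not installed";  return 2; }
  certtool --generate-certificate \
    --load-privkey "$key" \
    --load-ca-certificate "$cacert" \
    --load-ca-privkey "$cakey" \
    --template "$tmpl" \
    --outfile "$out" || return 1
  # Expect "subject=... CN = example.com" and a subjectAltName
  # line listing DNS:example.com; an empty subject means the
  # template was not understood.
  openssl x509 -in "$out" -noout -subject -ext subjectAltName
}

# Example usage with the paths from the question (needs root for /etc/ssl):
#   write_certtool_template /usr/lib/ssl/server.tmpl
#   issue_and_check /usr/lib/ssl/server.tmpl \
#       /etc/ssl/web_domain_keys/server_key.pem \
#       /etc/ssl/certs/CA_cert.pem \
#       /etc/ssl/private/CA_key.pem \
#       /etc/ssl/server_cert.pem
```

After issuing, the `openssl x509 -subject -ext subjectAltName` output should name `CN = example.com` and `DNS:example.com`; `certtool -i --infile server_cert.pem` shows the same fields in GnuTLS's own format if you prefer to stay with one toolchain.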