I have a Go app that works as a server which a single client accesses by IP address (aaa.bbb.ccc.ddd). I am trying to implement mTLS.

Since I have only one client, its cert/key pair (myclient.crt/myclient.key) is stored directly in the server app together with the self-signed CA cert (notmyca.crt). The connection between the two works; however, when I try to curl:

curl "https://aaa.bbb.ccc.ddd:port/endpoint" --key myclient.key --cert myclient.crt --cacert notmyca.crt

I get a complaint that "certificate subject name 'xxx' does not match target host name 'yyy'".

What I did:

  1. The self-signed CA (notmyca.crt/notmyca.key) was provided by another application.

  2. Add the notmyca.crt certificate to the system:

sudo cp notmyca.crt /usr/local/share/ca-certificates/

sudo update-ca-certificates

  3. Create a new key for the server app:

openssl genrsa -out my-app.key 2048

  4. Create a CSR for the server app (using the key generated in the previous step):

openssl req -sha256 -new -key my-app.key -subj "/CN=differentFromCA" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=IP:aaa.bbb.ccc.ddd")) -out my-app.csr

  5. Create the server cert:

openssl x509 -sha256 -req -in my-app.csr -CA notmyca.crt -CAkey notmyca.key -CAcreateserial -out my-app.crt -days 7300

  6. Verify the cert:

openssl verify my-app.crt

  • the verification was OK

  7. Add the my-app.crt certificate to the system:

sudo cp notmyca.crt /usr/local/share/ca-certificates/

sudo update-ca-certificates

  8. curl using notmyca.crt:

curl "https://aaa.bbb.ccc.ddd:port/endpoint" --key myclient.key --cert myclient.crt --cacert notmyca.crt

  • getting the message: "certificate subject name 'xxx' does not match target host name 'yyy'"

  9. curl using the -k flag:

  • if the client cert/key are passed, no problem; I get the expected and correct result.

So, what do I have to do for curl to accept the CA cert?

  • Modern web tools should use the [Subject Alternative Name](https://en.wikipedia.org/wiki/Subject_Alternative_Name) instead of the common subject name. – Robert Sep 26 '21 at 13:28
  • Please check the generated certificate. You will notice that the subjectAltName you gave to the CSR does not end up in the signed certificate. And since it is not there the TLS client complains. – Steffen Ullrich Sep 26 '21 at 15:49
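The comments above point at the actual failure: curl (like every modern TLS client) matches the target host against the certificate's subjectAltName entries, not the CN, so a server certificate that lost its SAN at signing time can never validate for an IP address. The following Go program is an added example, not code from the asker or from any project on this page: it builds a stand-in CA and issues two server certificates, one without and one with an IP SAN, then runs the same chain-plus-hostname check a client performs. The address 192.0.2.10 is a constructed placeholder for aaa.bbb.ccc.ddd, and the function names (newCA, issueServerCert, hasIPSAN, verifyForHost) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed stand-in for the aaa.bbb.ccc.ddd address in the question (TEST-NET-1 range).
const serverIP = "192.0.2.10"

// newCA creates a self-signed CA, playing the role of notmyca.crt/notmyca.key.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "notmyca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert signs a leaf certificate for the server. With withSAN=false the
// certificate carries only CN=differentFromCA, which is what the asker ends up with
// when the CSR's subjectAltName is dropped at signing time.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, ip net.IP, withSAN bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "differentFromCA"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		tmpl.IPAddresses = []net.IP{ip} // the IP SAN curl will look for
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hasIPSAN is the "check the generated certificate" step: does the signed cert list ip among its SANs?
func hasIPSAN(cert *x509.Certificate, ip net.IP) bool {
	for _, c := range cert.IPAddresses {
		if c.Equal(ip) {
			return true
		}
	}
	return false
}

// verifyForHost does what curl does with --cacert: build a chain to the CA and
// match the target host (here an IP literal) against the certificate's SANs.
func verifyForHost(cert, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host, // an IP literal is matched against IPAddresses, never against the CN
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	ip := net.ParseIP(serverIP)
	for _, withSAN := range []bool{false, true} {
		cert, err := issueServerCert(ca, caKey, ip, withSAN)
		if err != nil {
			panic(err)
		}
		fmt.Printf("IP SAN present: %-5v  verify for %s: %v\n",
			hasIPSAN(cert, ip), serverIP, verifyForHost(cert, ca, serverIP))
	}
}
```

The certificate without the SAN chains to the CA fine (which is why `openssl verify` reported OK) yet fails the host check, exactly the symptom in the question. On the OpenSSL command line, `openssl x509 -req` does not carry extensions over from the CSR unless told to: supply the SAN at signing time with `-extfile` pointing at a file containing `subjectAltName=IP:aaa.bbb.ccc.ddd` (or, on OpenSSL 3, add `-copy_extensions copy`), then confirm with `openssl x509 -in my-app.crt -noout -text` that an "X509v3 Subject Alternative Name" line with the IP is present before retrying curl.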
