Originally published on cert-depot.com . Free, open-source self-signed certificate generator — no signup, keys never stored. Why Subject Alternative Names (SANs) Matter for Modern Browsers The single most common reason self-signed certs stop working in browsers — and the fix. For two decades, SSL/TLS certificates identified themselves via the Common Name (CN) field in the Subject Distinguished Name. Today, browsers ignore it completely. If your certificate doesn't have a Subject Alternative Name (SAN) matching the hostname, every modern browser will reject it — even if the CN is exactly right. The short version When you visit https://example.com , the browser checks the server's certificate for a SAN entry containing example.com . If no SAN matches, the connection is rejected with an error like NET::ERR_CERT_COMMON_NAME_INVALID . The Common Name is not consulted. When did this change? 2000: RFC 2818 says "if a subjectAltName extension of type dNSName is present, that MUST be used as the identity.…