Michael Leone on 26 Jun 2019 06:41:12 -0700



[PLUG] Fwd: Confused - certificate is valid in IE/Edge but not in Chrome?


For Chrome 58 and later, only the subjectAlternativeName extension,
not commonName, is used to match the domain name and site certificate.
The certificate subject alternative name can be a domain name or IP
address. If the certificate doesn’t have the correct
subjectAlternativeName extension, users get a
NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that the
connection isn’t private. If the certificate is missing a
subjectAlternativeName extension, users see a warning in the Security
panel in Chrome DevTools that lets them know the subject alternative
name is missing.

So I have to fix my openssl config, so that it adds those SANs
(subjectAlternativeNames). Problem is, all the examples I find for "alt
names" seem to hardcode a name in the config file. Can that be right?

Shouldn't the SAN be the same as the common name of the cert? What am
I not getting, about this? Example:
https://wiki.cacert.org/FAQ/subjectAltName

[alt_names]
DNS.1 = server1.example.com
DNS.2 = mail.example.com
DNS.3 = www.example.com
DNS.4 = www.sub.example.com
DNS.5 = mx.example.com
DNS.6 = support.example.com


That's all fine, if you're issuing a cert for "example.com". :-) So
how do you tell it to use the common name, as at least one of the
alternates??

Thanks. Sorry for the confusion.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
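
One way to avoid hardcoding names, as an added example that is not part of the original post: generate the request config per certificate so the common name is always repeated as the first subjectAltName entry, with IP literals emitted as `IP:` entries. The function names (`san_entry`, `san_list`, `req_config`, `make_csr`) and the `.key`/`.csr` output names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the original post): derive the SAN list from the
# common name at request time instead of hardcoding names in openssl.cnf.

# san_entry NAME: IP literals become IP:, everything else DNS:.
san_entry() {
  case "$1" in
    *:*)        printf 'IP:%s' "$1" ;;   # IPv6 literal
    *[!0-9.]*)  printf 'DNS:%s' "$1" ;;  # contains a non-digit: hostname
    *)          printf 'IP:%s' "$1" ;;   # digits and dots only: IPv4
  esac
}

# san_list CN [EXTRA...]: comma-separated subjectAltName value, CN first.
san_list() {
  local out n
  out=""
  [ "$#" -ge 1 ] || { echo "usage: san_list CN [EXTRA...]" >&2; return 1; }
  for n in "$@"; do
    case "$n" in   # reject empty names and anything that could inject config
      ''|*[!A-Za-z0-9.:*-]*) echo "bad name: $n" >&2; return 1 ;;
    esac
    out="${out:+$out,}$(san_entry "$n")"
  done
  printf '%s\n' "$out"
}

# req_config CN [EXTRA...]: complete config for `openssl req -config`.
req_config() {
  local sans
  sans=$(san_list "$@") || return 1
  cat <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = $1
[ v3_req ]
subjectAltName = $sans
EOF
}

# make_csr CN [EXTRA...]: writes CN.key and CN.csr using the generated config.
make_csr() {
  local cfg rc
  cfg=$(mktemp) || return 1
  req_config "$@" > "$cfg" && openssl req -new -newkey rsa:2048 -nodes \
    -config "$cfg" -keyout "$1.key" -out "$1.csr"
  rc=$?
  rm -f "$cfg"
  return "$rc"
}
```

Calling `make_csr host.example.org www.example.org 192.0.2.10` produces a request whose SAN list starts with the common name. When the request is signed with `openssl ca`, the SAN only reaches the issued certificate if the CA section sets `copy_extensions`, so inspect the result with `openssl x509 -noout -text`.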