Google Chrome – Common Name Invalid with Subject Alternative Name

Most of us have run into this issue with Chrome: version 58 and above throws an error for all internal sites and now flags them as untrusted.

If you’re using a Self-Signed certificate for your HTTPS server then this will be affecting you as well.

Chrome 58 requires that certificates specify the hostname(s) or IP address(es) in the SubjectAltName field, and it ignores values in the Subject field. Firefox made the same kind of change earlier, from v 48 and above.


Chrome displays the following error when you are affected by this change:

[Screenshot: Common Name Invalid error in Chrome]

If you click Advanced, then it will show that Subject Alternative Name is invalid.

To fix this, you will have to reissue certificates for all of your internal websites. The new certificate will look like the picture below:

[Screenshot: certificate fields]

To fix this in your environment, you will have to reissue the certificate with the appropriate fields. Luckily, Microsoft already has a Certificate Template with SAN (Subject Alternative Name). Follow the steps below to resolve it:

Add Certificate Template

  1. Go to Certification Authority in your domain.
  2. Click on Certificate Templates and check whether you already have a template with SAN details. If not, proceed to step 3. If you already have one, go to the Issue certificate steps.
  3. Right-click on Certificate Templates and click Manage.
  4. In Certificate Template Manager, right-click on “Computer” and click “Duplicate Template”.
  5. The Properties window will appear. Change the compatibility settings as required for your domain level.
  6. Go to the General tab and modify the Template Display Name and Validity Period.
  7. Go to the Request Handling tab and select “allow private keys to be exported” as required.
  8. Click on the Subject Name tab and select “Supply in the request”.
  9. Click OK to finish. The new template will appear on the right-hand side.
  10. Go back to Certification Authority, right-click on “Certificate Templates”, and select “New” and “Certificate Template to Issue”.
  11. Select the newly created certificate template and click OK.

 

This Certificate Template is now ready to be used.

Issue certificate

To Issue certificate with new Template, follow steps below:

  1. Open mmc.
  2. Go to the File menu and select “Add and Remove Snap-in”, or press Ctrl+M.
  3. Select “Certificates” and click “Add”.
  4. Select “Computer Account” and click Next.
  5. Select “Local Computer” and click Finish.
  6. Click OK to finish.
  7. Expand “Certificates (Local Computer)” -> Personal -> Certificates.
  8. Right-click in the empty space and select “All Tasks” and “Request New Certificate”.
  9. Click Next on the Certificate Enrollment wizard.
  10. Click Next to continue.
  11. Click on “More information is required to enroll for this certificate”.
  12. On the Subject tab, select Common Name for Subject Name and DNS for Alternative Name. Type in the appropriate details. You can have multiple records for DNS, including a combination of FQDNs and IP addresses.
  13. Make sure that you have all the DNS entries added to the certificate.
  14. Go to the “General” tab and provide the Friendly Name and Description (optional).
  15. Go to the “Certificate Authority” tab and select the appropriate CA if you have more than one. Click OK to finish.
  16. Select the required template and click “Enroll”.
  17. The wizard will show the enrollment status, whether it enrolled successfully or not.
  18. Once enrolled properly, the certificate will appear under Certificates.
  19. Double-click on the required certificate to validate it. Make sure the correct Subject Alternative Name field is populated.
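
A scripted equivalent of the enrollment and validation steps above, as an added example that is not part of the original post. It assumes the duplicated template is named ComputerWithSAN and uses constructed host names; run it in an elevated PowerShell session on a domain-joined server.

```powershell
# Added example. Template name and host names are placeholders (assumptions).
$templateName = 'ComputerWithSAN'          # assumed name of the duplicated template
$commonName   = 'intranet.corp.example'    # constructed sample values
$dnsNames     = @('intranet.corp.example', 'intranet')

# DNS entries of the Subject Alternative Name extension (OID 2.5.29.17).
# Reads the extension directly: $cert.DnsNameList falls back to the Subject
# when no SAN exists, which would hide the case Chrome 58 rejects.
function Get-SanDnsName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return }
    # Format() output is localized; 'DNS Name=' is the English label.
    [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

# True if a SAN DNS entry covers the host; the Subject CN is never consulted.
function Test-SanCoversHost {
    param($Certificate, [string]$HostName)
    foreach ($entry in @(Get-SanDnsName -Certificate $Certificate)) {
        if ($entry -eq $HostName) { return $true }      # -eq ignores case
        if ($entry.StartsWith('*.')) {
            # A wildcard covers exactly one left-most label.
            $null, $parent = $HostName -split '\.', 2
            if ($parent -and $entry.Substring(2) -eq $parent) { return $true }
        }
    }
    return $false
}

# Steps 8-16: request the certificate into the Local Computer Personal store.
$result = Get-Certificate -Template $templateName -SubjectName "CN=$commonName" `
    -DnsName $dnsNames -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Enrollment status: $($result.Status)" }

# Step 19: confirm every requested name is present in the SAN.
foreach ($name in $dnsNames) {
    [pscustomobject]@{ HostName = $name
                       InSan    = Test-SanCoversHost $result.Certificate $name }
}

# Other certificates in the same store that still lack DNS SAN entries.
Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { @(Get-SanDnsName -Certificate $_).Count -eq 0 } |
    Select-Object Subject, Thumbprint, NotAfter
```

Because the template accepts a subject supplied in the request, keep Enroll permission on it limited to the servers or administrators that need it.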

 

That is it.

I know there are numerous steps involved, but this is one of the easiest ways to fix the Chrome prompt.

 

I hope you find it useful, please feel free to comment and like.
