Google Chrome – Common Name Invalid with Subject Alternative Name
Some of us, or I should say most of us, have run into this issue with Chrome: Chrome v58 and above throws an error for all internal sites and now flags them as untrusted.
If you're using a self-signed certificate for your HTTPS server, this will affect you as well.
Chrome 58 requires that certificates specify the hostname(s) or IP address(es) in the SubjectAltName field. Chrome ignores values in the Subject field. Firefox started this type of change earlier, from v48 and above.
The following error is displayed when you are affected by this change in Chrome:
If you click Advanced, it will show that the Subject Alternative Name is invalid.
To fix this in your environment, you will have to reissue the certificates for all of your internal websites with the appropriate fields. The new certificate will look like the picture below:
Luckily, Microsoft already has a certificate template with SAN (Subject Alternative Name). Follow the steps below to resolve it:
Add Certificate Template
- Go to Certification Authority in your domain.
- Click on Certificate Templates and check whether you already have a template with SAN details. If not, proceed to the next step. If you already have one, go to the steps for issuing a certificate.
- Right-click on Certificate Templates and click Manage.
- In Certificate Template Manager, right-click “Computer” and click “Duplicate Template”.
- A Properties window will appear. Change the compatibility settings as required for your domain level.
- Go to the General tab and modify the Template Display Name and Validity Period.
- Go to the Request Handling tab and select “allow private keys to be exported” as required.
- Click on the Subject Name tab and select “Supply in the request”.
- Click OK to finish. The new template will appear on the right-hand side.
- Go back to Certification Authority, right-click “Certificate Templates”, then select “New” and “Certificate Template to Issue”.
- Select the newly created certificate template and click OK.
This Certificate Template is now ready to be used.
To issue a certificate with the new template, follow the steps below:
- Open mmc
- Go to File Menu and Select “Add and Remove Snap-in” or press Ctrl+M
- Select “Certificates” and Click “Add”
- Select “Computer Account” and Click Next
- Select “Local Computer” and Click Finish
- Click OK to Finish
- Expand “Certificates (Local Computer)” -> Personal -> Certificates
- Right-click in the empty space and select “All Tasks”, then “Request New Certificate”
- Click Next on Certificate Enrollment Wizard
- Click Next to Continue
- Click on “More information is required to enroll for this certificate”
- On the Subject tab, select Common Name for Subject Name and DNS for Alternative Name. Type in the appropriate details. You can have multiple DNS records, including a combination of FQDNs and IP addresses.
- Make sure that you have added all the DNS entries to the certificate
- Go to the “General” tab and provide the Friendly Name and Description (optional)
- Go to the “Certificate Authority” tab and select the appropriate CA if you have more than one. Click OK to finish
- Select the required template and click “Enroll”
- The wizard will report whether the enrollment succeeded or not.
- Once enrolled properly, the certificate will appear under Certificates.
- Double-click the required certificate to validate it. Make sure the Subject Alternative Name field is populated correctly.
That is it.
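The final validation step can also be done from PowerShell across every certificate in the Local Computer store, which helps to find the ones that still need reissuing. This is an added example, not part of the original post; the function names `Get-SanEntry` and `Test-CertificateSan` and the host name `intranet.corp.example` are made up for illustration, and the parsing assumes an English-language Windows installation.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Lists certificates in the Local Computer "Personal" store and flags those
# with no DNS/IP entry in Subject Alternative Name, which Chrome 58+ rejects.

function Get-SanEntry {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # 2.5.29.17 is the OID of the Subject Alternative Name extension.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return }

    # Format($true) prints one entry per line, e.g. "DNS Name=intranet.corp.example".
    # Assumption: English Windows, where the labels are "DNS Name" and "IP Address".
    $ext.Format($true) -split '\r?\n' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^(DNS Name|IP Address)=' } |
        ForEach-Object { ($_ -split '=', 2)[1] }
}

function Test-CertificateSan {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        # Optional: the exact name users type in the browser.
        [string]$ExpectedName
    )
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $san = @(Get-SanEntry -Certificate $_)
        [pscustomobject]@{
            Subject      = $_.Subject
            Thumbprint   = $_.Thumbprint
            NotAfter     = $_.NotAfter
            San          = $san -join ', '
            # No SAN at all: Chrome ignores the Subject CN, so reissue.
            NeedsReissue = ($san.Count -eq 0)
            # Exact, case-insensitive match only; wildcard entries are not expanded.
            CoversName   = if ($ExpectedName) { $san -contains $ExpectedName } else { $null }
        }
    }
}

# Constructed host name; replace with one of your internal sites.
Test-CertificateSan -ExpectedName 'intranet.corp.example' |
    Sort-Object NeedsReissue -Descending |
    Format-Table Subject, NotAfter, San, NeedsReissue, CoversName -AutoSize
```

Rows with `NeedsReissue` set to `True` are the certificates to replace using the enrollment steps above.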
I know there are numerous steps involved, but this is one of the easiest ways to fix the Chrome prompt.
I hope you find it useful, please feel free to comment and like.