05-24-2017 09:23 PM
This announcement from Google recently made the news that the latest version of Google Chrome no longer honours X.509 certificates if the SAN (Subject Alternative Name) is missing.
I have tested it myself and it's true. There is still an option to proceed to the 'unsafe' web page, but in some cases I have seen a complete failure to browse https pages with a missing SAN in the cert.
Perhaps it's more important than ever to ensure that when we create certificates, we always populate the SAN field - and not just treat it like a nice-to-have option. I don't think any of the Cisco literature stresses this point enough - although it does say that if the Subject is blank, then the SAN must be filled in.
The SAN attributes are not as ambiguous as the Subject and thus should be used instead of the Subject. Apparently the Subject field was deprecated in the year 2000 when https came about. I had no idea.
Quoted from the article:
"Many people don’t know that the “Common Name” field of an SSL certificate, which contains the domain name the certificate is valid for, was actually phased-out via RFC nearly two decades ago. Instead, the SAN (Subject Alternative Name) field is the proper place to list the domain(s)."
06-01-2017 11:37 AM
Arne,
I think the latest Chrome also does not allow you to access a secure website when the SAN field does not match the URL. I am facing this issue during web redirection on wired. On Internet Explorer and Firefox I see a warning message, but they still let me proceed to the website.
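An added example, not part of any post in this thread: a shell check for the two failures described above (a certificate with no SAN, and a SAN that does not match the hostname). It assumes OpenSSL 1.1.1 or later on the PATH; the hostnames and the function names `make_cert` and `san_only_match` are constructed for illustration.

```bash
#!/bin/sh
# Added example. Hostnames under example.test are constructed placeholders.

# make_cert OUT CN [SAN]: write a throwaway self-signed certificate to OUT.
# The SAN extension is added only when a third argument is given.
make_cert() {
  out=$1; cn=$2; san=${3:-}
  set -- -x509 -newkey rsa:2048 -nodes -days 1 \
         -keyout "$out.key" -out "$out" -subj "/CN=$cn"
  if [ -n "$san" ]; then
    set -- "$@" -addext "subjectAltName=$san"
  fi
  openssl req "$@" 2>/dev/null
}

# san_only_match CERT HOST: succeed only if HOST matches a dNSName in the SAN.
# The Common Name is never consulted, mirroring a client that ignores it.
san_only_match() {
  cert=$1; host=$2
  # Step 1: require at least one DNS entry in the SAN. This must come first,
  # because OpenSSL's -checkhost falls back to the CN when no dNSName exists.
  openssl x509 -in "$cert" -noout -text \
    | grep -A1 'X509v3 Subject Alternative Name' \
    | grep -q 'DNS:' || return 1
  # Step 2: with a dNSName present, -checkhost compares against the SAN only.
  openssl x509 -in "$cert" -noout -checkhost "$host" \
    | grep -q 'does match certificate'
}

# Demo: same CN on both certificates, only one carries a SAN.
tmp=$(mktemp -d)
make_cert "$tmp/cn-only.pem"  portal.example.test
make_cert "$tmp/with-san.pem" portal.example.test \
          "DNS:portal.example.test,DNS:guest.example.test"
for c in cn-only with-san; do
  if san_only_match "$tmp/$c.pem" portal.example.test; then
    echo "$c: accepted"
  else
    echo "$c: rejected (no matching SAN dNSName)"
  fi
done
```

To audit an existing certificate, call `san_only_match` on its PEM file with the hostname users will type or be redirected to.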
06-01-2017 11:51 AM
Hosuk recently added a document for Chrome OS, please take a look:
Google Suite Guest SSO (Single Sign On) with ISE via SAML for Chromebooks
Thanks
Imran