
How to create tomcat certificates that are accepted by Google Chrome?

mpieper
Level 1

I have hit somewhat of a wall...

More and more, Google Chrome (or rather Chromium, but Chrome behaves the same) is used internally to administer our systems.

But, for some stupid reason, Chrome does not accept the certificates that are installed on our various Callmanager and Unity clusters, with the error message NET::ERR_CERT_COMMON_NAME_INVALID.

Internet Explorer accepts those certificates just fine.

 

I found a couple of issues that Chrome has:

Chrome always converts entered URLs to lower case, but with certificates, capitalization seems to matter.

According to some info I found, Chrome supposedly ignores the CN and looks at the SANs instead. Our certificate guy was successfully able to add SANs to the requests that CUCM generates.

 

The capitalization seems to really matter, since our hostnames are capitalized (HOSTNAME) and the domain is CamelCase (DomainName.net).

 

I was able to get certificates for single-server systems to work by adding the lower-case FQDN and hostname as SANs:

DNS Name=HOSTNAME.DomainName.net

DNS Name=hostname.domainname.net

DNS Name=HOSTNAME

DNS Name=hostname

Common Name of that certificate is HOSTNAME.DomainName.net

 

Without the lower-case SANs, I get Common Name Invalid in Chrome. *grumble*

 

But for Multi-SAN certificates that alone does not work.

Example:

 

CN: PUBLISHER.DomainName.net-ms

SANs, all DNS Name:

PUBLISHER.DomainName.net-ms

DomainName.net

PUBLISHER.DomainName.net

publisher.domainname.net

SUBSCRIBER1.DomainName.net

subscriber1.domainname.net

SUBSCRIBER2.DomainName.net

subscriber2.domainname.net

PUBLISHER

SUBSCRIBER1

SUBSCRIBER2

publisher

subscriber1

subscriber2

 

That certificate is not accepted by Chrome regardless of whether I use just the hostname or the FQDN to access the server.

 

If it is relevant, some general information:

Callmanager/Unity Versions: 10.5.2.x

Chromium Version: 68.0.3440.134

All certificates are SHA256

Certificates are signed by our own internal CA; root and intermediate certificates are properly installed on the servers and clients.

Internet Explorer accepts all these certificates without problems.
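
An added example, not part of the original post: a small Python check that matches the names typed into the browser against a certificate's dNSName SAN entries only, following the RFC 6125 rules (case-insensitive comparison, CN never consulted). It is not a reproduction of Chrome's verifier; the function names are hypothetical and `SAMPLE_SANS` is the single-server SAN list quoted in the post.

```python
# Added example (not from the post): SAN-only name check per RFC 6125.
# SAMPLE_SANS is the single-server SAN list quoted in the post.
SAMPLE_SANS = """\
DNS Name=HOSTNAME.DomainName.net
DNS Name=hostname.domainname.net
DNS Name=HOSTNAME
DNS Name=hostname
"""

def parse_sans(text):
    """Return dNSName values from 'DNS Name=...' lines or bare names."""
    names = []
    for line in text.splitlines():
        value = line.strip()
        if value.lower().startswith("dns name="):
            value = value.split("=", 1)[1].strip()
        if value:
            names.append(value)
    return names

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, host):
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False
    if p[0] == "*":  # a wildcard covers exactly one left-most label
        return len(p) > 1 and p[1:] == h[1:]
    return p == h

def check_host(host, common_name, san_text):
    """Return (verdict, matching_san); common_name is accepted only to
    show that it plays no part in the result."""
    sans = parse_sans(san_text)
    if not sans:
        return ("no-san", None)  # CN-only certificate: nothing to match against
    for san in sans:
        if san_matches(san, host):
            return ("match", san)
    return ("mismatch", None)

def uncovered(hosts, san_text):
    """Names admins type in the browser that no SAN entry covers."""
    return [h for h in hosts if check_host(h, None, san_text)[0] != "match"]

if __name__ == "__main__":
    for url_host in ("hostname.domainname.net", "hostname", "othernode.domainname.net"):
        print(url_host, check_host(url_host, "HOSTNAME.DomainName.net", SAMPLE_SANS))
```

Feeding `uncovered()` every hostname and FQDN that administrators actually enter for a cluster shows which names still need a SAN entry before the CSR goes to the CA.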

 
