Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1200
Views
0
Helpful
4
Replies

How to create tomcat certificates that are accepted by Google Chrome?

mpieper
Level 1
Level 1

‎11-15-2018 01:58 AM - edited ‎03-19-2019 01:36 PM

I have hit somewhat of a wall...

More and more, Google Chrome (or rather Chromium, but Chrome behaves the same) is used internally to administer our systems.

But, for some stupid reason, Chrome does not accept the certificates that are installed on our various Callmanager and Unity Clusters, with the error message NET::ERR_CERT_COMMON_NAME_INVALID

Internet Explorer accepts those certificates just fine.

 

I found a couple of issues that Chrome has:

Chrome always converts entered URLs to lower case, but with certificates, capitalization seems to matter.

According to some info I found, Chrome supposedly ignores the CN and looks at the SANs instead. Our certificate guy was successfully able to add SANs to the requests that CUCM generates.

 

The capitalization seems to really matter, since our Hostnames are capitalized (HOSTNAME) and the Domain is CamelCase (DomainName.net)

 

I was able to get certificates for single server systems to get to work, by adding the lower-case FQDN and hostname as SANs:

DNS Name=HOSTNAME.DomainName.net

DNS Name=hostname.domainname.net

DNS Name=HOSTNAME

DNS Name=hostname

Common Name of that certificate is HOSTNAME.DomainName.net

 

Without the lower case SANs, i get Common Name Invalid in Chrome. *grumble*

 

But for Multi-SAN certificates that alone does not work.

Example:

 

CN: PUBLISHER.DomainName.net-ms

SANs, all DNS Name:

PUBLISHER.DomainName.net-ms

DomainName.net

PUBLISHER.DomainName.net

publisher.domainname.net

SUBSCRIBER1.DomainName.net

subscriber1.domainname.net

SUBSCRIBER2.DomainName.net

subscriber2.domainname.net

PUBLISHER

SUBSCRIBER1

SUBSCRIBER2

publisher

subscriber1

subscriber2

 

That certificate is not accepted by Chrome regardless of whether i use just the hostname or the FQDN to access the server.

 

If it is relevant, some general Information:

Callmanager/Unity Versions: 10.5.2.x

Chromium Version: 68.0.3440.134

All certificates are SHA256

Certificates are signed by our own internal CA, Root and Intermediate certificates are properly installed on the servers and clients.

Internet Explorer accepts all these certificates without problems.

 

1 person had this problem
Labels:
0 Helpful
4 Replies 4

mpieper
Level 1
Level 1

‎12-03-2018 06:20 AM

Hmm, no one has this issue, or no one cares about certificate warnings?

I would like to have proper certificates for the user facing site...

 

0 Helpful

Flo.Matalis
Level 1
Level 1
In response to mpieper

‎12-03-2018 09:20 PM

What I did for my project was:

1. Generate Tomcat CSR
2. Sign the generated CSR from your CA
3. Upload the root CA as Tomcat-trust
4. Upload the signed CSR as Tomcat
5. Restart Tomcat service
6. On your Chrome browser, you should enter the FQDN of your server.

Make sure that the root CA is also uploaded on your PC.

Please rate if this helps. Thanks!
0 Helpful

mpieper
Level 1
Level 1
In response to Flo.Matalis

‎12-04-2018 02:18 AM

That is how the certificates have been created, except for the in-between step where our certificate guy added the SANs.

The SANs are added for these reasons:

- So that we do not always have to type the FQDN

- Chrome always converts entered URLs to lower-case. Our hostnames, and therefore the pre-populated CN and SANs are uppercase. This should not matter, but tests I did confirm that it really does.

- CSRs for standalone server do not contain any SANs

I have gotten this to work on one of our single server systems, but not on any of our clusters.

 

The working certificate for a single server looks as follows:

CN: HOSTNAME.DomainName.net

SANs, all DNS Name:

HOSTNAME.DomainName.net

DomainName.net

hostname

HOSTNAME

hostname.domainname.net

 

This certificate works for just the hostname, and also for the FQDN.

 

The CA structure itself works, it is used for essentially everything certificate based in our company. If that would not work, nothing would work here ;)

Also, all these certificates that chrome rejects are accepted by Internet Explorer just fine. Not in Firefox, but that is because it does not use the Windows certificate store by default.

I hope there is a way to get a working cluster certificate, i do not really want to issue single server certificates for all nodes separately.

0 Helpful

Flo.Matalis
Level 1
Level 1
In response to mpieper

‎12-04-2018 07:27 PM

Hi, I am currently running on CUCM 11.5.

When I generated for the Tomcat CSR, I have the option to choose what "Distribution" - asked if it will be for 1 server or "Multi-server(SAN)". Chose Multi-server (SAN) and I only uploaded 1 signed certificate and it populated to all CUCM and IMP servers.
0 Helpful
Customers Also Viewed These Support Documents