Certificate requirements Google Chrome

Article ID: 15811

Updated On:

Products

Top Secret
Top Secret - LDAP

Issue/Introduction

What are the certificate requirements that are supported by Google Chrome?

 

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component:

Resolution

Google Chrome certificate requirements are documented by Google.

At the beginning of 2017, Chrome stopped supporting SHA-1 certificates, so certificates that once worked perfectly well may no longer work.

Here is an article with more proposed changes this year:

http://www.valuewalk.com/2017/06/google-chrome-vs-symantec-certificate/

There could be more changes by the end of the year.

The following articles document some of Chrome's SSL requirements for the root:

http://www.valuewalk.com/2017/06/google-chrome-vs-symantec-certificate/

http://www.zdnet.com/article/google-tightening-ssl-security-in-chrome/

 

https://venturebeat.com/2015/12/18/google-will-drop-sha-1-encryption-from-chrome-by-january-1-2017/

The following was successfully tested with Chrome release 60:

1. Create the root certificate (SHA-2, 2048-bit key size).

TSS GENCERT(CERTAUTH) DIGICERT(ROOT2048) SUBJECTN('CN="ROOT2048"')

TSS LIST(CERTAUTH) DIGICERT(ROOT2048)

2. Create the client certificate (SHA-2, 2048-bit key size).

TSS GENCERT(USERA) DIGICERT(SHA22048) SUBJECTN('CN="SHA22048"') KEYSIZE(2048) SIGNWITH(CERTAUTH,ROOT2048)

TSS LIST(USERA) DIGICERT(SHA22048)

3. Export the root and the client certificates.

TSS EXPORT(USERA) DIGICERT(SHA22048) PKCSPASS(SHA22048) FORMAT(PKCS12DER) DCDSN('USERA.CERT.SHA22048')

TSS EXPORT(CERTAUTH) DIGICERT(ROOT2048) PKCSPASS(ROOT2048) FORMAT(PKCS12DER) DCDSN('USERA.CERT.ROOT2048')

4. Verify the certificate datasets.

TSS CHKCERT PKCSPASS(ROOT2048) DCDSN('USERA.CERT.ROOT2048')

TSS CHKCERT PKCSPASS(SHA22048) DCDSN('USERA.CERT.SHA22048')

5. Add the certificates to Chrome.

An external root such as Symantec, GoDaddy or Digicert.com is recommended for SSL connections from clients on the internet.

For internal intranet connections, an internal root created by Top Secret is fine.
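
To confirm that the files exported in step 3 carry the properties the procedure sets (no SHA-1 signature, RSA key of at least 2048 bits) before they are added to Chrome in step 5, they can be checked on the workstation with OpenSSL. This is an added example, not part of the original article or the vendor's procedure; it assumes the datasets were transferred in binary and the `openssl` command is installed, and the function names and the `P12PASS` variable are chosen here for illustration.

```shell
#!/bin/sh
# Added example, not from the article. Checks every certificate in a PKCS#12 file for
# the two properties the article's procedure sets: no SHA-1 signature, RSA key >= 2048 bits.
# The PKCS#12 password is read from the exported environment variable P12PASS (assumed name).
# Returns 0 = meets both, 1 = weak digest or short key, 2 = file could not be read.
chrome_cert_check() {
    tmp=$(mktemp) || return 2
    # -nokeys: extract certificates only, so no private key touches the temp file.
    if ! openssl pkcs12 -in "$1" -nokeys -passin env:P12PASS -out "$tmp" 2>/dev/null; then
        rm -f "$tmp"; echo "ERROR: cannot read $1"; return 2
    fi
    # Print the text form of all certificates in the bundle, not just the first one.
    text=$(openssl crl2pkcs7 -nocrl -certfile "$tmp" 2>/dev/null |
           openssl pkcs7 -print_certs -text -noout 2>/dev/null)
    rm -f "$tmp"
    [ -n "$text" ] || { echo "ERROR: no certificate in $1"; return 2; }
    status=0
    # SHA-1 signatures are what Chrome stopped accepting; MD5 is flagged as well.
    if printf '%s\n' "$text" | grep -Eiq 'Signature Algorithm:.*(md5|sha1)'; then
        echo "FAIL: SHA-1 or MD5 signature algorithm"; status=1
    fi
    # Collect RSA key sizes below 2048 bits; other key types are not judged here.
    short=$(printf '%s\n' "$text" | awk '
        /Public Key Algorithm:/ { rsa = ($0 ~ /rsaEncryption/) }
        rsa && /Public-Key: \(/ { n = $0; sub(/.*\(/, "", n); sub(/ bit.*/, "", n)
                                  if (n + 0 < 2048) print n }')
    if [ -n "$short" ]; then
        echo "FAIL: RSA key shorter than 2048 bits"; status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: no SHA-1/MD5 signature, RSA keys are 2048 bits or more"
    return "$status"
}

# Constructed sample input: a throwaway self-signed certificate wrapped in PKCS#12.
# $1 = output file, $2 = digest name (sha256, sha1), $3 = RSA key size in bits.
make_sample_p12() {
    dir=$(mktemp -d) || return 2
    openssl req -x509 -newkey "rsa:$3" "-$2" -nodes -days 1 -subj "/CN=sample" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -passout env:P12PASS -out "$1" 2>/dev/null
    made=$?; rm -rf "$dir"; return "$made"
}
```

Run it as `P12PASS=... chrome_cert_check file.p12` with `P12PASS` exported, once for the client export and once for the root export.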