Creating A Certificate In Top Secret For Google Chrome

Article ID: 15811

Products

CA Top Secret CA Top Secret - LDAP

Issue/Introduction

What is the method to create a certificate that is supported by Google Chrome?

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component:

Resolution

Top Secret does not document the certificate requirements of Google Chrome. Chrome changes its certificate requirements frequently, does not notify third-party vendors of them, and gives no advance notice of changes. It is Chrome's responsibility to document its requirements.

At the beginning of 2017, Chrome stopped supporting SHA-1 certificates, so certificates that once worked perfectly well may no longer be accepted.

Here is an article with more changes proposed for 2017:

http://www.valuewalk.com/2017/06/google-chrome-vs-symantec-certificate/

There could be more changes by the end of the year.

There are sites running Chrome with z/OSMF. Firefox and Chrome are the most widely used browsers.

The following articles document some of Chrome's SSL requirements for the root certificate:

http://www.zdnet.com/article/google-tightening-ssl-security-in-chrome/

https://chromessl.com/

https://venturebeat.com/2015/12/18/google-will-drop-sha-1-encryption-from-chrome-by-january-1-2017/

The following was successfully tested with Chrome release 60:

1. Create the root certificate with a SHA-2 signature and a 2048-bit key.

TSS GENCERT(CERTAUTH) DIGICERT(ROOT2048) SUBJECTN('CN="ROOT2048"') KEYSIZE(2048)

TSS LIST(CERTAUTH) DIGICERT(ROOT2048)

2. Create the client certificate with a SHA-2 signature and a 2048-bit key, signed by the root.

TSS GENCERT(USERA) DIGICERT(SHA22048) SUBJECTN('CN="SHA22048"') KEYSIZE(2048) SIGNWITH(CERTAUTH,ROOT2048)

TSS LIST(USERA) DIGICERT(SHA22048)

3. Export the root and the client certificates as PKCS#12 datasets.

TSS EXPORT(USERA) DIGICERT(SHA22048) PKCSPASS(SHA22048) FORMAT(PKCS12DER) DCDSN('USERA.CERT.SHA22048')

TSS EXPORT(CERTAUTH) DIGICERT(ROOT2048) PKCSPASS(ROOT2048) FORMAT(PKCS12DER) DCDSN('USERA.CERT.ROOT2048')

4. Verify the certificate datasets.

TSS CHKCERT PKCSPASS(ROOT2048) DCDSN('USERA.CERT.ROOT2048')

TSS CHKCERT PKCSPASS(SHA22048) DCDSN('USERA.CERT.SHA22048')

5. Add the certs to Chrome.
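TSS CHKCERT in step 4 confirms that the exported dataset is a readable PKCS#12 package; it does not tell you whether the certificate inside it carries the two properties this article is about (a SHA-2 signature algorithm and a 2048-bit RSA key). The following Python script is an added example, not part of this article or of the Top Secret product: it parses a DER-encoded X.509 certificate with the standard library only, reports the signature algorithm and RSA modulus size, and flags anything below those thresholds before the certificate is imported into Chrome. The sample certificates it builds are constructed in the script itself with a synthetic modulus and a dummy signature; they are not real Top Secret exports, and the 2048-bit minimum is the threshold assumed from the steps above.

```python
"""Check a DER X.509 certificate for a SHA-2 signature and an RSA key of
at least 2048 bits.  Standard library only.  Sample certificates are
CONSTRUCTED below (synthetic modulus, dummy signature) for demonstration."""

# Signature-algorithm OIDs (RSA PKCS#1 v1.5 family) and the RSA key OID.
SIG_OID_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
SHA2_SIG_OIDS = {"1.2.840.113549.1.1.11", "1.2.840.113549.1.1.12", "1.2.840.113549.1.1.13"}
RSA_KEY_OID = "1.2.840.113549.1.1.1"
MIN_RSA_BITS = 2048   # assumed threshold, matching the KEYSIZE(2048) used in the steps above

# ---- minimal DER reader (single-byte tags, which is all X.509 uses) ----
def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Yield (tag, body) for each element nested in a SEQUENCE/SET body."""
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def check_certificate(der):
    """Return signature algorithm, RSA key size and whether both meet the thresholds."""
    _, cert, _ = read_tlv(der)
    tbs, sig_alg, _sig_value = list(children(cert))
    sig_oid = decode_oid(next(children(sig_alg[1]))[1])
    fields = list(children(tbs[1]))
    if fields[0][0] == 0xA0:                           # explicit [0] version is optional
        fields = fields[1:]
    spki = fields[5]      # serial, sigAlg, issuer, validity, subject, subjectPublicKeyInfo
    alg, spk_bitstring = list(children(spki[1]))
    if decode_oid(next(children(alg[1]))[1]) != RSA_KEY_OID:
        raise ValueError("only RSA public keys are handled here")
    rsa_key = read_tlv(spk_bitstring[1][1:])[1]        # skip the unused-bits byte
    modulus = next(children(rsa_key))[1]               # first INTEGER of RSAPublicKey
    key_bits = int.from_bytes(modulus, "big").bit_length()
    return {
        "signature_algorithm": SIG_OID_NAMES.get(sig_oid, sig_oid),
        "key_bits": key_bits,
        "meets_requirements": sig_oid in SHA2_SIG_OIDS and key_bits >= MIN_RSA_BITS,
    }

def check_file(path):
    """Check a DER certificate file (e.g. one extracted from a PKCS#12 export)."""
    with open(path, "rb") as f:
        return check_certificate(f.read())

# ---- minimal DER writer, used only to build CONSTRUCTED sample certificates ----
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def integer(n):   # (bit_length + 8) // 8 bytes keeps the DER sign bit clear
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def name(cn):     # one RDN: SET { SEQUENCE { commonName, UTF8String } }
    return seq(tlv(0x31, seq(oid("2.5.4.3"), tlv(0x0C, cn.encode()))))

def build_sample_cert(sig_oid, key_bits):
    """Constructed sample: valid structure, synthetic modulus, dummy signature."""
    sig_alg = seq(oid(sig_oid), tlv(0x05, b""))
    modulus = (1 << (key_bits - 1)) | 1                # top bit set so the size is exact; not a real key
    rsa_key = seq(integer(modulus), integer(65537))
    spki = seq(seq(oid(RSA_KEY_OID), tlv(0x05, b"")), tlv(0x03, b"\x00" + rsa_key))
    validity = seq(tlv(0x17, b"170101000000Z"), tlv(0x17, b"270101000000Z"))
    tbs = seq(tlv(0xA0, integer(2)), integer(1), sig_alg, name("ROOT2048"),
              validity, name("ROOT2048"), spki)
    return seq(tbs, sig_alg, tlv(0x03, b"\x00" + b"\x00" * (key_bits // 8)))

if __name__ == "__main__":
    for label, der in (("sha256/2048", build_sample_cert("1.2.840.113549.1.1.11", 2048)),
                       ("sha1/1024", build_sample_cert("1.2.840.113549.1.1.5", 1024))):
        print(label, check_certificate(der))
```

To run it against a real export, first pull the certificate out of the PKCS#12 dataset once it has been downloaded in binary to a workstation, for example with `openssl pkcs12 -in root2048.p12 -nokeys | openssl x509 -outform DER -out root2048.der`, then call `check_file("root2048.der")`. A result with `sha1WithRSAEncryption` or `key_bits` below 2048 is the certificate Chrome 60 will reject; regenerate it with the parameters shown in steps 1 and 2 rather than importing it.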

We recommend using an external root such as GoDaddy or GeoTrust if external clients from the Internet need to connect.

If there are only internal connections, then an internal root created by Top Secret is fine.