Google Chrome generates a Privacy error when connecting to the Encryption Management Server administration console

Article ID: 169558

Products

Encryption Management Server Gateway Email Encryption

Issue/Introduction

When connecting to the Encryption Management Server administration console using the Google Chrome browser, a Privacy error appears if a self-signed SSL certificate is being used by Encryption Management Server.

Even when the public part of the self-signed certificate is imported into the Windows certificate store as a Trusted Root Certification Authority certificate, Chrome does not trust the certificate when connecting to the Encryption Management Server administration console.

Errors from Chrome keep appearing when navigating the Encryption Management Server administration console and graphics are displayed intermittently.

The following error message is displayed by Chrome:

NET::ERR_CERT_COMMON_NAME_INVALID

Cause

Starting with Google Chrome version 58, Chrome no longer falls back to the certificate's Common Name (CN) when matching the hostname: the hostname must appear in a subjectAltName (SAN) extension, and a certificate without that extension fails hostname validation with NET::ERR_CERT_COMMON_NAME_INVALID even when the CN matches and the certificate is trusted. Self-signed certificates generated by Encryption Management Server do not include a subjectAltName extension. For further details on this change refer to this entry in the Chromium Git repository.

Environment

  • Encryption Management Server 3.3 and above.
  • Google Chrome version 58 and above.

Resolution

There are several possible solutions to this issue:

  1. Do not use self-signed certificates in Encryption Management Server. Use certificates generated by an internal or public Certificate Authority instead; these include a subjectAltName as a matter of course.
  2. Use a different browser. Firefox, for example, also warns about a self-signed certificate but lets you store a permanent exception for that host.
  3. Set a Chrome policy (through the Windows registry) that restores the Common Name fallback for locally trusted certificates.
  4. Generate a self-signed certificate that includes the subjectAltName extension.

A Chrome policy can restore the Common Name fallback, but only for certificates that chain to a locally installed trust anchor (such as the self-signed certificate imported as a Trusted Root Certification Authority above); it never applies to certificates issued by public CAs. On Windows it is set by creating a DWORD (32-bit) Value named EnableCommonNameFallbackForLocalAnchors under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome. If this value is set to 1 then Chrome falls back to the Common Name when a locally trusted certificate has no subjectAltName. If it is set to 0, or not present, Chrome keeps its default behaviour and the error remains. Note that Google does not recommend doing this because it weakens hostname validation for every site that presents a locally trusted certificate, and the policy was only supported from Chrome 58 to Chrome 65, so it has no effect on later versions. For further information please see the Chromium Policy List.

Generating a self-signed certificate that includes the subjectAltName extension fixes the problem for this server only and does not weaken Chrome's checks. It does, however, require the OpenSSL utility and, for the process substitution used in step 7, the bash shell. The following instructions have been tested using OpenSSL on CentOS Linux release 7.3.1611 but should also work with other operating systems:

  1. Generate a self-signed certificate in Encryption Management Server under System / Network / Certificates. Only the Hostname field needs to be populated.
  2. Under System / Network / Certificates click on the name of the self-signed certificate and then click on the Export button to export it. Choose to export the Keypair without a password. A binary file will be downloaded, for example, cert_0x450554FF5792ED0A.p12.
  3. Under System / Network / Certificates click on the icon to delete the self-signed certificate. It will not be needed again.
  4. Upload the *.p12 file to the machine that has OpenSSL installed.
  5. On the machine running OpenSSL, run the following command to convert the *.p12 binary file to a *.pem text format file, no password is needed so press the Enter key when prompted:
    # openssl pkcs12 -in cert_0x450554FF5792ED0A.p12 -out sems01.pem -nodes
    Enter Import Password:
    MAC verified OK
  6. Extract the private key from the *.pem file to a new file, for example, sems01.key. This can be done using a text editor or with the sed utility. Depending on the OpenSSL version the key may be written with -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- markers instead; if so, adjust the two markers in the sed range to match:
    # sed -n '/-----BEGIN PRIVATE KEY-----/,/-----END PRIVATE KEY-----/p' sems01.pem > sems01.key
  7. Use OpenSSL to create a self-signed certificate that includes the subjectAltName extension. In this example, the private key file is sems01.key, the Hostname of the Encryption Management Server is sems01.example.com, the public certificate file name to be generated is sems01.cer and the certificate will be valid for 3,650 days (10 years). The hostname in the -subj value and in the DNS: entry must be the name administrators type into the browser, and the path of openssl.cnf differs between distributions (for example /etc/ssl/openssl.cnf on Debian and Ubuntu), so adjust it if needed:
    # openssl req \
        -key sems01.key \
        -x509 \
        -nodes \
        -new \
        -out sems01.cer \
        -subj "/CN=sems01.example.com" \
        -reqexts SAN \
        -extensions SAN \
        -config <(cat /etc/pki/tls/openssl.cnf \
            <(printf '[SAN]\nsubjectAltName=DNS:sems01.example.com')) \
        -sha256 \
        -days 3650
  8. Combine the sems01.cer file and the sems01.key file into one file that can be copied and pasted into Encryption Management Server. Note that the private key needs to be first in the keypair file:
    # cat sems01.key sems01.cer > sems01-keypair.txt
  9. Download the keypair file from the machine that has OpenSSL installed.
  10. Open the keypair file in a text editor, select all the text and copy it to the clipboard.
  11. Under System / Network / Certificates click on the Add Certificate button and then the Import button to import a certificate.
  12. Select the Import Certificate Block option and paste the contents of the clipboard, then click the Import button to import the certificate block.
  13. Click on the name of the new certificate and confirm that its expiry date and hostname correspond to what is expected.
  14. Under System / Network assign the new certificate to an Interface.
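The conversion in steps 5 to 8, written as bash functions that can be run end to end. This is an added example and not part of the original article or of Encryption Management Server; it assumes OpenSSL 1.1.1 or later on the PATH and a keypair exported from the console without a password, and uses sems01.example.com and the file names from the steps above as placeholders. Unlike step 7 it writes its own minimal OpenSSL config instead of appending to the system openssl.cnf, so it does not depend on where that file lives, and it adds two checks that are worth running before pasting anything into the console: that the new certificate really carries the subjectAltName, and that it still matches the private key it is paired with.

```shell
#!/usr/bin/env bash
# Added example (not Encryption Management Server or Chrome code): the
# conversion steps 5-8 as bash functions. Assumptions: OpenSSL 1.1.1+ on
# PATH; the *.p12 was exported without a password; hostname and file names
# are placeholders.
set -eu

# Steps 5-6: pull the private key out of the password-less PKCS#12 bundle.
# "openssl pkey" re-emits it as clean PEM without the "Bag Attributes"
# lines that "openssl pkcs12" prints, so no sed range is needed.
extract_key() {   # extract_key <bundle.p12> <out.key>
    openssl pkcs12 -in "$1" -nocerts -nodes -passin pass: \
        | openssl pkey -out "$2"
}

# Step 7: self-sign a new certificate for the same key, with the hostname in
# a subjectAltName. A throwaway config replaces the system openssl.cnf.
issue_san_cert() {   # issue_san_cert <key> <hostname> <out.cer> [days]
    local key=$1 host=$2 out=$3 days=${4:-3650} cfg
    cfg=$(mktemp)
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[SAN]
subjectAltName = DNS:$host
EOF
    openssl req -x509 -new -key "$key" -sha256 -days "$days" \
        -subj "/CN=$host" -config "$cfg" -extensions SAN -out "$out"
    rm -f "$cfg"
}

# Step 8: private key first, then the certificate, as the console's
# "Import Certificate Block" expects.
build_keypair_block() {   # build_keypair_block <key> <cer> <out.txt>
    cat "$1" "$2" >"$3"
}

# The check that matters for Chrome 58+: print the SAN line of a certificate.
# Empty output means the certificate has no subjectAltName at all.
cert_san() {   # cert_san <cert.pem>
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Confirm the certificate in a keypair block belongs to the key in front of
# it by comparing the public key derived from each.
keypair_consistent() {   # keypair_consistent <keypair.txt>
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1" -noout -pubkey)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage, end to end, with the file exported from the console:
#   ./san_cert.sh cert_0x450554FF5792ED0A.p12 sems01.example.com
if [ "${1:-}" ] && [ "${2:-}" ]; then
    extract_key "$1" "$2.key"
    issue_san_cert "$2.key" "$2" "$2.cer"
    build_keypair_block "$2.key" "$2.cer" "$2-keypair.txt"
    echo "subjectAltName: $(cert_san "$2.cer")"
    echo "keypair block written to $2-keypair.txt"
fi
```

After running it, cert_san on the new certificate should print DNS:sems01.example.com and keypair_consistent should succeed; the original CN-only certificate exported from the console prints nothing for cert_san, which is exactly why Chrome rejects it.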