When connecting to the Encryption Management Server administration console using the Google Chrome browser, a Privacy error appears if a self-signed SSL certificate is being used by Encryption Management Server.
Even when the public part of the self-signed certificate is imported into the Windows certificate store as a Trusted Root Certification Authority certificate, Chrome does not trust the certificate when connecting to the Encryption Management Server administration console.
Errors from Chrome keep appearing when navigating the Encryption Management Server administration console and graphics are displayed intermittently.
The following error message is displayed by Chrome:
NET::ERR_CERT_COMMON_NAME_INVALID
Starting with Google Chrome version 58, Chrome no longer falls back to the certificate's Common Name when the SubjectAltName attribute is missing, so such certificates are no longer trusted for the host being visited. Self-signed certificates generated by Encryption Management Server do not include the SubjectAltName attribute. For further details on this change refer to this entry in the Chromium Git repository.
There are several possible solutions to this issue:
A change can be made in the Windows registry to cause Chrome to ignore a missing SubjectAltName attribute in all certificates from any site. It involves creating a new DWORD (32-bit) Value named EnableCommonNameFallbackForLocalAnchors under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome. If this value is set to 1 then Chrome will ignore the missing SubjectAltName attribute. If it is set to 0 then Chrome will check for the missing SubjectAltName attribute. Note that Google does not recommend doing this because it decreases security for all sites. For further information please see the Chromium Policy List.
Generating a self-signed certificate that includes the SubjectAltName attribute does not require a global change to Chrome. However, it does require the use of the OpenSSL utility. The following instructions have been tested using OpenSSL on CentOS Linux release 7.3.1611 but should also work with other operating systems:
# openssl pkcs12 -in cert_0x450554FF5792ED0A.p12 -out sems01.pem -nodes
Enter Import Password:
MAC verified OK
# sed -n '/-----BEGIN PRIVATE KEY-----/,/-----END PRIVATE KEY-----/p' sems01.pem > sems01.key
# openssl req \
-key sems01.key \
-x509 \
-nodes \
-new \
-out sems01.cer \
-subj "/CN=sems01.example.com" \
-reqexts SAN \
-extensions SAN \
-config <(cat /etc/pki/tls/openssl.cnf \
<(printf '[SAN]\nsubjectAltName=DNS:sems01.example.com')) \
-sha256 \
-days 3650
# cat sems01.key sems01.cer > sems01-keypair.txt
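Before the new key pair is imported, it is worth confirming that the certificate really carries the expected SubjectAltName, since a certificate built without it reproduces the same Chrome error. The script below is an added example, not from the original article or the product: it builds the SAN certificate from an existing key through a temporary config file (so it also runs under plain /bin/sh, which lacks the bash-only "<( )" process substitution used above) and then checks the SAN; the file names and the hostname sems01.example.com are assumptions.

```shell
#!/bin/sh
# Added helper (not part of the original article). Assumes the openssl
# command-line tool is installed; file names and host are placeholders.

# make_san_cert KEY OUT_CERT HOSTNAME [DAYS]
# Self-signed certificate from an existing private key, with subjectAltName set.
make_san_cert() {
    key=$1; out=$2; host=$3; days=${4:-3650}
    cnf=$(mktemp) || return 1
    # Minimal req config: the empty [dn] section is enough because -subj supplies the subject.
    printf '[req]\ndistinguished_name = dn\nx509_extensions = san\n[dn]\n[san]\nsubjectAltName = DNS:%s\n' "$host" > "$cnf"
    openssl req -x509 -new -nodes -sha256 -days "$days" -key "$key" \
        -subj "/CN=$host" -config "$cnf" -extensions san -out "$out" 2>/dev/null
    rc=$?
    rm -f "$cnf"
    return $rc
}

# cert_san_dns_names CERT
# Print each DNS: entry of the subjectAltName extension, one per line.
# Prints nothing when the extension is absent (the case Chrome 58+ rejects).
# Uses -text rather than -ext so it also works with OpenSSL 1.0.x (CentOS 7).
cert_san_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name:/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# cert_has_san_for_host CERT HOSTNAME
# Succeeds (exit 0) only if the SAN lists exactly HOSTNAME.
cert_has_san_for_host() {
    cert_san_dns_names "$1" | grep -qx "$2"
}

# Usage (placeholder names):
#   make_san_cert sems01.key sems01.cer sems01.example.com \
#     && cert_has_san_for_host sems01.cer sems01.example.com && echo "SAN ok"
```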