Overview

The latest versions of Google’s Chrome browser introduces a much stricter interpretation and implementation of paragraph 3.1 of RFC2818, dealing with Server Identity in the context of HTTP over TLS. This may cause Chrome to present users with a connection-security warning page in a number of situations as noted above.
 
Although the RFC document doesn’t formally prohibit the use of Common Names in the Subject field of certificates for the purposes of a server’s identification, use of the Subject Alternative Name (subjectAltName or SAN) extension for this purpose is cited as being preferred.

Error Message

When accessing a site noted in the situation above, a user will see an error/warning page such as the one below with error:

NET::ERR_CERT_COMMON_NAME_INVALID

Chrome browser version 58 and later, and:

• accessing secure websites hosted behind a ProxySG (reverse proxy)
• or accessing other websites through a ProxySG or ASG where redirect-mode authentication is performed over SSL
• or accessing the management console, via any version of the ProxySG or Advanced Secure Gateway (ASG).

Generate a new certificate that includes the subjectAltName and use it in place of the old certificate.

The management console or CLI currently does not provide an option to generate a Certificate Signing Request (CSR) that includes the subjectAltName extension.

Refer to How do I create a CSR with the subjectAltName extension for detailed steps on generating a CSR using Microsoft’s web server or on Linux/Unix systems.