Error: "NET::ERR_CERT_COMMON_NAME_INVALID" when accessing secure web sites via ProxySG or ASG


Article ID: 185071


Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

Overview

The latest versions of Google’s Chrome browser introduce a much stricter interpretation and implementation of section 3.1 of RFC 2818, which deals with Server Identity in the context of HTTP over TLS. This may cause Chrome to present users with a connection-security warning page in the situations listed under Environment.
 
Although the RFC document doesn’t formally prohibit the use of Common Names in the Subject field of certificates for the purposes of a server’s identification, use of the Subject Alternative Name (subjectAltName or SAN) extension for this purpose is cited as being preferred.

Error Message

When accessing a site in one of the situations listed under Environment, a user will see an error/warning page with the error:

NET::ERR_CERT_COMMON_NAME_INVALID


Environment

Chrome browser version 58 and later, and:

  • accessing secure websites hosted behind a ProxySG (reverse proxy)
  • or accessing other websites through a ProxySG or ASG where redirect-mode authentication is performed over SSL
  • or accessing the management console, via any version of the ProxySG or Advanced Secure Gateway (ASG).

Resolution

Generate a new certificate that includes the subjectAltName and use it in place of the old certificate.

Neither the management console nor the CLI currently provides an option to generate a Certificate Signing Request (CSR) that includes the subjectAltName extension.

Refer to "How do I create a CSR with the subjectAltName extension" for detailed steps on generating a CSR using Microsoft’s web server or on Linux/Unix systems.
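To decide which certificates need to be reissued, the following added example (not from the original article or the vendor) compares SAN-only matching with the legacy Common Name fallback. It assumes certificates in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the host names and sample certificates are constructed.

```python
# Added example: SAN-only vs. legacy CN-fallback server identity matching.
import ipaddress

def _dns_match(pattern, host):
    """Match one name; '*' is honoured only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # A wildcard covers exactly one label: *.x.com does not match a.b.x.com
        head, _, rest = h.partition(".")
        return bool(head) and rest == p[2:]
    return p == h

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def san_match(cert, host):
    """Strict check: only subjectAltName entries identify the server."""
    for kind, value in cert.get("subjectAltName", ()):
        if _is_ip(host):
            if kind == "IP Address" and \
               ipaddress.ip_address(value) == ipaddress.ip_address(host):
                return True
        elif kind == "DNS" and _dns_match(value, host):
            return True
    return False

def cn_match(cert, host):
    """Legacy fallback: compare the host with the Subject commonName."""
    return any(key == "commonName" and _dns_match(value, host)
               for rdn in cert.get("subject", ()) for key, value in rdn)

def classify(cert, host):
    if san_match(cert, host):
        return "ok"
    if cn_match(cert, host):
        return "cn-only"  # passes CN fallback only; a SAN-only client rejects it
    return "mismatch"

# Constructed sample certificates (hypothetical names and address).
OLD = {"subject": ((("commonName", "proxy.example.com"),),)}
NEW = {"subject": ((("commonName", "proxy.example.com"),),),
       "subjectAltName": (("DNS", "proxy.example.com"),
                          ("DNS", "*.corp.example.com"),
                          ("IP Address", "192.0.2.10"))}
```

A result of `cn-only` marks a certificate that matches only through its Common Name, which is the case that produces NET::ERR_CERT_COMMON_NAME_INVALID and calls for a replacement certificate with a subjectAltName.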
