Certain browsers complain about the default Admin UI certificate with error NET::ERR_CERT_COMMON_NAME_INVALID

Article ID: 207469

Products

SITEMINDER

Issue/Introduction

Certain versions of Edge or Chrome do not recognize the out-of-the-box SSL certificate on the Administrative UI as secure.

The following error appears when logging in:

"NET::ERR_CERT_COMMON_NAME_INVALID

Its security certificate does not specify Subject Alternative Names. This may be caused by misconfiguration or an attacker intercepting your connection."

Cause

Browsers have a setting that controls whether they check the Subject Alternative Name attribute of a server certificate.

The out-of-the-box certificate on the Administrative UI does not specify a Subject Alternative Name, hence the error is thrown.

Environment

Release : 12.8

Component : SITEMINDER WAM UI

Resolution

Customers can either disable the web browser's check for subject alternative names, or replace the offending certificate with one that uses the subjectAlternativeName extension.

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-7/installing/install-the-administrative-ui/optional-obtain-and-import-a-trusted-certificate-into-the-administrative-ui.html
(Optional) Obtain and Import a Trusted Certificate into the Administrative UI

When requesting a new certificate with the keytool command, pass the "-ext" option, e.g. -ext "SAN=IP:10.100.0.1"
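The following script is an added example, not part of this article or of the SiteMinder product: it builds the keytool "-ext" value from a list of hostnames and IP addresses, creates a key pair and CSR that both carry the subjectAlternativeName extension, and checks whether a stored certificate lists a SAN at all. The keystore path, alias, password and distinguished name are placeholders (assumptions), and it assumes a JDK keytool on the PATH.

```shell
#!/bin/sh
# Added example (not from the KB article): build the keytool "-ext" value so
# the Admin UI certificate carries a subjectAlternativeName, and verify it.
# Assumptions: keytool (JDK) is on PATH; keystore path, alias, password and
# DN used below are placeholders, not SiteMinder's real defaults.

# Build "SAN=DNS:host,IP:addr,..." from a list of names. IPv4 dotted quads
# and anything containing ':' (IPv6) become IP: entries, the rest DNS:.
san_ext() {
    out=""
    for n in "$@"; do
        case "$n" in
            *:*) entry="IP:$n" ;;
            *)
                if printf '%s' "$n" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
                    entry="IP:$n"
                else
                    entry="DNS:$n"
                fi ;;
        esac
        out="${out:+$out,}$entry"
    done
    printf 'SAN=%s' "$out"
}

# Generate a key pair and a CSR that both carry the SAN extension. keytool does
# not copy extensions from the key pair into the CSR, so -ext is passed twice.
# Usage: make_keystore_with_san <keystore> <alias> <password> <CN> <name>...
make_keystore_with_san() {
    ks=$1; al=$2; pass=$3; cn=$4; shift 4
    san=$(san_ext "$@")
    keytool -genkeypair -keystore "$ks" -storepass "$pass" -keypass "$pass" \
        -alias "$al" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$cn, O=Example" -ext "$san"
    keytool -certreq -keystore "$ks" -storepass "$pass" -alias "$al" \
        -ext "$san" -file "$ks.csr"
}

# Return 0 if the certificate stored under <alias> lists a SAN extension, i.e.
# a browser has a SAN to match the hostname against instead of the CN.
# Usage: has_san <keystore> <alias> <password>
has_san() {
    keytool -list -v -keystore "$1" -storepass "$3" -alias "$2" 2>/dev/null \
        | grep -q 'SubjectAlternativeName'
}
```

Send the generated CSR to the CA, then import the signed reply under the same alias as described in the linked documentation; run has_san on the result before restarting the Administrative UI.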

Here is an external third-party link with a detailed example:

https://ultimatesecurity.pro/post/san-certificate/

The SubjectAltName field (screenshot not reproduced on this page):

Additional Information

How to disable the checking of subjectAlternativeName in Chrome version 65 or earlier:

By adding the following setting to your environment, Chrome can be forced to allow certificates that are missing the subjectAlternativeName extension:

Windows registry (REG_DWORD):

Software\Policies\Google\Chrome\EnableCommonNameFallbackForLocalAnchors

Mac/Linux preference name (Boolean):

EnableCommonNameFallbackForLocalAnchors

Android restriction name (Boolean):

EnableCommonNameFallbackForLocalAnchors

When this setting is enabled, Google Chrome will use the commonName of a server certificate to match a hostname if the certificate is missing a subjectAlternativeName extension, as long as it successfully validates and chains to a locally-installed CA certificate.

Reference: https://www.epson.eu/viewcon/corporatesite/kb/index/1179