Errors browsing ITPAM URL with signed certificate
Article ID: 233046

Products

CA Process Automation Base

Issue/Introduction

After a CA-signed certificate has been installed on an ITPAM server, browsing to the server shows the following errors:

  • From Chrome on the ITPAM server itself: Your connection is not private
    Attackers might be trying to steal your information from <servername>
    NET::ERR_CERT_COMMON_NAME_INVALID

    Clicking the Advanced button shows:
    This server could not prove that it is <servername>; its security certificate does not specify Subject Alternative Names. This may be caused by misconfiguration or an attacker intercepting your connection.

    Proceed to <servername> (unsafe)


  • From a VDI server, Chrome shows: Your connection is not private
    Attackers might be trying to steal your information from <servername>
    NET::ERR_CERT_AUTHORITY_INVALID

    Inspecting the certificate on the VDI server shows that the root CA (Certificate Authority) that issued it is not trusted by that machine.
Environment

Release : 4.3

Component : ITPAM Domain Orchestrator

Browsers: Internet Explorer v11, Chrome v97

Cause

These are two separate problems, and which one a given client shows depends on that client. The VDI server does not trust the issuing CA at all, whereas the ITPAM server itself trusts the CA but rejects the certificate because it has no Subject Alternative Name. Fixing the trust problem on the VDI server will not remove the SAN problem, because the SAN problem is a property of the certificate itself and the same certificate is served to every client.

Chrome NET::ERR_CERT_COMMON_NAME_INVALID:

Beginning with version 58, Chrome matches the requested hostname only against the Subject Alternative Name (SAN) extension of the certificate; a certificate that carries the name only in the Common Name (CN) no longer matches, regardless of what the CN says. The CN is a free-form name field that was never defined to hold hostnames, and matching against it was deprecated long ago (RFC 2818 already asked CAs to use the dNSName form instead), so Chrome removed CN matching rather than keep an ambiguous and insecure fallback. Please see the deprecation announcement here: Remove support for commonName matching in certificates

Chrome NET::ERR_CERT_AUTHORITY_INVALID:

One of the Certificate Authorities (CAs) in the chain is not trusted by the browser (more precisely, by the certificate store the browser uses on that machine). If you view the details of the certificate and go to the "Certification Path" tab, you will see the server certificate and its chain (intermediate and root CA). A red x next to one of the CAs marks the certificate that the machine does not trust; the problem is on the client, not in the server certificate.
Resolution

Chrome NET::ERR_CERT_COMMON_NAME_INVALID:

To solve this error, obtain and install a certificate whose Subject Alternative Name extension contains a DNS: <servername> entry. Every name that users actually type to reach the server (fully qualified name, short hostname, load-balancer alias) needs its own DNS entry in the SAN, because only the SAN is consulted; putting the name in the CN alone does not help. The SAN has to be requested when the certificate signing request is created, so the existing certificate must be replaced rather than edited.

Chrome NET::ERR_CERT_AUTHORITY_INVALID:

The certificate authority that is not trusted must be exported and then added to the appropriate store on the client (Intermediate Certification Authorities for an intermediate CA, Trusted Root Certification Authorities for the root). Only import a CA that you have verified out of band, for example your organisation's own PKI root obtained from the PKI team: a certificate placed in the Trusted Root store is trusted for every site that client visits, not just ITPAM. On Windows, Chrome's "Manage certificates" opens the Windows certificate stores of the current user, so the import below fixes that one user's profile; to fix every user on a machine (or on all VDI images) import the CA into the Local Machine store instead, or distribute it through Group Policy.

To Export:

  • View the certificate and access "Certification Path" tab. This will show you the certificate and its chain (intermediate and root CA).
  • Select the one with a red x and click "View Certificate"
  • Then click the "Details" tab of this root (or intermediate) CA certificate.
  • Click "Copy to File" button.
  • Follow the prompts to save it to a file on your local machine. 

To Import:

  • Open Chrome -> Settings.
  • Select "Privacy and security" from the left menu.
  • Then, in the middle of the screen, expand the "Security" option.
  • Scroll to the bottom of the page and click "Manage certificates".
  • Select the store that matches the certificate you exported (Intermediate Certification Authorities for an intermediate CA, Trusted Root Certification Authorities for the root).
  • Click Import.
  • Follow the prompts and provide the file exported above.

Once the root or intermediate certificate has been imported into its store, close all browser windows. Open a new instance of the browser and the NET::ERR_CERT_AUTHORITY_INVALID error should be gone. If the certificate also lacks a Subject Alternative Name, the client will now show NET::ERR_CERT_COMMON_NAME_INVALID instead, which is resolved as described above.

Additional Information

You can check whether the certificate in the ITPAM keystore carries a Subject Alternative Name by running the command: keytool -v -list -keystore automation.jks

where automation.jks is the name of your keystore file.

If the certificate in the keystore includes a SubjectAlternativeName extension, you should see an entry similar to:

#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: ....
]
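
The two checks this article describes, the SAN check from the Resolution and Additional Information sections and the chain-trust check from the Cause section, reproduced from the command line with openssl. This is an added example, not code from the article or from CA Process Automation: it builds throwaway certificates in both shapes the article describes (hostname only in the CN, and hostname in a dNSName SAN) issued by a private root, then checks them the way the browser does. The hostname pamserver.example.com, the CA names and the scratch directory are placeholders, and openssl is assumed to be on PATH.

```sh
#!/bin/sh
# Added example, not part of the KB article. Reproduces the two conditions the
# article describes and checks for them with openssl:
#   1. a server certificate whose hostname is only in the CN (no dNSName SAN),
#      which Chrome 58+ rejects with NET::ERR_CERT_COMMON_NAME_INVALID;
#   2. a server certificate whose issuing CA is absent from the client's trust
#      store, which Chrome reports as NET::ERR_CERT_AUTHORITY_INVALID.
# Assumptions: openssl is on PATH; the hostname, CA names and scratch directory
# are placeholders, not values taken from the article.
set -e

HOST="pamserver.example.com"            # assumed ITPAM server FQDN
WORK="${TMPDIR:-/tmp}/itpam-cert-demo"  # assumed scratch directory
mkdir -p "$WORK"

# Request/extension config. [san] is applied only when "-extensions san" is
# passed, which is how the CN-only and SAN variants differ; [ca] marks a root.
cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $HOST
[san]
subjectAltName = DNS:$HOST
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_root() {   # $1 = file stem, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
    -extensions ca -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_csr() {    # $1 = file stem; subject is CN=$HOST from req.cnf
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

sign_csr() {    # $1 = file stem; remaining args are extra "openssl x509" options
  stem="$1"; shift
  openssl x509 -req -in "$WORK/$stem.csr" -days 30 -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial "$@" -out "$WORK/$stem.pem" 2>/dev/null
}

# Print the SAN entries of PEM certificate $1 one per line (e.g. "DNS:host");
# prints nothing when the extension is absent.
list_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Return 0 when certificate $1 carries "DNS:$2" in its SAN. The CN is
# deliberately not consulted, which is what Chrome 58+ does.
san_matches_host() {
  list_san "$1" | grep -qxF -- "DNS:$2"
}

# Return 0 when certificate $1 chains to a root in CA bundle $2. A failure here
# is the command-line counterpart of the red x on Chrome's "Certification Path".
chain_trusted() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Stand-alone demo: one root that issued the server certs, one unrelated root
# standing in for a VDI client whose trust store lacks the real issuer.
make_root root "Demo Root CA"
make_root other-root "Other Root CA"
make_csr cn-only; sign_csr cn-only
make_csr san;     sign_csr san -extfile "$WORK/req.cnf" -extensions san

for c in cn-only san; do
  if san_matches_host "$WORK/$c.pem" "$HOST"; then
    echo "$c.pem: SAN has DNS:$HOST -> hostname check passes"
  else
    echo "$c.pem: no matching SAN -> NET::ERR_CERT_COMMON_NAME_INVALID"
  fi
done
if chain_trusted "$WORK/san.pem" "$WORK/root.pem"; then
  echo "san.pem verifies once Demo Root CA is in the trust store"
fi
if ! chain_trusted "$WORK/san.pem" "$WORK/other-root.pem"; then
  echo "san.pem against the wrong root -> NET::ERR_CERT_AUTHORITY_INVALID"
fi
```

The cn-only certificate fails the hostname check even though its CN is exactly the requested name, and the san certificate passes the hostname check but still fails verification against a trust store that lacks Demo Root CA; these are the two independent failures the article separates. For an ITPAM keystore the equivalent of the SAN check is the keytool -v -list command from the Additional Information section, and when generating the key pair or certificate request with keytool the SAN is requested with its -ext SAN=dns:<servername> option so that the CA can include it in the issued certificate.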