After implementing a signed certificate on an ITPAM server, browsing to the server shows the following errors:
Release : 4.3
Component : ITPAM Domain Orchestrator
Browsers: Internet Explorer v11, Chrome v97
These are two separate problems.
Chrome NET::ERR_CERT_COMMON_NAME_INVALID:
Beginning in version 58, Chrome shows this error when the certificate does not have a Subject Alternative Name (SAN) entry for the appropriate <servername>. Relying on the CommonName (CN) alone is considered insecure. Please see the deprecation announcement: Remove support for commonName matching in certificates
Chrome NET::ERR_CERT_AUTHORITY_INVALID:
One of the Certificate Authorities (CAs) is not trusted by the browser. If you view the details of the certificate and go to the "Certification Path" tab, you will see the certificate and its chain (intermediate and root CA). A red X next to one of the CAs marks the one the browser does not trust.
Chrome NET::ERR_CERT_COMMON_NAME_INVALID:
To solve this error, provide a certificate with a Subject Alternative Name with the appropriate DNS: <servername> record defined.
Chrome NET::ERR_CERT_AUTHORITY_INVALID:
The certificate authority that is not trusted must be exported and then added to the appropriate store (Intermediate Certification Authorities or Trusted Root Certification Authorities).
To Export:
To Import:
Once the root/intermediate certificate has been imported into its appropriate store, close the browser. Open a new instance of the browser and the problem should be solved.
You can view the details of your certificate to see if it has a Subject Alternative Name defined by running the command:
keytool -v -list -keystore automation.jks
where automation.jks is the name of your keystore file.
If your keystore includes a SubjectAlternativeName, you should see an entry similar to:
#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: ....
]
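The check described above can be automated by parsing the `keytool -v -list` text. The following is an added example, not part of the original article or the product. The sample output, host names and aliases are constructed, and the wildcard rule (a left-most `*` stands for exactly one label) goes beyond what the article states.

```python
# Constructed sample in the layout of `keytool -v -list` output (not a real keystore).
SAMPLE = """\
Alias name: itpam
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=pam01.example.test
#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: pam01.example.test
  DNSName: *.lab.example.test
]
Certificate[2]:
Owner: CN=Example Issuing CA
Alias name: legacy
Certificate[1]:
Owner: CN=pam02.example.test
"""

def leaf_sans(keytool_output):
    """Map each alias to the SAN DNSName values of its leaf (first) certificate."""
    sans, alias, in_san, leaf = {}, None, False, True
    for raw in keytool_output.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
            sans[alias], in_san, leaf = [], False, True
        elif line.startswith("Certificate["):
            # Only Certificate[1] is the server certificate; the rest are CA certs.
            leaf, in_san = line.startswith("Certificate[1]"), False
        elif line.startswith("SubjectAlternativeName ["):
            in_san = True
        elif line == "]":
            in_san = False
        elif in_san and leaf and alias and line.startswith("DNSName:"):
            sans[alias].append(line.split(":", 1)[1].strip().lower())
    return sans

def name_matches(pattern, host):
    """Exact match, or a '*' left-most label standing for exactly one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def covers(keytool_output, alias, host):
    """True if the alias's leaf certificate has a SAN DNSName matching host."""
    return any(name_matches(s, host) for s in leaf_sans(keytool_output).get(alias, []))

if __name__ == "__main__":
    for a, h in [("itpam", "pam01.example.test"), ("legacy", "pam02.example.test")]:
        print(a, h, "OK" if covers(SAMPLE, a, h) else "no matching SAN")
```

An alias that reports no matching SAN is the case that produces NET::ERR_CERT_COMMON_NAME_INVALID in Chrome, even when the CN is correct.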