NET::ERR_CERT_COMMON_NAME_INVALID when using HTTPS inspection

book

Article ID: 165155

calendar_today

Updated On:

Products

Web Security.cloud

Issue/Introduction

User is unable to access HTTPS sites when using the Symantec Web Security.cloud Service in combination with browser, Google Chrome version 58 and above.

Your connection is not private

Attackers might be trying to steal your information from www.domain.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID

Cause

Google Chrome has deprecated the use of the Common Name field of an SSL certificate.

Environment

  • Web Security.cloud Service
  • Chrome version 58 and above.

Resolution

This is currently being reviewed by our development team as a potential change in a future version of our Web Security.cloud service offering, but there is no release date currently available.

As a workaround, a Windows registry key can be created to allow Google Chrome to use the commonName of a server certificate to match a hostname if the certificate is missing a subjectAlternativeName extension, as long as it successfully validates and chains to a locally-installed CA certificates.

  • Data type: Boolean [Windows:REG_DWORD]
  • Windows registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
  • Windows/Mac/Linux/Android preference name: EnableCommonNameFallbackForLocalAnchors
  • Value: 0x00000001 (Windows), true(Linux), true (Android), <true /> (Mac)

To create a Windows registry key, simply follow these steps:

  1. Open Notepad
  2. Copy and paste the entire content as shown below into notepad
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"EnableCommonNameFallbackForLocalAnchors"=dword:00000001
  1. Go to File > Save as

  2. Make sure to select Save as type: All Files

  3. Name the file under filename: enable_cn.reg

  4. Select a preferred location for the file

  5. Click on Save

  6. Double click on the saved file to run

  7. Click on Yes on the Registry Editor warning

It is recommended to back up your registry in Windows before making any changes. See the following Microsoft KB article on how to back up and restore the registry in Windows.

Note: This registry key change can be deployed to all users via group policy management console in Windows server operating systems.