SSL Certificate without SubjectAltName won’t be trusted since Chrome 58

It's a bit too long for a tweet, so here is a short entry instead 🙂

TL;DR

Chrome now requires an SSL certificate to have a Subject Alternative Name (SubjectAltName, SAN); otherwise it won't be trusted. The SubjectAltName is mostly missing in self-signed certificates.


Issue:

Since Chrome 58, there is a change that might impact websites using SSL. Subject Alternative Name is now a required field for Chrome to trust a certificate.

As a result, all existing SSL certificates without a SubjectAltName won't be trusted.

Actually, SubjectAltName has been required for several years, but Chrome had fallback code: if the SubjectAltName value was missing, it used the value from the Common Name instead.

Chrome 58 removes that fallback code, which makes SubjectAltName truly required now. To enable the fallback again, see the workaround below. This might impact development sites (e.g. localhost) or intranet sites with self-signed certificates.

Workaround:

Re-enable the fallback functionality through a registry key (for Windows); see https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors

Permanent Solution:

Regenerate SSL certificate with SubjectAltName.
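
One way to do this for a development host, as an added example that is not part of the original post. It assumes the `openssl` command-line tool is installed; the function names `make_san_cert`, `san_of` and `has_san` are made up for this sketch.

```shell
#!/usr/bin/env bash
# Added example: self-signed certificate that carries a SubjectAltName.

# make_san_cert DIR HOST: writes HOST.cnf, HOST.key and HOST.crt into DIR.
make_san_cert() {
    local dir=$1 host=$2
    # The SAN is taken from [alt_names]; a CN-only certificate is what
    # Chrome 58 stopped accepting.
    cat > "$dir/$host.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_ext
prompt             = no

[dn]
CN = $host

[v3_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = $host
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/$host.cnf" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
}

# san_of CERT: prints the SAN entries, or nothing when the extension is absent.
san_of() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# has_san CERT: exit status 0 only when the certificate has a SAN extension.
has_san() {
    [ -n "$(san_of "$1")" ]
}

# Demo: generate a certificate for localhost in a temp dir and check it.
demo_dir=$(mktemp -d)
make_san_cert "$demo_dir" localhost
if has_san "$demo_dir/localhost.crt"; then
    echo "SAN: $(san_of "$demo_dir/localhost.crt")"
else
    echo "no SubjectAltName; Chrome 58+ will not trust this certificate" >&2
fi
```

`has_san` can also be run against existing certificates to find the ones that need regenerating.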

Error shown when certificate doesn’t have Subject Alternative Name

Reference:

https://www.chromestatus.com/features/4981025180483584 

https://bugs.chromium.org/p/chromium/issues/detail?id=700595&desc=2

https://www.reddit.com/r/sysadmin/comments/677hep/chrome_58_not_supporting_self_signed_certificates
