Google Chrome Not Trusting Certificate From Firewall

Created On 04/17/19 13:12 PM - Last Modified 04/18/19 16:42 PM


Symptom


  • Google Chrome is not trusting the certificate presented by the firewall.
  • Internet Explorer, Safari and Opera browsers all trust the certificate.
  • The certificate is generated on the firewall.
  • The certificate's Common Name (CN) does match the IP address or Host Name accessed.
Error: NET::ERR_CERT_COMMON_NAME_INVALID

Snapshot 1: Google Chrome

Snapshot 2: Internet Explorer


Environment


PAN-OS

Cause


During Transport Layer Security (TLS) connections, Google Chrome checks to make sure the connection to the site is using a valid, trusted server certificate.

For Google Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name against the website certificate. The certificate subjectAlternativeName can be a domain name or IP address.

If the certificate doesn’t have the correct subjectAlternativeName extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error, letting them know that the connection isn’t private.
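The matching rule described above can be reproduced offline to check a certificate before deploying it. The following is an added example, not code from the original article or from PAN-OS: it evaluates a certificate in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`, never consults commonName, and goes slightly beyond the article by also handling a wildcard in the leftmost DNS label. The sample certificates, the `example.com` names and the `192.0.2.1` address are constructed.

```python
import ipaddress

# Constructed sample certificates in ssl.SSLSocket.getpeercert() dict layout.
CN_ONLY = {"subject": ((("commonName", "192.0.2.1"),),)}
IP_SAN = {"subject": ((("commonName", "192.0.2.1"),),),
          "subjectAltName": (("IP Address", "192.0.2.1"),)}
DNS_SAN = {"subject": ((("commonName", "fw.example.com"),),),
           "subjectAltName": (("DNS", "fw.example.com"),)}
EMAIL_SAN = {"subject": ((("commonName", "fw.example.com"),),),
             "subjectAltName": (("email", "admin@example.com"),)}
WILDCARD = {"subject": (), "subjectAltName": (("DNS", "*.example.com"),)}


def _dns_match(pattern, host):
    """Exact match, or '*' as the whole leftmost label covering one label."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]
    return False


def san_match(cert, target):
    """Return (matched, reason) using subjectAltName entries only."""
    try:
        want_ip = ipaddress.ip_address(target)
    except ValueError:
        want_ip = None  # target is a host name, not an IP literal
    host = target.lower().rstrip(".")

    for kind, value in cert.get("subjectAltName", ()):
        if want_ip is not None:
            # IP targets match only iPAddress entries, never dNSName entries.
            if kind == "IP Address" and ipaddress.ip_address(value) == want_ip:
                return True, "iPAddress SAN matches"
        elif kind == "DNS" and _dns_match(value.lower(), host):
            return True, "dNSName SAN matches"

    # Diagnostic only: commonName is reported but never used for matching.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    if target in cns:
        return False, "CN matches but no usable SAN: NET::ERR_CERT_COMMON_NAME_INVALID"
    return False, "no SAN entry matches"
```

The `EMAIL_SAN` case shows that an e-mail entry is a subjectAlternativeName but cannot match a host name or IP address, so a certificate carrying only that entry still fails the check.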


Resolution


While generating a certificate on the firewall, configure the Host Name, IP, or Alt Email fields, as all of them act as subjectAlternativeName entries. It is recommended to match the Host Name or IP to the Common Name of the certificate.


Additional Information


For additional information, please reference the following article:
https://support.google.com/chrome/a/answer/7391219?hl=en#

