cr314 Frequent Contributor.

Self-signed certificate for PAM and Chrome

Hello everyone,

I installed a self-signed certificate in PAM. When I use Chrome version 72, I see the following message when I try to access Framework Manager:

NET::ERR_CERT_COMMON_NAME_INVALID

In this link, https://productforums.google.com/forum/#!topic/chrome/ndYP3Ca36Og, they mention that "Chrome 58 no longer matches the Common Name (CN) in certs". This applies to the most recent versions.

Could you please tell me how I can generate a CSR to generate a self-signed certificate to use with Chrome?

I tested with Microsoft Edge and Firefox, and it works with those browsers.

Thanks in advance.

Regards.

Accepted Solutions
Micro Focus Expert

Re: Self-signed certificate for PAM and Chrome


The following TID should help resolve this problem:
https://support.microfocus.com/kb/doc.php?id=7023977

It relates to creating an appropriate CSR as defined in RFC 5280 using the preferred subjectAltName extension. "Common Name" was deprecated and support for it was dropped by popular browsers like Google and Firefox, so it is recommended to use the preferred extension instead.

Knowledge Partner

Re: Self-signed certificate for PAM and Chrome


Java as of 1.8 build 181 level started requiring that the certificate name (and Subject Alternate name) match the DNS name used in the request.

Which is super annoying when you use an alias on your service and the self-signed cert uses the real server name by default.

Short answer, go remake your cert with the proper name as the subject alternate name with the main name, the IP address, and any other possible names users might come in from.

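
Added example, not part of the thread or of the referenced TID: one way to produce a CSR and a self-signed certificate whose subjectAltName lists the main name, an alias and the IP address, as the accepted solution and the last reply recommend, using the OpenSSL command line. The function names, file names and the example.com / 192.0.2.10 values are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example: build a CSR and a self-signed certificate that carry the
# served names in subjectAltName. All names and addresses passed in are
# constructed sample values, not taken from the TID.

# make_san_cert OUTDIR CN SAN...
#   SAN entries use OpenSSL syntax: DNS:name or IP:address
make_san_cert() {
    local out="$1" cn="$2"; shift 2
    local san; san="$(IFS=,; echo "$*")"   # join entries with commas
    mkdir -p "$out" || return 1

    # Request config: CN is kept for display, SAN is what clients match.
    cat > "$out/req.cnf" <<EOF
[req]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[dn]
CN = $cn
[v3_req]
subjectAltName   = $san
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

    # New 2048-bit key and a CSR that includes the SAN extension.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$out/server.key" -out "$out/server.csr" \
        -config "$out/req.cnf" 2>/dev/null || return 1
    chmod 600 "$out/server.key"

    # Self-sign. x509 -req does not copy CSR extensions by default, so the
    # same section is applied again with -extfile/-extensions.
    openssl x509 -req -in "$out/server.csr" -signkey "$out/server.key" \
        -days 365 -sha256 -extfile "$out/req.cnf" -extensions v3_req \
        -out "$out/server.crt" 2>/dev/null
}

# cert_matches_host CERT NAME: succeeds only if NAME is covered by the cert.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Usage (constructed values):
#   make_san_cert ./out pam.example.com DNS:pam.example.com DNS:pam-alias.example.com IP:192.0.2.10
```

Running `cert_matches_host` against each name users connect with, before importing the certificate, catches a missing alias that would otherwise surface as NET::ERR_CERT_COMMON_NAME_INVALID.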