5

I am using a signed SSL certificate generated by our internal CA. I have added subject alternative names so that myserver.example.net and myserver are both valid for the site. This works correctly in both Firefox and IE, but in Chrome users are still getting a warning message when they use the short name myserver.

My question is: is there any way for users to use myserver without getting the SSL warning in Chrome?

H.-Dirk Schmitt
selspiero
  • Are you getting a name mismatch warning or something else? – cjc Nov 16 '12 at 15:38
  • 2
    Is this for a true website or something like OWA for Exchange? Also, with Chrome it should give you a details error as to the rejection or warning. Can you please post that or a screen capture of the error? – rws907 Nov 16 '12 at 15:42
  • It is odd that IE is fine, but Chrome isn't. Chrome uses the same cert database. – Zoredache Nov 16 '12 at 16:37
  • I get the 'identity of this website cannot be validated' message when accessing the short name. So basically it is telling me that this is an internal website and cannot be validated by a certificate authority. When using the FQDN, all is well, and I get a normal green padlock. – selspiero Nov 21 '12 at 11:19
  • Yes. Tell Java to use the Windows certificate store. – Bill_Stewart Dec 06 '20 at 16:56

1 Answer

3

If you are using an internal (or non-custom) CA, you also have the responsibility to distribute your CA certificate to the applications in your organisation.
Some applications pick the certificate from a system-wide configuration (e.g. /etc/ssl/certs on Ubuntu). Others, like Firefox and Chromium, use their own (per-application) configuration.

If it works for IE and Firefox, this task seems to be already done for some applications.

For Chromium (on Linux) you can do this with the following (bash) code fragment:

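# PEM file holding the internal CA certificate, and the nickname it gets in the NSS database
certificateFile="/etc/MY_CA.cert.pem"
certificateName="Snakeoil Ltd."
# Chromium on Linux keeps its per-user NSS database under ~/.pki/nssdb
if test -d ~/.pki
then
  echo "install '${certificateName}' for chromium in ~/.pki"
  # -A adds the certificate; -t sets the trust flags for SSL, S/MIME and code signing
  certutil -A \
     -n "${certificateName}" \
     -t "TCu,Cuw,Tuw" \
     -i "${certificateFile}" \
     -d "sql:${HOME}/.pki/nssdb"
else
  echo "no user configuration for chromium found"
fi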

Some other useful hints for this task are covered here: http://www.computer42.org/xwiki-static/exported/DevNotes/xwiki.DevNotes.OpenSSL.html

H.-Dirk Schmitt
  • Thanks for this, but this is an IIS website and Chrome is running on Windows. – selspiero Nov 21 '12 at 11:20
  • It doesn't depend on the webserver. Because Chrome normally uses the Windows certificate store, there should be no problem if it works with IE (see e.g. http://tig.csail.mit.edu/wiki/TIG/CertificatesChrome). Check if your problem is correlated to https://code.google.com/p/chromium/issues/detail?id=37142 . – H.-Dirk Schmitt Nov 22 '12 at 09:25
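
Before looking at trust stores, it helps to confirm which names the served certificate really covers. The following is an added example, not part of the original thread: it reads the text printed by `openssl x509 -noout -text` and checks a hostname against the DNS subject alternative names, including the rule that a wildcard stands for exactly one label. The function names and the sample certificate text are constructed for illustration.

```shell
#!/bin/sh
# Added example. SAMPLE_CERT_TEXT is constructed, not taken from a real certificate;
# it imitates the relevant part of `openssl x509 -noout -text` output.
SAMPLE_CERT_TEXT='        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:myserver.example.net, DNS:myserver, DNS:*.apps.example.net, IP Address:192.0.2.10
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'

# san_dns_names TEXT: print each DNS SAN entry on its own line, lowercased.
san_dns_names() {
  printf '%s\n' "$1" |
    awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
    tr ',' '\n' |
    sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' | tr 'A-Z' 'a-z'
}

# cert_covers_host TEXT HOST: exit status 0 if HOST matches a DNS SAN entry.
cert_covers_host() {
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  while IFS= read -r name; do
    case "$name" in
      '') continue ;;                    # certificate has no DNS SAN entries
      \*.*)
        suffix=${name#\*}                # "*.apps.example.net" -> ".apps.example.net"
        case "$host" in
          *"$suffix")
            label=${host%"$suffix"}      # what the wildcard has to stand for
            # A wildcard covers one non-empty label, never several and never none.
            case "$label" in ''|*.*) ;; *) return 0 ;; esac ;;
        esac ;;
      *) if [ "$name" = "$host" ]; then return 0; fi ;;
    esac
  done <<EOF
$(san_dns_names "$1")
EOF
  return 1
}

# Demo over the constructed sample: short name, FQDN, wildcard hit, wildcard miss.
for h in myserver myserver.example.net web.apps.example.net a.b.apps.example.net; do
  if cert_covers_host "$SAMPLE_CERT_TEXT" "$h"; then echo "$h: covered"
  else echo "$h: NOT covered"; fi
done
```

If the short name is reported as covered and the browser still warns, the cause lies in how the client trusts or evaluates the certificate rather than in the SAN list.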