
I have created an internal ADCS CA using this guide, and then submitted a certificate request to create a wildcard certificate for my domain eds89.com. The intention behind this is to apply it to some of my internally accessible test servers for access from domain-joined machines, suppressing cert errors.

All seems to be well, and the certificate chain seems to be trusted on an internal domain-joined machine. However, when I browse to a site using rd.eds89.com, Chrome gives me a COMMON_NAME_INVALID error.

If I look at the certificate details, I can see that it is issued to *.eds89.com, so I am confused as to why it thinks it is invalid. Here is the cert subject:

CN = *.eds89.com
OU = Home
O = Eds
L = Ipswich
S = Suffolk
C = GB

For reference, here is the guide I followed to create the cert.

Can anyone advise if I need to redo the request with different settings to account for any changes to the way Chrome handles certs or if I am just completely off the mark?

James Edmonds
  • Common name does not matter since it is long deprecated and Chrome has ignored it for a while. What you need is an appropriate Subject Alternative Name (SAN) in your certificate. It is unclear if this matches the domain since you don't show it. – Steffen Ullrich Apr 30 '18 at 05:34
  • To be honest, you were quite unlucky and found the worst articles I could imagine. They are badly outdated and wrong in many aspects. I would suggest trying my article: https://www.sysadmins.lv/blog-en/web-server-certificate-enrollment-with-san-extension.aspx – Crypt32 Apr 30 '18 at 06:54
  • Ok, so I just need to submit a new cert request with my wildcard also added as a SAN? Will give that a go. – James Edmonds Apr 30 '18 at 10:45
  • Is there a better, more recent guide on deploying an AD CA? I think it works with a SAN now, but gives me a weak algorithm error. – James Edmonds Apr 30 '18 at 14:34
  • I'm an idiot, I missed the note on the page that said: "Note: Do not select SHA1 as it is being deprecated by all browsers and Microsoft Server Authentication; use SHA256 instead." – James Edmonds Apr 30 '18 at 15:15

1 Answer

I also needed to populate a SAN with a wildcard entry, and to move from SHA1 to SHA256.

James Edmonds
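The two fixes from the answer (a subjectAltName carrying the wildcard, and SHA-256 instead of SHA-1) put into one certreq request file, followed by a check of what the issued certificate actually contains. This is an added example, not code from the original thread or from the linked guides. The CA config string "CA01.eds89.com\Eds Internal CA", the template name WebServer and the file names are assumptions for this example; substitute your own. Chrome has ignored the CN for hostname matching since version 58, so a certificate with only CN=*.eds89.com and no SAN fails exactly as the question describes.

```powershell
# Added example (not from the original post). Assumed values: the CA config
# string, the template name "WebServer" and the local file names are placeholders.

$inf = @"
[NewRequest]
Subject = "CN=*.eds89.com, OU=Home, O=Eds, L=Ipswich, S=Suffolk, C=GB"
KeyLength = 2048
KeySpec = 1
; 0xA0 = digitalSignature (0x80) + keyEncipherment (0x20)
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
; SHA1 here is what produces the "weak algorithm" error in current browsers
HashAlgorithm = SHA256

[Extensions]
; 2.5.29.17 is the subjectAltName OID. A wildcard matches exactly one label,
; so rd.eds89.com is covered but the apex eds89.com needs its own entry.
2.5.29.17 = "{text}"
_continue_ = "dns=*.eds89.com&"
_continue_ = "dns=eds89.com"

[RequestAttributes]
CertificateTemplate = WebServer
"@

Set-Content -Path .\wildcard.inf -Value $inf -Encoding ASCII

# Generate the key pair and CSR in the machine store, submit it to the
# enterprise CA (assumed config string), and install the issued certificate.
certreq -new .\wildcard.inf .\wildcard.req
certreq -submit -config "CA01.eds89.com\Eds Internal CA" .\wildcard.req .\wildcard.cer
certreq -accept .\wildcard.cer

# Verify what the browser will see: SAN entries and the signature hash.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*.eds89.com*' } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1

$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) {
    throw 'No subjectAltName extension: Chrome will report NET::ERR_CERT_COMMON_NAME_INVALID'
}
$san.Format($true)                      # expect DNS Name=*.eds89.com and DNS Name=eds89.com
$cert.SignatureAlgorithm.FriendlyName  # expect sha256RSA, not sha1RSA
```

Run this in an elevated prompt on the web server (or on any domain-joined machine if you later export the key). The SAN check at the end is the one worth keeping around: it is the subjectAltName list, not the Subject, that decides whether rd.eds89.com validates, and a wildcard only covers one label, so names like a.b.eds89.com would still need their own certificate. If the CA itself was built with a SHA-1 signing certificate, the leaf will be SHA-256 but the chain will still trip the weak-algorithm warning; the CA's own certificate has to be reissued with SHA-256 in that case.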