
I have a cert that includes an X509v3 Subject Alternative Name setting, but Chrome 67.0.3396.99 is saying the Subject Alternative Name is missing even though it looks like it's included in the cert.

Here's the X509v3 portion of the cert as per openssl s_client -showcerts -connect www.mysite.org:443 </dev/null 2> /dev/null | openssl x509 -noout -text

    X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name: 
                DNS:www.mysite.org
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
               <redacted>

The Subject of the cert is Subject: CN = www.mysite.org.

Am I missing some additional X509v3 setting that Chrome's expecting so it'll accept the SAN?

pwan

2 Answers


Chrome 67 is pretty old, but your cert has TWO BasicConstraint extensions which violates RFC5280 4.2, and if I replicate that error (by hand!) my up-to-date 71.0.3578.98 exhibits the same symptoms: NET::ERR_CERT_COMMON_NAME_INVALID and 'advanced' claims 'certificate does not specify Subject Alternative Names' -- even though if I 'proceed to $site (unsafe)' and then click the padlock and look at the cert it is confirmed to have SAN present and correct.

So whatever method was used to create this cert is broken somehow, but Chrome's handling is way suboptimal.


ADDED: per comments, here is my latest test data, where one-BC works and two-BC (both forms: critical and not) fails, with both Chrome and Firefox esr:

##### CA key&cert (in PKCS12 for my software):

##### server private key

##### certificate 1, single BC
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11 (0xb)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=US, O=test CA for sf950295
        Validity
            Not Before: Jan 31 13:21:49 2019 GMT
            Not After : Feb  1 13:21:49 2020 GMT
        Subject: CN=test.qo
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                DNS:test.qo
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                00:11:22:33:44:55:66:77:00:11:22:33:44:55:66:77
    Signature Algorithm: sha256WithRSAEncryption

##### certificate 2, double BC (not critical) 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=US, O=test CA for sf950295
        Validity
            Not Before: Jan 31 13:21:50 2019 GMT
            Not After : Feb  1 13:21:50 2020 GMT
        Subject: CN=test.qo
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                DNS:test.qo
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                00:11:22:33:44:55:66:77:00:11:22:33:44:55:66:77
    Signature Algorithm: sha256WithRSAEncryption

##### certificate 3, double BC (critical)
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13 (0xd)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=US, O=test CA for sf950295
        Validity
            Not Before: Jan 31 13:21:51 2019 GMT
            Not After : Feb  1 13:21:51 2020 GMT
        Subject: CN=test.qo
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                DNS:test.qo
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                00:11:22:33:44:55:66:77:00:11:22:33:44:55:66:77
    Signature Algorithm: sha256WithRSAEncryption
dave_thompson_085
    +1 for pointing out the duplicate BasicConstraint extensions. – pwan Jan 23 '19 at 19:20
  • (I waited too long to update the comment) However Chrome is still not able to find the SAN. I tried adding an IP address in addition to the DNS SAN. I also updated to the latest Chrome. Also, the latest Firefox version is OK with the cert. – pwan Jan 23 '19 at 19:36
  • pwan: it works for me, after removing the extra BC (only). Are you restarting Chrome? I had some flaky results when I used an already-running Chrome with a changed cert, but they went away when I restarted so I didn't try to pin down further. I don't keep my Firefox up to date but 53esr for two-BC gives SEC_ERROR_EXTENSION_INVALID (which is at least related to the problem) and one-BC works. – dave_thompson_085 Jan 24 '19 at 10:42
  • Yeah, I've stopped chrome and made sure there were no lingering chrome processes. I also cleared the cache and the DNS cache from chrome://net-internals/#dns – pwan Jan 24 '19 at 15:53
  • (I am too slow editing my comments) I suspect it may be happening because Chrome expects some additional extension I'm not including, like Authority Key Identifier. Are you using any additional extensions in your cert? Also my cert is using one of the [user-assigned code elements](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#User-assigned_code_elements) as its TLD instead of '.org' - maybe Chrome is rejecting certs with these TLDs? – pwan Jan 24 '19 at 16:02
  • Sorry for delay, something came up. I used exactly the set of extensions you show, except for the second BC. Using AKI is a good idea in general, but neither Chrome nor Firefox requires it. I retested with one of your 3166 user-assigned -- using a hostfile entry for the address of course, since they aren't actually in DNS and if they were I wouldn't have a valid registration -- with same results. See addition to post for details. – dave_thompson_085 Jan 31 '19 at 18:44

There were a few problems with my cert.

  • It had a duplicate basic constraint as mentioned above, but fixing that didn't resolve the issue. I did find that Chromium rejects duplicate extensions here.
  • I had some bugs when I was creating the subject key and authority key identifiers. This answer helped me fix that.
  • The main problem was that I was setting the critical setting on extensions to false. I should have been omitting the critical setting so it would default to false. This is checked in Chromium source here. DER encoding requires that the shortest encoding be used, and allowing the optional critical setting to default to false leads to a shorter encoding than setting it explicitly.

Here are some other random comments:

  • NET::ERR_CERT_COMMON_NAME_INVALID is the default error for cert issues in Chromium, and most of the cert parsing errors return false without any sort of logging, so it looks like there are many cert parsing errors that will be presented to the user as an invalid common name error.
  • https://lapo.it/asn1js/ was useful for decoding the certs. Viewing the certs in Chrome or using openssl did not distinguish between the extensions defaulting to non-critical or having it set explicitly.
  • If you are running into similar cert issues, maybe look into an x509 linter like https://github.com/globalsign/certlint or https://github.com/zmap/zlint.
pwan
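A small DER lint, added here as an example (not code from either answer, nor from Chromium or OpenSSL), that checks the two defects both answers describe: a repeated extension OID, as in the double Basic Constraints test certs above, and a critical BOOLEAN that is explicitly encoded as FALSE instead of being omitted. The mini-parser and the Extensions blobs are hypothetical and constructed inline; the SAN value mirrors the test certs' DNS:test.qo.

```python
# Hypothetical DER lint for an X.509 Extensions SEQUENCE (RFC 5280 4.1.2.9):
# flags a repeated extnID and a `critical` BOOLEAN that is present although FALSE
# (DER requires DEFAULT values to be omitted). Example code; blobs below are constructed.
def _tlv(data, pos):
    """Parse one definite-length DER TLV; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _oid(value):
    """Decode OBJECT IDENTIFIER contents to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def lint_extensions(ext_seq):
    """Return a list of DER/RFC 5280 problems found in an Extensions SEQUENCE."""
    problems, seen = [], set()
    tag, body, _ = _tlv(ext_seq, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    pos = 0
    while pos < len(body):
        _, ext, pos = _tlv(body, pos)      # one Extension ::= SEQUENCE
        _, oid_val, p = _tlv(ext, 0)       # extnID
        oid = _oid(oid_val)
        if oid in seen:
            problems.append(f"duplicate extension {oid}")
        seen.add(oid)
        nxt, val, _ = _tlv(ext, p)         # either critical BOOLEAN or extnValue
        if nxt == 0x01 and val == b"\x00":
            problems.append(f"{oid}: critical explicitly FALSE (not DER)")
    return problems

def _ext(oid, value, critical=None):
    """Build one Extension; critical=None omits the BOOLEAN, the correct DER for FALSE."""
    body = oid + (b"" if critical is None else b"\x01\x01" + (b"\xff" if critical else b"\x00"))
    body += b"\x04" + bytes([len(value)]) + value
    return b"\x30" + bytes([len(body)]) + body

def _seq(*exts):
    """Wrap Extensions in the outer SEQUENCE (constructed blobs stay under 128 bytes)."""
    return b"\x30" + bytes([sum(map(len, exts))]) + b"".join(exts)

BC_OID, SAN_OID = b"\x06\x03\x55\x1d\x13", b"\x06\x03\x55\x1d\x11"   # 2.5.29.19, 2.5.29.17
BC_VAL, SAN_VAL = b"\x30\x00", b"\x30\x09\x82\x07test.qo"           # CA:FALSE, DNS:test.qo
GOOD = _seq(_ext(BC_OID, BC_VAL), _ext(SAN_OID, SAN_VAL))                                  # like cert 1
DOUBLE_BC = _seq(_ext(BC_OID, BC_VAL), _ext(SAN_OID, SAN_VAL), _ext(BC_OID, BC_VAL, True))  # like cert 3
EXPLICIT_FALSE = _seq(_ext(BC_OID, BC_VAL, False), _ext(SAN_OID, SAN_VAL))                 # the second answer's bug
```

Feed it the DER Extensions SEQUENCE of a real certificate (for example the bytes asn1js shows for that node) to see which of the two defects a cert has, since neither openssl x509 -text nor Chrome's viewer shows the explicit-FALSE encoding.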