Technical Tip: Certificate errors in Google Chrome for FortiManager and FortiAnalyzer SSL certificates
Description
This article describes the certificate errors in Google Chrome for the SSL certificates of FortiManager and FortiAnalyzer.
A certificate signing request is generated in FortiManager/FortiAnalyzer.
Scope
FortiManager.
The certificate is signed by a well-known trusted Certification Authority (CA) and correctly imported back to FortiManager/FortiAnalyzer. The new certificate is selected in FortiManager/FortiAnalyzer under System Settings -> Admin Settings -> HTTPS & Web Service Certificate.
Although this certificate is accepted without errors by other browsers, Google Chrome is still returning a privacy warning:
Solution
For Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate.
The certificate subject alternative name can be a domain name or an IP address. If the certificate does not have the correct subjectAlternativeName extension, users receive a NET::ERR_CERT_COMMON_NAME_INVALID error, indicating that the connection is not secure.
When generating a Certificate Signing Request (CSR) in FortiManager/FortiAnalyzer, make sure to fill in the Subject Alternative Name (SAN) field using the correct syntax.
The string should normally start with 'DNS:' (e.g., DNS:fmg.example.com); otherwise the SAN attribute will not be included in the request.
If multiple entries are required in the SAN field, they should be separated by a comma and a space (e.g., DNS:fmg.example.com, IP:10.11.12.13).
For example:

Once the CSR is generated, the user may use the tools provided by the trusted CA or various online apps provided by other CAs to verify if all attributes are in order before sending the request for signing.
For example, by using the Check CSR tool on the DigiCert web page at: DigiCert View CSR.
Or, use this CertLogik tool to see more details: CSR and Certificate Decoder.
Various local certificate management tools can also be used to verify the CSR content, such as OpenSSL or XCA (https://www.hohnstaedt.de/xca/).
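The following shell script is an added example (not Fortinet's code and not part of the original article) showing the two steps above with OpenSSL: it builds a CSR whose subjectAltName uses the same "DNS:host, IP:addr" syntax as the FortiManager/FortiAnalyzer SAN field, then decodes the CSR to confirm the SAN extension is actually present before the request is sent to the CA. A second CSR with no SAN is generated to show what the check reports for the failing case. The hostname fmg.example.com and address 10.11.12.13 come from the article; the working directory, file names and the `make_csr`/`csr_san`/`check_csr` helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: generate a CSR with a SAN extension and verify it offline with OpenSSL.
# Assumed: OpenSSL is installed; files are written under $WORK (default /tmp/san-demo, constructed).

WORK=${WORK:-/tmp/san-demo}

# make_csr NAME "SAN_LIST": writes NAME.key and NAME.csr under $WORK.
# SAN_LIST uses the FortiManager syntax, e.g. "DNS:fmg.example.com, IP:10.11.12.13".
# An empty SAN_LIST produces a CSR with no SAN extension (the failing case).
make_csr() {
    name=$1
    san=$2
    mkdir -p "$WORK"
    {
        echo "[ req ]"
        echo "distinguished_name = dn"
        echo "prompt = no"
        # Only request the v3 extension section when a SAN list was supplied.
        [ -n "$san" ] && echo "req_extensions = v3_req"
        echo ""
        echo "[ dn ]"
        echo "CN = $name"
        echo ""
        echo "[ v3_req ]"
        [ -n "$san" ] && echo "subjectAltName = $san"
        echo "basicConstraints = CA:FALSE"
    } > "$WORK/$name.cnf"
    # Key generation progress and any config errors go to NAME.log for inspection.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
        -config "$WORK/$name.cnf" 2> "$WORK/$name.log"
}

# csr_san FILE: prints the decoded SAN entries of a CSR, or nothing if the extension is absent.
csr_san() {
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
}

# check_csr FILE: returns 0 when the CSR carries a SAN, 1 when it does not.
check_csr() {
    san=$(csr_san "$1")
    if [ -z "$san" ]; then
        echo "FAIL: $1 has no subjectAltName; Chrome 58+ would report NET::ERR_CERT_COMMON_NAME_INVALID"
        return 1
    fi
    echo "OK: $1 SAN = $san"
    return 0
}

# demo: one correct CSR and one CSR without SAN, both checked.
demo() {
    make_csr fmg.example.com "DNS:fmg.example.com, IP:10.11.12.13"
    check_csr "$WORK/fmg.example.com.csr"
    make_csr nosan ""
    check_csr "$WORK/nosan.csr" || true
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run it as `sh csr_san_check.sh demo`: the first CSR is reported with `DNS:fmg.example.com, IP Address:10.11.12.13` (OpenSSL prints the IP entry as "IP Address"), the second is flagged because no SAN extension was requested. The generated `.csr` file can be pasted into the DigiCert or CertLogik decoders mentioned above to cross-check the same attributes.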
Related articles:
- Technical Tip: Import CA certificates in FortiManager or FortiAnalyzer
- Technical Tip: Certificate errors in Google Chrome for FortiManager and FortiAnalyzer SSL certificat...
- Technical Tip: How to sign a certificate with Subject Alternate Name (SAN)
- Technical Tip: How to upload and set a local certificate to be used in FortiManager/FortiAnalyzer
- Technical Tip: How to test a custom certificate for the FortiManager management interface
