theFWdude
New Member
April 27, 2017
Question

Chrome Update 58 Breaks FortiAuthenticator CA Certs

I'm currently leveraging my FAC as a "stand alone" CA server and used it to "Sign" my Fortigate Web Admin Certificates; however, last night my Chrome Browser (and, I assume, other users') updated and now I get the following error:

This server could not prove that it is myfirewall.mydomain.com; its security certificate is from [missing_subjectAltName]. This may be caused by a misconfiguration or an attacker intercepting your connection

Browser Info: Google Chrome Version 58.0.3029.81 (64-bit)

Given that my Gates are not joined to the domain, they do not have a "UPN" or email address so I don't really know how to leverage SAN certificates for them.

Just checking to see if anyone else is currently experiencing this issue as well.

    theFWdude (Author)
    New Member
    April 27, 2017

    I'm guessing this is talking about the FAC's (root) Local CA Cert. In that case I need to re-create the local CA cert and point it to the FAC UPN, since it's joined to the domain?

    emnoc
    New Member
    April 28, 2017

    Read your certificate back in via openssl and see what's present.

    Examples:

    openssl x509 -in <certname> -noout -text

    and

    openssl asn1parse -i -dump -in <certname>

    Since you're leaning toward it being UPN related, what does the openssl output show?

    ted_barker
    New Member
    April 28, 2017

    Chrome 58 requires SAN. There is a temp workaround (for 1 year), but you have to re-create the certificates. https://communities.ca.com/thread/241776307

    This is from a Reddit forum entry:

    "This update just made my day a nightmare. So many certificates to regenerate, and openssl doesn't have a nice way to specify SAN, had to generate configuration files by script... Any reason to request a SAN field in certificate? EDIT: just found out it's related to RFC 2818 from year 2000. The identity check on CN seems deprecated to a dNSName in SAN extension." https://www.reddit.com/r/...ted_warning_for_certs/

    ergotherego
    New Member
    May 12, 2017

    The issue here appears to be that FAC does not support creating certificates using a SAN type of DNS, only URL. Not via the GUI or via CSRs generated manually by OpenSSL.

    I created a CSR manually following the instructions below and FAC totally ignored my SAN details.

    http://apetec.com/support/GenerateSAN-CSR.htm

    Can someone from Fortinet confirm this is the issue, and if/when you can release a patch for this, please?

    theFWdude (Author)
    New Member
    May 17, 2017

    Well, we've pretty much established that SAN cert creation on the FAC is broken, correct? FTNT, any recommendations on this issue?

    gsarica
    New Member
    May 17, 2017

    I was able to create a new cert today with a valid SAN field. Are you using the proper syntax? It needs to be entered like DNS:XXXXXX or IP:X.X.X.X

    Edit: Sorry just noticed you were referring to FAC, I was able to generate the new cert on a FGT.