Error: NET::ERR_CERT_COMMON_NAME_INVALID when accessing secure web sites via ProxySG or ASG
Last Updated June 25, 2018
Chrome browser version 58 and later, and:
accessing secure websites hosted behind a ProxySG (reverse proxy)
or accessing other websites through a ProxySG or ASG where redirect-mode authentication is performed over SSL
or accessing the management console via any version of the ProxySG or Advanced Secure Gateway (ASG).
The latest versions of Google's Chrome browser introduce a much stricter interpretation and implementation of paragraph 3.1 of RFC 2818, which deals with Server Identity in the context of HTTP over TLS. This may cause Chrome to present users with a connection-security warning page in the situations noted above.
Although the RFC document doesn’t formally prohibit the use of Common Names in the Subject field of certificates for the purposes of a server’s identification, use of the Subject Alternative Name (subjectAltName or SAN) extension for this purpose is cited as being preferred.
When accessing a site in one of the situations noted above, a user will see an error/warning page with the error NET::ERR_CERT_COMMON_NAME_INVALID.
To resolve the issue, a new certificate that includes the subjectAltName extension needs to be generated and used in place of the old certificate.
Neither the management console nor the CLI currently provides an option to generate a Certificate Signing Request (CSR) that includes the subjectAltName extension.
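One way to build such a CSR outside the appliance and confirm that it carries the extension before submitting it to a CA, shown as an added example that is not part of the original article or the vendor's procedure. It assumes OpenSSL is available on an administrator workstation; the function names are hypothetical and the hostnames used with them are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): create a private key and a CSR whose
# subjectAltName extension lists every DNS name the certificate must cover.

# make_san_csr <outdir> <common-name> [additional-dns-name ...]
# Writes <outdir>/server.key, <outdir>/server.csr and the config used.
make_san_csr() {
    local outdir="$1" cn="$2" i=1 name
    shift 2
    mkdir -p "$outdir" || return 1

    # The config-file form works on old and new OpenSSL releases alike.
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = v3_req\n'
        printf '[dn]\nCN = %s\n' "$cn"
        printf '[v3_req]\nsubjectAltName = @alt_names\n[alt_names]\n'
        # Repeat the CN as a SAN entry: Chrome 58+ no longer falls back to the CN.
        for name in "$cn" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$outdir/req.cnf"

    # umask keeps the unencrypted private key readable by its owner only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -config "$outdir/req.cnf" \
          -keyout "$outdir/server.key" -out "$outdir/server.csr" ) 2>/dev/null
}

# csr_san_names <csr-file>: print each DNS name in the CSR's SAN, one per line.
csr_san_names() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# csr_covers_host <csr-file> <hostname>: succeed only on an exact SAN entry.
csr_covers_host() {
    csr_san_names "$1" | grep -qxF "$2"
}
```

Running `csr_covers_host` against every name users type into the browser catches a missing SAN entry before the request is sent for signing.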