How to solve NET:ERR_CERT_COMMON_NAME_INVALID in Chrome 58 with Internal Enterprise CA

Chrome v. 58 Reports: Your connection is not Private

Google released Chrome 58 in late April 2017. This update suddenly caused our PeopleSoft and other internal HTTPS sites to report “Your connection is not Private” and ” NET:ERR_CERT_COMMON_NAME_INVALID”:

This was a bit of a surprise for us, and after a little research we realized that our internal Enterprise CA (Certificate Authority) does not populate the Subject Alternative Name (SAN). With update 58, Chrome requires that the SAN field is populated. Certificates signed by commercial certificate authorities automatically add the SAN. However, we have dozens of internal SSL sites, so we setup our own Microsoft Active Directory Certificate Services (CA) to sign our internal SSL certs.

This is what a certificate should contain:

Our CA will add Subject Alternative Name if it’s included in the certificate request. The issue is that when we use the pskeymanager wrapper script from Oracle, there is no way to add the SAN request. I opened a CR with Oracle on this, and they dismissed my request and said our CA did not sign the certificates correctly.

To solve this issue I ended up modifying the pskeymanager to include the SAN request. See below how I accomplished this.

Background on SSL for PeopleSoft

The best place to start is Oracle Support’s Document: “E-SSL: Master Note for Using SSL Certificates on WebLogic: Planning/Installing/Troubleshooting SSL on WebLogic (Doc ID 1240373.1)” and “E-SSL: How to Install/Renew an SSL Certificate on WebLogic for PeopleTools 8.51-8.55 (Doc ID 1555672.1)” which has a very detailed document on configuring SSL. You need an account with Oracle Support to access this document.

However, none of these document addresses the need for a SAN.

Modifying pskeymanager (Windows)

To request a Subject Alternative Name with pskeymanager, the script needs to be modified.

The original script is located in <PS_CFG_HOME>\webserv\<DOMAIN_NAME>\piabin
Create a backup copy of the pskeymanager.cmd file, and open the file in a text editor. It helps if the editor has line numbers, so you can refer to my screenshots

Locate line 559, and add a the new code outlined below

Alternatively, you can copy the code from here:

:genkey_run
:build_response_file
 set response=
 set SAN=
 echo.
 echo Specify a common name for this certificate.
 echo  For server certificates specify the host name as requested by clients.
 echo  For client certificates specify the name is the name of the client.
 echo.
 set /P response=What is the common name for this certificate [%ALIAS%]?
 set response >nul 2>nul
 if errorlevel 1 (
  echo %ALIAS%>responsefile
  set SAN=%ALIAS%
 ) else (
  echo %response%>responsefile
  set SAN=%response%
 )
 
 :specifySAN
 set response=
 set /P response=What is the Subject Alternative Name unit [%SAN%]?
 if errorlevel 1 (
  set SAN=%SAN%
 ) else (
  set SAN=%response%
 )

Locate line 846, and add -ext SAN=dns:%SAN% to the end of the keytool -certreq line:

Save the new pskeymanager as pskeymanager-SAN

Requesting Certificates with a SAN

Note; this shows how to generate cert requests on Windows. The procedure should be similar on Linux/Unix.

Open a Command Prompt as Administrator

CD to <PS_CFG_HOME>\webserv\<DOMAIN_NAME>\piabin

Run: pskeymanager.cmd -create

Complete the certificate request similarly to this screenshot. Notice the request for the SAN

The cert request will be written to <PS_CFG_HOME>\webserv\<DOMAIN_NAME>/

Submitting the Cert Request to the CA

This shows how you can submit the cert request to your internal CA using a Windows AD Certificate Authority:

certreq -attrib "CertificateTemplate:PeopleSoftWebServer-SHA256" -submit HCMDMO_certreq.txt  HCMDMO_cert.cer

After submitting the cert request to the CA, a new certificate will be written to <PS_CFG_HOME>/webserv/<DOMAIN_NAME>/HCMDMO_cert.cer
Here is a screenshot that shows the certificate:

Importing the Cert

Open a Command Prompt as Administrator

CD to <PS_CFG_HOME>\webserv\<DOMAIN_NAME>\piabin

Run: pskeymanager -import -alias HCMDMO -keystorepassword <pass> -file <PS_CFG_HOME>\webserv\<DOMAIN_NAME>\HCMDMO_cert.cer

Follow the instructions in the Oracle Documentation for how to configure Weblogic for SSL.

Certificates for Remote Event Notification (REN) Servers

If the REN servers are configured with SSL new certificates are required to be created in Digital Certificates with SAN. I figured out a rather complicated method for solving this issue, so if there is a need in the community for this solution, please contact me and I’ll blog about it later.

Modifying pskeymanager (Linux)

I had a request to document how to make the change for Linux, so I used the latest HCM PUM image and modified the delivered pskeymanager.sh. This is for PeopleTools 8.56, but it should work for PT 8.55, although the line number may be different.

The original script is located in <PS_CFG_HOME>\webserv\<DOMAIN_NAME>\piabin
Create a backup copy of the pskeymanager.sh file, and open the file in a text editor. It helps if the editor has line numbers, so you can refer to my screenshots

Locate line 647, and add the new code outlined below. The new code should be between “What is the common name for this certificate” and “What is the name of your organizational unit?”

Or copy the code from here:

      SAN=$RESPONSE
      
      VALID_INPUT=no
      while [ "${VALID_INPUT}" = "no" ]; do
        unset RESPONSE
        echo "What is the Subject Alternative Name ['$SAN']?"
        read RESPONSE
        if [ "${RESPONSE}" = "" ]; then
          RESPONSE=$SAN
          VALID_INPUT=yes
        else
          echo ""
          VALID_INPUT=yes
      fi
      SAN=$RESPONSE

Locate line 920, and add -ext SAN=dns:$SAN to the end of the keytool -certreq line:

The rest of the instructions should be similar for Linux and Windows, although your certificate authority may be different.

Consider Donating

If you find value in my blog posts, please consider donating a small amount with PayPal


2 thoughts on “How to solve NET:ERR_CERT_COMMON_NAME_INVALID in Chrome 58 with Internal Enterprise CA

Leave a Reply to Jens Nielsen Cancel reply

Your email address will not be published. Required fields are marked *