Chrome 58 introduces new certificate errors

Filed under: Programming

Yesterday, the team at my day job ran into two new certificate issues for self-signed certificates after Chrome was updated to version 58:

  • NET::ERR_CERT_COMMON_NAME_INVALID – in other words, specifying only a common name (CN=domain.com) is no longer enough for a valid cert; you must now include a SAN (Subject Alternative Name) in the certificate.
  • SHA-1 is no longer accepted as the signature hash for a self-signed certificate. Given the recent buzz around the SHA-1 collision, this is an understandable move from Google.

If you’ve been using makecert.exe to generate your self-signed certificates, it’s time to ditch it for PowerShell 5’s New-SelfSignedCertificate. makecert.exe does not support SAN certificates, unless Microsoft has applied an update to the deprecated utility.

# SANs (Subject Alternative Names) are created with the -DnsName parameter; multiple names can be specified.
# For wildcards, specify the wildcard both as the common name in the subject and as a subject alternative name.
# -HashAlgorithm SHA256 avoids the SHA-1 rejection; the default store location is cert:\currentuser\my.

$cert = New-SelfSignedCertificate -Subject "CN=*.dev.badmishka.co" -DnsName *.dev.badmishka.co,dev.badmishka.co,localhost -HashAlgorithm SHA256 -CertStoreLocation "cert:\currentuser\root"
$cert.thumbprint

If you’re using Azure Cloud Services, you can use PowerShell to read the thumbprint from the new cert and write it to the cloud .cscfg file. If you’re using App Services and debugging the site locally, you’ll need to remove the old cert binding and add a new one. This can be done with netsh http commands:

netsh http delete sslcert ipport=0.0.0.0:44300
# Build the certhash and appid arguments as strings first. Otherwise PowerShell treats the {} in
# appid={...} as a script block, and you would have to run netsh interactively in several steps:
#
# netsh
# http
# add sslcert ipport=0.0.0.0:44300 certhash=[thumbprint] appid={[Random Guid]}

$appid = "appid={$([Guid]::NewGuid())}"
$certhash = "certhash=$($cert.thumbprint)"
netsh http add sslcert ipport=0.0.0.0:44300 $certhash $appid

If you’re using a different port number, substitute it in place of 44300, which is the port IIS Express uses for TLS sites on localhost by default.
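To check an existing cert against both of the Chrome 58 rules above before you bind it with netsh, here is an added example (not part of the original post); it assumes an English Windows locale, since it reads the "DNS Name=" labels that X509Extension.Format() emits.

```powershell
# Added example, not from the original post: check a certificate against the two rules
# Chrome 58 enforces before binding it. Assumes an English Windows locale for the
# "DNS Name=" labels that X509Extension.Format() emits.
function Test-Chrome58Cert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$HostName
    )
    $problems = @()

    # Rule 1: a Subject Alternative Name extension (OID 2.5.29.17) must exist and
    # cover the host; the CN in the Subject is no longer consulted.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) {
        $problems += 'No SAN extension (Chrome reports NET::ERR_CERT_COMMON_NAME_INVALID)'
    } else {
        # Format($false) renders e.g. "DNS Name=*.dev.example.test, DNS Name=localhost"
        $dnsNames = $san.Format($false) -split ',\s*' |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() }
        $hostLabels = ($HostName -split '\.').Count
        $covered = $dnsNames | Where-Object {
            # exact match, or a wildcard that replaces exactly one leading label
            $_ -eq $HostName -or
            ($_.StartsWith('*.') -and $HostName -like $_ -and ($_ -split '\.').Count -eq $hostLabels)
        }
        if (-not $covered) {
            $problems += "SAN does not cover $HostName (has: $($dnsNames -join ', '))"
        }
    }

    # Rule 2: a SHA-1 signature is rejected; regenerate with -HashAlgorithm SHA256.
    if ($Cert.SignatureAlgorithm.FriendlyName -match '^sha1') {
        $problems += "Signed with $($Cert.SignatureAlgorithm.FriendlyName); regenerate with SHA-256"
    }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Passes     = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage: list every cert in the current user's personal store that would fail for localhost
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-Chrome58Cert -Cert $_ -HostName 'localhost' } |
    Where-Object { -not $_.Passes }
```

Run it against the cert you plan to bind (for example, `Test-Chrome58Cert -Cert $cert -HostName localhost`) and fix any listed problem before you touch the netsh binding.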

This took a while to figure out, so I hope this helps someone else save time.

Nerdy Mishka