iyotov
Staff
Article Id 194161

Description

 

This article describes certificate errors that Google Chrome reports for the SSL certificates of FortiManager and FortiAnalyzer.

A certificate signing request is generated in FortiManager/FortiAnalyzer.

The certificate is signed by a well-known trusted Certification Authority (CA) and correctly imported back into FortiManager/FortiAnalyzer.

The new certificate is selected in FortiManager/FortiAnalyzer under System Settings -> Admin Settings -> HTTPS & Web Service Certificate.

Although other browsers accept this certificate without errors, Google Chrome still returns a privacy warning.

 

Solution
 
For Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate. 
The certificate subject alternative name can be a domain name or IP address.  If the certificate does not have the correct subjectAlternativeName extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that the connection is not private.
 
When generating a Certificate Signing Request (CSR) in FortiManager/FortiAnalyzer, make sure to fill in the Subject Alternative Name (SAN) field using the correct syntax.
The string should always start with 'DNS:' (for example, DNS:fmg.example.com); otherwise the SAN attribute will not be included in the request.

For example:


Once the CSR is generated, use the tools provided by the trusted CA, or the online tools provided by other CAs, to verify that all attributes are in order before sending the request for signing.
 
For example, use the 'Check the CSR' tool on the DigiCert web page: https://ssltools.digicert.com/checker/views/csrCheck.jsp


Or use this certlogik tool to see more details:

https://certlogik.com/decoder/ 
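
The same check can also be run locally with OpenSSL before the CSR is sent for signing. This is an added example, not part of the original article or of Fortinet's tooling; the helper names `csr_has_san` and `make_sample_csrs`, the file names, and the two sample CSRs for fmg.example.com are constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names, paths and sample CSRs are constructed.

# csr_has_san CSR_FILE HOSTNAME
# Succeeds only if the CSR requests a SAN extension containing DNS:HOSTNAME.
csr_has_san() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -qxF "DNS:$2"
}

# make_sample_csrs DIR
# Builds two constructed CSRs: one with a SAN, one with only a commonName
# (what results when the SAN field is left out of the request).
make_sample_csrs() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = fmg.example.com
[san]
subjectAltName = DNS:fmg.example.com
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -config "$1/req.cnf" -reqexts san -out "$1/with_san.csr" 2>/dev/null &&
    openssl req -new -key "$1/key.pem" \
        -config "$1/req.cnf" -out "$1/cn_only.csr" 2>/dev/null
}

# Demo run on the constructed samples.
tmp=$(mktemp -d)
make_sample_csrs "$tmp"
for f in with_san cn_only; do
    if csr_has_san "$tmp/$f.csr" fmg.example.com; then
        echo "$f.csr: SAN contains DNS:fmg.example.com"
    else
        echo "$f.csr: SAN entry missing, regenerate the CSR before signing"
    fi
done
rm -rf "$tmp"
```

To check a real request, call `csr_has_san` on the PEM-encoded CSR file with the host name that administrators enter in the browser.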
