Article Number
000036375
Applies To
RSA Product Set: SecurID Access
RSA Product/Service Type: Identity Router
Issue
The Google Chrome web browser reports the following error when accessing the Identity Router's Portal for single-sign on:
NET::ERR_CERT_COMMON_NAME_INVALID
The screen will appear as shown below. The text that is blurred in the screenshot will be the domain name of the server you are accessing. This will either be your IDR's Portal page, or an intermediate server, such as an IWA server.
Image description
If you click the Advanced link on the page displayed by Chrome, additional information will be displayed, explaining that "[the server's] security certificate does not specify
Subject Alternative Names."
Image description
Cause
RFC 2818 states in
Section 3.1 on Server Identity that:
If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead."
This change is also mandated by CA base requirements. See
CA/Browser Forum 2012 Guidance on the Deprecation of Internal Server Names.
Accordingly, Google Chrome version 58 and later issues a warning when only the certificate's Common Name field is available to validate server identity. Chrome now supports only a subjectAltName (Subject Alternate Name or SAN) x.509 certificate extension of type dNSName for server identity.
Resolution
- Send a new certificate signing request to your CA. Discuss the request with your CA's administrator to make sure the signed certificate will include a subjectAltName extension of type dNSName.
- When you have the new certificate, follow the instructions to upload it as a new company certificate in the RSA Cloud Administration Console.
- A new public/private key pair is usually created when a new certificate is issued. If new keys have been created, the new private key file must also be uploaded.
- If there is a new CA certificate chain, the certificate chain must be uploaded. The new CA certificate chain will also need to be installed in the trust store of end user's devices.
Workaround
To be able to use the RSA Identity Router Single-Sign On Portal until a new server certificate can be issued, end users must click Proceed to <server name> (unsafe) link on the Chrome warning page.