SecurID® Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.
Article Number
000036375
Applies To
RSA Product Set: SecurID Access
RSA Product/Service Type: Identity Router
RSA Product/Service Type: Identity Router
Issue
The Google Chrome web browser reports the following error when accessing the Identity Router's Portal for single-sign on:
The screen will appear as shown below. The text that is blurred in the screenshot will be the domain name of the server you are accessing. This will either be your IDR's Portal page, or an intermediate server, such as an IWA server.
Image description
If you click the Advanced link on the page displayed by Chrome, additional information will be displayed, explaining that "[the server's] security certificate does not specify Subject Alternative Names."
Image description
NET::ERR_CERT_COMMON_NAME_INVALID
The screen will appear as shown below. The text that is blurred in the screenshot will be the domain name of the server you are accessing. This will either be your IDR's Portal page, or an intermediate server, such as an IWA server.
Image descriptionIf you click the Advanced link on the page displayed by Chrome, additional information will be displayed, explaining that "[the server's] security certificate does not specify Subject Alternative Names."
Image descriptionCause
RFC 2818 states in Section 3.1 on Server Identity that:
This change is also mandated by CA base requirements. See CA/Browser Forum 2012 Guidance on the Deprecation of Internal Server Names.
Accordingly, Google Chrome version 58 and later issues a warning when only the certificate's Common Name field is available to validate server identity. Chrome now supports only a subjectAltName (Subject Alternate Name or SAN) x.509 certificate extension of type dNSName for server identity.
If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead."
This change is also mandated by CA base requirements. See CA/Browser Forum 2012 Guidance on the Deprecation of Internal Server Names.
Accordingly, Google Chrome version 58 and later issues a warning when only the certificate's Common Name field is available to validate server identity. Chrome now supports only a subjectAltName (Subject Alternate Name or SAN) x.509 certificate extension of type dNSName for server identity.
Resolution
- Send a new certificate signing request to your CA. Discuss the request with your CA's administrator to make sure the signed certificate will include a subjectAltName extension of type dNSName.
- When you have the new certificate, follow the instructions to upload it as a new company certificate in the RSA Cloud Administration Console.
- A new public/private key pair is usually created when a new certificate is issued. If new keys have been created, the new private key file must also be uploaded.
- If there is a new CA certificate chain, the certificate chain must be uploaded. The new CA certificate chain will also need to be installed in the trust store of end user's devices.
Workaround
To be able to use the RSA Identity Router Single-Sign On Portal until a new server certificate can be issued, end users must click Proceed to <server name> (unsafe) link on the Chrome warning page.
In this article
