the stream

fallout of Chrome removing support for commonName matching in certificates

Alexander Bochmann Tuesday 09 of May, 2017
Some time ago, Google announced that they would only look at the subjectAltName in certificates from Chrome 58 on.

The compatibility risk for removing commonName is low. RFC 2818 has deprecated this for nearly two decades, and the baseline requirements (which all publicly trusted certificate authorities must abide by) has required the presence of a subjectAltName since 2012.

Yeah. Turns out that no one in our company had known about that, and almost all of the SSL server certificates signed by our internal CAs don't carry a subjectAltName. Which wouldn't be that bad if it meant just one more click to bypass the error message... But no, even when acknowledging the certificate problem dialog, Chromium refuses to load most of the resources from an affected server (JavaScript, CSS files, images, and such)...
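The difference between the two matching behaviours, as an added example that is not part of the original post: it classifies a certificate as accepted via subjectAltName, accepted only through the legacy RFC 2818 commonName fallback (the case Chrome 58 rejects), or a mismatch. Certificates are dicts in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the hostnames are constructed and the wildcard handling is simplified.

```python
# Added example: SAN-only hostname matching (Chrome 58+) vs. legacy CN fallback.
# Input dicts follow the shape of ssl.SSLSocket.getpeercert(); values are constructed.

def _dns_match(pattern, host):
    """Match one DNS name; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:      # simplified: no public-suffix check
        return p[1:] == h[1:]
    return p == h

def san_dns_names(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def matches_san_only(cert, host):
    """Only dNSName entries in subjectAltName are considered."""
    return any(_dns_match(n, host) for n in san_dns_names(cert))

def matches_legacy(cert, host):
    """RFC 2818: fall back to commonName only when no dNSName SAN exists."""
    sans = san_dns_names(cert)
    names = sans if sans else common_names(cert)
    return any(_dns_match(n, host) for n in names)

def classify(cert, host):
    if matches_san_only(cert, host):
        return "ok"
    if matches_legacy(cert, host):
        return "cn-only"    # accepted by the fallback, rejected when SAN is required
    return "mismatch"

# Constructed sample certificates with hypothetical internal hostnames.
CN_ONLY = {"subject": ((("commonName", "wiki.corp.example"),),)}
WITH_SAN = {"subject": ((("commonName", "wiki.corp.example"),),),
            "subjectAltName": (("DNS", "wiki.corp.example"),
                               ("DNS", "*.apps.corp.example"))}

if __name__ == "__main__":
    for label, cert, host in [("CN only", CN_ONLY, "wiki.corp.example"),
                              ("with SAN", WITH_SAN, "git.apps.corp.example"),
                              ("with SAN", WITH_SAN, "other.corp.example")]:
        print(f"{label:9} {host:24} -> {classify(cert, host)}")
```

Run over an inventory of internal certificates, the `cn-only` results are the ones that need reissuing with a subjectAltName.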