SSL – Remove SSL warning with internal websites, with Chrome

google-chrome, ssl

I am using a signed SSL certificate generated by our internal CA. I have added subject alternative names so that myserver.example.net and myserver are both valid for the site. This works correctly in both Firefox and IE, but in Chrome users are still getting a [1] warning message ("The identity of this site has not been verified.") when they use the short name myserver. The CA is installed and Chrome finds it just fine when using the FQDN. It's when using the hostname ("uname -n"), part of the SAN, that the certificate becomes unverified. As indicated, the error produced is very generic. According to what I've read, if there is a SAN the common name should be ignored, and this seems to be the case. FQDNs that are listed in the SAN seem to work; it's only node names found in the SAN causing this problem. The CA being used here is from a large (multiple class A networks) corporation with thousands of clients and hundreds of servers. The prevailing browser here is IE, and what I'm trying to say is that if we don't see an issue with the way we do things with this large a deployment, then Chrome is not [2] behaving like IE and that alone is cause for concern.

My question is: is there any way for users to use myserver without getting the SSL warning in Chrome?

The error screenshot.
1. http://imageshack.us/a/img259/9624/certerror.png

The ignored initial report to Google, no help from upstream.
2. http://productforums.google.com/d/msg/chrome/FWAtO5uikuE/0zVo9FU9pakJ

Best Answer

Actually Chrome is doing something right here. All SANs in certificates should be forward and reverse resolvable by public DNS. Internal names as well as private IP addresses (say RFC 1918) are a bad idea in certificates. The concept of certificates is to prove an entity's identity unambiguously. Since there is more than one host known as 192.168.0.1 as well as more than one host named "mail" or "unix", certificates for these hosts are only valid for parts of the net.

The CA/Browser Forum deprecated the usage of certificates with SANs some time ago. They published a paper describing specifically this matter. It makes sense to enforce this on the client side as well, Google just seems to be the first following the new standards.
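The question and the answer both turn on which entries a certificate's Subject Alternative Name extension carries: public FQDNs, single-label host names such as myserver, or private IP addresses. The following script is an added example, not code from the question, the answer or any project mentioned; it parses the SAN line from `openssl x509 -noout -text` output and flags the entry kinds that are not globally unambiguous, so an administrator can audit a certificate before rolling it out and see in advance which names a browser applying the public-name rule will not accept. The certificate text is a constructed excerpt, and the list of non-public DNS suffixes is this example's own assumption.

```python
import ipaddress
import re

# Constructed excerpt of `openssl x509 -noout -text` output (not from the page).
# It mixes a public FQDN, a single-label host name, a private IP, a wildcard and a public IP.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Subject: CN = myserver.example.net
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:myserver.example.net, DNS:myserver, IP Address:192.168.0.1, DNS:*.example.net, IP Address:93.184.216.34
"""

# Assumed list of suffixes that do not resolve on the public Internet (reserved by
# RFC 2606 / RFC 6762 or commonly used only internally). Extend to taste.
NON_PUBLIC_SUFFIXES = {
    "local", "localhost", "internal", "lan", "corp", "home", "intranet",
    "test", "example", "invalid",
}


def parse_san(cert_text):
    """Return a list of (kind, value) tuples from the SAN line of openssl text output.

    openssl prints all SAN entries on one line, comma separated, each as KIND:VALUE.
    """
    match = re.search(
        r"X509v3 Subject Alternative Name:[^\n]*\n\s*(.+)", cert_text)
    if not match:
        return []
    entries = []
    for item in match.group(1).split(","):
        item = item.strip()
        if ":" not in item:
            continue
        # Split on the first colon only: the value may itself contain colons (IPv6).
        kind, _, value = item.partition(":")
        entries.append((kind.strip(), value.strip()))
    return entries


def classify(kind, value):
    """Label one SAN entry by whether it names something unambiguous on the public Internet."""
    if kind == "IP Address":
        ip = ipaddress.ip_address(value)
        # is_private covers RFC 1918 space plus loopback, link-local and other reserved ranges.
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            return "non-public-ip"
        return "public-ip"
    if kind == "DNS":
        host = value[2:] if value.startswith("*.") else value
        if "." not in host:
            # A bare node name like "myserver": only meaningful inside one search domain.
            return "single-label"
        tld = host.rsplit(".", 1)[1].lower()
        if tld in NON_PUBLIC_SUFFIXES:
            return "non-public-suffix"
        return "public-fqdn"
    return "other"


def audit(cert_text):
    """Parse and classify every SAN entry; returns (kind, value, label) tuples."""
    return [(kind, value, classify(kind, value)) for kind, value in parse_san(cert_text)]


def problem_entries(cert_text):
    """Only the entries a public-name policy would reject."""
    return [(k, v) for k, v, label in audit(cert_text)
            if label in {"single-label", "non-public-ip", "non-public-suffix"}]


if __name__ == "__main__":
    for kind, value, label in audit(SAMPLE_CERT_TEXT):
        print(f"{label:18} {kind}:{value}")
```

Run against a real certificate with `openssl x509 -in server.crt -noout -text | python3 san_audit.py` after replacing `SAMPLE_CERT_TEXT` with `sys.stdin.read()`; any entry labelled `single-label` or `non-public-ip` is one that will only ever be valid for part of the network, which is the situation the answer describes for myserver and 192.168.0.1.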