6

Chrome now throws NET::ERR_CERT_INVALID for some certificates that are supported by other browsers.

The only clue I can find is in this list of questions about the new Chrome Root Store that is also blocking enterprise CA installations.

https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/faq.md

In particular,

The Chrome Certificate Verifier will apply standard processing to include checking:

  • the certificate's key usage and extended key usage are consistent with TLS use-cases.
  • the certificate validity period is not in the past or future.
  • key sizes and algorithms are of known and acceptable quality.
  • whether mismatched or unknown signature algorithms are included.
  • that the certificate does not chain to or through a blocked CA.
  • conformance with RFC 5280.

I verified my certificates work as expected in Edge.

Further, I verified the certificate is version "3", has a 2048-bit key, and has the extended key usage for server authentication.

I still don't understand which "standard" this certificate is expected to conform to when the browser only says "invalid". Is there a simple template or policy I can use?

Improve this question

3 Answers 3

Reset to default
6

Chrome now rejects TLS certificates containing a variable known as pathLenConstraint or sometimes displayed as Path Length Constraint.

I was using certificates issued by Microsoft Active Directory Certificate Services. The Basic Constraints extension was enabled, and the AD CS incorrectly injects the Path length Constraint=0 for end entity, non-CA certificates in this configuration.

The solution is to issue certificates without Basic Constraints. Chrome is equally happy with Basic Constraints on or off, so long as the path length variable is not present.

One of the better resources for troubleshooting was this Certificate Linter:

https://crt.sh/lintcert

It found several errors in the server certificate, including the path length set to zero.

I also found a thread discussing a variety of Certificate Authorities that would issue certificates the same way, so it is a fairly common issue.

https://github.com/pyca/cryptography/issues/3856

Another good resource was the smallstep open source project that I installed as an alternative CA. After generating a generic certificate, the invalid cert error went away and I realized there was something going on between the Microsoft and Google programs.

Improve this answer
3
  • Dear Robert, do you have any idea what is the purpose of limiting the number of "child CAs" using the "PathLengthConstraint" in a certificate? Does it mitigate any specific attack or increase security in anyway?
    – Ebrahim Ghasemi
    Commented Jan 31, 2023 at 19:20
  • 1
    @EbrahimGhasemi If a top-level CA is not controlled by the same party as a signed intermediate CA (which would be unusual) then the pathLenConstraint=0 policy could be used to prevent the intermediate CA from signing any CA certificates. I doubt this has much value as a security feature, and it is certainly irrelevant to the validation of end entity certificates. Google is getting so strict here that they are breaking legitimate certificate chains.
    – Robert Chapin
    Commented Feb 1, 2023 at 20:19
  • Hmm... not quite. Chrome has no problem with X509 Basic Constraints with pathlen set to zero, so long as CA is set to something. True or false doesn't much matter, but without CA the pathlen can't be parsed correctly, and the relevant RFC has declared this shall always be untrustable. So... there's nothing "legit" about an invalid cert.
    – Dagmar d'Surreal
    Commented Mar 15 at 17:00
1

The best favour you can do yourself is to run Chrome with debug logging to find the exact cause of the issue:

chrome --enable-logging --v=1

This, I believe, will print:

ERROR: Target certificate looks like a CA but does not set all CA properties

Meanwhile it seems they have reverted this verification, which if I'm not mistaken will be released as Chrome 111 in the beginning of March.

See: https://chromium-review.googlesource.com/c/chromium/src/+/4119124

Improve this answer
1

Following @Robert's answer, I used https://crt.sh/lintcert to fix all the issues that I had, so my self-signed certificate will keep on working, as it suddenly stopped working and I got NET::ERR_CERT_INVALID

Here's How I did it:

  1. Create a x509.config file for the domain somesubdomain.mydomain.com.test
# https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
cat > "x509.config" << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=critical,CA:true
keyUsage=critical,digitalSignature,nonRepudiation,cRLSign,keyCertSign
subjectAltName=@alt_names
issuerAltName=issuer:copy
subjectKeyIdentifier=hash
[alt_names]
DNS.1=somesubdomain.mydomain.com.test
EOF
  1. Generate a new domain certificate with OpenSSL; Assuming you already have a rootca.pem and rootca.key
openssl x509 -req \
  -days "3650" \
  -in "rootca.pem" \
  -signkey "rootca.key" \
  -extfile "x509.config" \
  -out "somesubdomain.mydomain.com.test.crt"

Following the above, my lint errors/issues are:

cablint WARNING CA certificates should not include subject alternative names
cablint INFO    CA certificate identified
x509lint    ERROR   AKID without a key identifier
x509lint    INFO    Checking as root CA certificate

Even though there's a single ERROR, my Chrome browser trusts the root CA and the self-signed certificate, so everything works well.

For those of you who wish to generate a self-signed certificate for local development with HTTPS with a *.test domain, the following gist does that trick- https://gist.github.com/unfor19/37d6240c35945b5523c77b8aa3f6eca0

Usage:

curl -L --output generate_self_signed_ca_certificate.sh https://gist.githubusercontent.com/unfor19/37d6240c35945b5523c77b8aa3f6eca0/raw/07aaa1035469f1e705fd74d4cf7f45062a23c523/generate_self_signed_ca_certificate.sh && \ 
chmod +x generate_self_signed_ca_certificate.sh

./generate_self_signed_ca_certificate.sh somesubdomain.mydomain.com
# Will automatically create a self-signed certificate for `somesubdomain.mydomain.com.test`
Improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.