mmoossen

Reputation: 1277

Rejected Client-Certificate in Chrome 61

I have a long-running website secured by self-generated client certificates. It has been working for years without any problems with any browser like IE, Firefox and Chrome.

Since the last Chrome update (61.0.3163.100), the client certificates are rejected with the following error message:

This site can’t provide a secure connection

my.domain.com didn’t accept your login certificate, or one may not have been provided.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT

And the site continues to work fine with any other browser! And I cannot find any relevant information out there.

I assume that Chrome just raised the minimum requirements for client certificates, as it did for server certificates a few months ago, but I have no clue how to fix it.

Any hint what is wrong with my certificates?

Many thanks

UPDATE 15DEC2017

I still had problems and did not find any answer out there.

After a while I figured out that Chrome does not like the client certificates generated by openssl ca.

I was generating the certificates like this:

openssl ca -config openssl.cnf -extensions client -batch -in test.req -out test.cer

I tried everything but I was not able to make it work with Chrome, but again, it worked with all other browsers.

Now I am generating the certificates like this:

openssl x509 -req -in test.req -CA ca.cer -CAkey ca.key -extensions client -extfile openssl.cnf -CAserial ca.srl -out test.cer -sha256 

And it works. If I compare the output of openssl x509 -in test.cer -noout -text, there is NO difference!! So I am wondering what Chrome does not like about openssl ca.

I would prefer to use openssl ca over openssl x509, since I cannot use CRLs and I also prefer startdate/enddate over days.

Any ideas?

Upvotes: 4

Views: 19805

Answers (2)

mmoossen

Reputation: 1277

I was generating the certificates like this:

openssl ca -config openssl.cnf -extensions client -batch -in test.req -out test.cer

I tried everything but I was not able to make it work with Chrome, but again, it worked with all other browsers.

Now I am generating the certificates like this:

openssl x509 -req -in test.req -CA ca.cer -CAkey ca.key -extensions client -extfile openssl.cnf -CAserial ca.srl -out test.cer -sha256 

And it works!

If I compare the output of openssl x509 -in test.cer -noout -text, there is NO difference!! So I am wondering what Chrome does not like about openssl ca.

Upvotes: 2
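
The default `openssl x509 -text` dump does not show the ASN.1 string type (PrintableString, UTF8String, ...) of issuer and subject attributes, so two certificates can print identically and still differ in their encoded bytes. As an added example (not part of the original posts), this Python script lists those types for a PEM or DER certificate so two files can be compared; all function names and the unsigned sample skeleton are constructed here for illustration.

```python
import base64, re
# ASN.1 string tags that may carry a DN attribute value.
TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "T61String", 0x16: "IA5String"}

def tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def name_attrs(name):
    """[(attribute OID as hex, string type, text)] for the content of one Name."""
    return [(oid.hex(), TAGS.get(tag, hex(tag)), val.decode("utf-8", "replace"))
            for _, rdn in children(name) for _, atv in children(rdn)
            for (_, oid), (tag, val) in [children(atv)]]

def cert_names(cert):
    """(issuer, subject) attribute lists of a PEM or DER certificate (bytes)."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END", cert, re.S)
    der = base64.b64decode(m.group(1)) if m else cert
    tbs = children(children(tlv(der)[1])[0][1])        # members of tbsCertificate
    if tbs[0][0] == 0xA0:                              # skip optional [0] version
        tbs = tbs[1:]
    return name_attrs(tbs[2][1]), name_attrs(tbs[4][1])  # serial, sigAlg, issuer, validity, subject

def enc(tag, body=b""):  # encode a short TLV, used only to build the sample below
    return bytes([tag, len(body)]) + body

def sample_cert(subject_tag):
    """Constructed skeleton (unsigned, empty sigAlg/validity); subject CN typed as subject_tag."""
    name = lambda cn, t: enc(0x30, enc(0x31, enc(0x30, enc(0x06, b"\x55\x04\x03") + enc(t, cn))))
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + enc(0x30)
              + name(b"Test CA", 0x13) + enc(0x30) + name(b"client1", subject_tag))
    return enc(0x30, tbs)

if __name__ == "__main__":
    print([cert_names(sample_cert(t))[1] for t in (0x13, 0x0C)])
```

For real files, pass the bytes of each certificate, for example `cert_names(open("test.cer", "rb").read())`, and compare the results for the `openssl ca` and `openssl x509` outputs.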

J.Bonnell

Reputation: 19

I found this article on it from this website: https://productforums.google.com/forum/#!topic/chrome/TM0Tg0_YOvg

To solve this issue, try these steps:
1) Reset browser by clearing out all data in Internet Options of IE.
2) Remove all certificates related to the site you are trying to access. Chrome shares IE cert.
3) Make sure that you have internet access afterwards. If not, check proxy settings if it applies.
4) Try to go to the same site again, and if it prompts for a certificate, insert smart card or install cert.
5) If it does not work, you can remove all certs from Personal, but be careful removing certs from Intermediate and elsewhere.

This error is that the certificate has a problem on the local machine you are using. For DOD users, see https://militarycac.com/dodcerts.htm if there are more issues. I am able, using the steps I posted, to access DOD sites. Make sure you have installroot3a exe installed as well.

Upvotes: 0
