随着Google Chrome 58版本的发布,其对SSL证书的验证方式发生了变化,不再支持通过通用名称字段验证,而是转为仅通过Subject Alternative Name (SAN) 属性进行验证。这一改变可能会影响到部分网站的正常运行,特别是那些依赖于私有PKI或未遵循标准的系统。本文详细介绍了这一变更的原因及应对措施。
原因在于chrome的支持发生变化。下面是详细说明。
1. 背景说明:
Google Chrome在4月24日发布的Chrome58做了SSL安全相关的变动,58之前版本Chrome 支持检查SSL证书对域名生效的“通用名称”字段。从Chrome 58开始,只通过校验SAN属性验证证书的有效性, 此更改只会影响私有PKI和其他未遵循规范的软件。如果您发现任何网站返回错误“NET :: ERR_CERT_COMMON_NAME_INVALID”,可能是由于证书不正确使用SAN。 这对联想内部已经签发的SSL证书会造成一定的影响。
2. 解决方法:
重新生成域名包含在SAN扩展中的CSR(证书申请文件)并提交申请,收到新签发的证书后重新导入应用使用。可参考附件操作手册进行生成包含SAN扩展的CSR。
3. 新旧证书区别比对:
4. 相关公告:
中文:https://www.itrus.cn/news_view_309.html
英文:https://bugs.chromium.org/p/chromium/issues/detail?id=700595&desc=2
1. Background Description:
Google Chrome posted Chrome58 on April 24th with a security-related change on SSL. 58 previous versions of Chrome support to check the "common name" field that the SSL certificate takes effect on the domain name, but begin with Chrome 58 version, it verify the validity of the certificate just by checking the SAN attribute. This change only affects private PKI and other non-compliant software. If you find any site that returns the error "NET :: ERR_CERT_COMMON_NAME_INVALID", it might be because the certificate is incorrectly using the SAN. And This will have a certain impact on the SSL certificate already issued by Lenovo.
2. Solution:
Rebuild CSR (certificate request file) with the domain name included a Subject Alternative Name extension and submit the application, use by re-import the application after receiving the newly issued certificate. Details can refer to the attachment to generate a CSR with a SAN attribute manually.
3. The difference between the old and new certificates
4. Related Announcement:
Chinese:https://www.itrus.cn/news_view_309.html
English:https://bugs.chromium.org/p/chromium/issues/detail?id=700595&desc=2
扫一扫
2752
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
