Chrome needs to support chained certificate enrollment
Reported by
johndemi...@gmail.com,
Dec 16 2016
|
||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 Steps to reproduce the problem: 1. Attempt to collect a personal code-signing, email, or other certificate from a CA. 2. Chrome throws an error (depends on the CA) What is the expected behavior? Chrome should either install or download the cert What went wrong? Chrome apparently isn't handling "chained certificate enrollment"; for reference, see: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/776/38/ https://social.technet.microsoft.com/Forums/windowsserver/en-US/c6804342-753b-4851-8840-6293b9e9ea79/google-chrome-client-certificate-install-fails?forum=winserversecurity Did this work before? No Chrome version: 55.0.2883.87 Channel: n/a OS Version: OS X 10.12.2 Flash Version: Shockwave Flash 24.0 r0
,
Dec 16 2016
I suspect it's application/x-x509-user-cert, which we only supported importing a single certificate (not a PKCS#7 chain of certificates). That's what the Technet & DigiCert articles are referring to, at least. The change, which as Eric mentioned happened a bit ago, is that support for application/x-x509-user-cert was wholly removed. Now, it's simply downloaded (if the server is properly following the HTTP specification) and it's up to the user to import into the appropriate tool (in the case of the reporter's macOS 10.12.2, the Keychain Access tool is spawned). So I'm going to close this as WontFix. Earlier versions of Chrome intentionally didn't support PKCS#7 blobs in application/x-x509-user-cert (which Firefox and Nokia did), and new versions simply treat it as any other unsupported-by-Chrome mimetype - defer to the OS and the OS' associations (to extension and mime-type)
,
Dec 16 2016
I'd be fine if it just downloaded a certificate, but it doesn't. When one of my users tries to generate a cert from Microsoft Certificate Server using their AD credentials, Safari and Firefox work, but using Chrome there's an error returned (as an HTML page) from the certificate server (see below). It seems that Chrome is not giving the server whatever it needs to generate the cert in order to download it, whereas the other two browsers are. Microsoft Active Directory Certificate Services -- cciu-CERTSERVER-CA Home Error Your request failed. An error occurred while the server was processing your request. Contact your administrator for further assistance. Request Mode: newreq NN - New Request (keygen) Disposition: (never set) Disposition message: (none) Result: Invalid pointer 0x80004003 (-2147467261 E_POINTER) COM Error Info: CCertRequest::Submit: Invalid pointer 0x80004003 (-2147467261 E_POINTER) LastStatus: The operation completed successfully. 0x0 (WIN32: 0) Suggested Cause: No suggestions.
,
Dec 16 2016
Right, so that's not related to downloading certificates, that's related to <keygen>. As Eric mentioned, it's been deprecated since Chrome 49 (you can set a permission to use it, or an enterprise flag) and is being removed in Chrome 57, as the DevTools console has been warning for a year now.
,
Dec 16 2016
Wonderful, that's the information that I needed, thanks much and applogies for my ignorance of the mechanism. With <keygen> re-enabled, Chrome downloads the cert as exepected. I realize that it will be fully removed in a future version, however. Thanks. |
||
►
Sign in to add a comment |
||
Comment 1 by elawrence@chromium.org
, Dec 16 2016Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug