Typically, this would occur if the certificate name did not match the hostname of the site.

Please capture a network log of an attempt to load the target site: https://dev.chromium.org/for-testers/providing-network-details and attach it to the bug.

Thanks!

(I'm guessing this is the common name deprecation, but let's wait for the net-internals.)

Yeah, https://www.chromestatus.com/features/4981025180483584 covers this deprecation, which is rolling out in Chrome 58

net-internals attached, thanks all.

Deleted: chrome-net-export-log.json 79.7 KB

chrome-net-export-log.json 79.7 KB View Download

Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

FWIW, I also got bitten by this bug when trying to access my local dev site over HTTPS, I suspect other developers that copy and paste OpenSSL commands from various sites will hit this too.

It doesn't help that Chrome's error message is very confusing too.

Deleted: confusing.png 130 KB

	confusing.png 130 KB View Download

The certificate attached lacks a commonName, so this is https://www.chromestatus.com/features/4981025180483584

As noted there and the Intent to Deprecate and Remove, the commonName field in a certificate is not strongly typed, has been deprecated for 17 years, and creates security risks. Support has been disabled by default in Chrome 58.

For internal enterprises needing support, "EnableCommonNameFallbackForLocalAnchors" exists as an enterprise policy that can be set. OTherwise, certificates should comply with the HTTPS RFC.

Thanks for the quick and detailed response! I'm developing on my local macbook, so I guess i'll need to do some googling for how to set a commonName in a self signed cert. Thanks :)

More precisely, you need to add a subjectAltName to your certificate.

To save time for anyone stumbling upon this thread, I used this OpenSSL config and changed the alternate_names section: https://stackoverflow.com/a/27931596

And then generated the new certificates with:

openssl req -config /path/to/your.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout key.pem -days 365 -out cert.pem

Works great and Chrome is no longer complaining :)

See https://bugs.chromium.org/p/chromium/issues/detail?id=704199#c6 for more detailed instructions.

Could someone inform of how to enable "EnableCommonNameFallbackForLocalAnchors" on a Chromebook that is not a part of an enterprise?

So, if one has added the SubjectAltName and installed the new certificate on the local dev servers, does that have any impact on existing self signed cert's on the server? Seems post installation of new SSL cert, X509 certs are failing.

Re #15: It's not clear what question you're asking. Generally speaking, Web Servers with multiple certificates treat them independently and unless misconfigured, changing the certificate for one hostname on the server will not impact connections to any other host on that server.

does that have any impact on existing self signed cert's on the server? Seems post installation of new SSL cert
https://www.wdfshare.com/counter-strike-source-offline-full-portable.html