Would it be possible for you to attach the .CER file?

This is on Windows 10?

I'm also getting ERR_SSL_SERVER_CERT_BAD_FORMAT when trying to browse using HTTPS on our self-signed devices. 

Used to work on Chrome 60, and works on IE.

I've attached a .p7b file containing the certificate chain. Similarly with the OP, I'm not sure how I can determine what the problem is.

Deleted: cert_chain.p7b 1.6 KB

cert_chain.p7b 1.6 KB Download

Re #2: On what OS platform are you encountering this problem?

re: comment #2: The validity times in the certificates are encoded incorrectly. They do not include the seconds field, which is required by RFC 5280. (https://tools.ietf.org/html/rfc5280#section-4.1.2.5.1)

    SEQUENCE {
      UTCTime { "0001010000Z" }
      UTCTime { "3001010000Z" }
    }

Thank you for the responses.

OS is Windows 7 SP1 64-bit
Chrome is version 61.0.3163.100 (64-bit)

The certs were generated using openssl 1.0.2k. I can check whether I can add the seconds field easily and confirm if this corrects the issue.

re: Comment 4. I can confirm that adding the seconds field corrects the issue. 

I guess our certs have been wrong for many years -- but still worked on all of our tested browsers. I'm not sure if this is the same issue as the OP. I guess we'll find out if the certificate is posted.

Thanks again.

system: Windows 10 Pro , ver. 10.0.13493 kompilation 14393

cer file (nol3starter.cer) is in attachment

Thanks !

Deleted: nol3starter.cer 915 bytes

nol3starter.cer 915 bytes Download

re #7: I don't get any errors on that cert. Can you capture a netlog demonstrating the error? That should allow us to see if it's actually that cert which is causing the problem. (https://sites.google.com/a/chromium.org/dev/for-testers/providing-network-details)

chrome-net-export-log.json file in attachment

Deleted: chrome-net-export-log.json 5.1 MB

chrome-net-export-log.json 5.1 MB View Download

Do we object to a CA certificate that doesn't have a critical basicConstraints?

cablint	ERROR	basicConstraints must be critical in CA certificates
cablint	ERROR	CA certificates must include keyUsage extension
cablint	ERROR	CA:TRUE without keyCertSign
cablint	WARNING	CA certificates should not include subject alternative names
zlint	ERROR	basicConstraints MUST appear as a critical extension
zlint	ERROR	CAs MUST include a Subject Key Identifier in all CA certificates
zlint	ERROR	Root and Subordinate CA certificate keyUsage extension MUST be present
zlint	ERROR	Root CA certificates MUST have Key Usage Extension Present
zlint	WARNING	Effective September 30, 2016, CAs SHALL generate non‐sequential Certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG.
zlint	WARNING	The domain SHOULD NOT have a bare public suffix

re #9: thanks! In that log, the server is sending a different cert chain than the one attached to comment #7. (I attached it here for reference.)  The first cert in the chain is marked as version 1, but has extensions, which are only allowed in version 3 certificates.

Deleted: 769771.wss-localhost.serverchain.pem 13.3 KB

769771.wss-localhost.serverchain.pem 13.3 KB Download

thanks a lot ! my mistake, i didnt notice certificate for websocket server, version was wrong and I change it to v.3 , it works great ! 

@as per comment #12, closing this issue , as it works fine. Please feel free to raise a new issue , if any issues faced in latest chrome channels.

Thanks!

 Issue 797203  has been merged into this issue.