4

I just used our internal Windows-CA to create a certificate for our internal server "hdl-diamant".

When calling the website using "https://hdl-diamant", I do get "ERR_CERT_COMMON_NAME_INVALID" in Edge (Chromium), Chrome and Firefox.

But in IE 11, the certificate is accepted just fine.

What is going wrong here?

The following certificate is delivered by the webserver (you can decode it here)

-----BEGIN CERTIFICATE-----
MIIF2TCCBMGgAwIBAgITSgAAACvsEpZoQcz3YwAAAAAAKzANBgkqhkiG9w0BAQsF
ADBBMRIwEAYKCZImiZPyLGQBGRYCZGUxGjAYBgoJkiaJk/IsZAEZFgpnb20tYmVy
bGluMQ8wDQYDVQQDEwZIREwtQ0EwHhcNMjAwODIxMTIwMDAwWhcNMjIwODIxMTIw
MDAwWjCBgDELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMG
QmVybGluMSwwKgYDVQQKDCNGUsOWQkVMIEJpbGR1bmcgdW5kIEVyemllaHVuZyBn
R21iSDELMAkGA1UECxMCSVQxFDASBgNVBAMTC2hkbC1kaWFtYW50MIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoilKAQZum2Jv+XfYDY4e2+uC+OTK4cF5
nGYuwjUUFfK+UKqHv5VrRxLZeLnch0kOZppVzpU47KwjdtU/jI/BqvVuYyrmW8yp
y2iYm6DevCi08hiDLiSis/sZ/9n6rdqEB2ZmgdIOoNtgL8qk5chxP6ljtJwFTdO2
ksg2oGNAg1UdPqdwVrqUhxI7Y3Gq6MsbajJ23pO4EHQTqMBWhzv1Ja2vtdJhSRrS
vMIWCq8nn9sQe5vyTqZMGoWtNHgOlSr4C4BN3AcbtkrB57CKWwZK2xLeneAMj5hM
ZPbkJaHONGKw6nIjeSoyowA9ZnpZeeTx4oBO3Cn+cpxH2/jWVaj/dQIDAQABo4IC
iDCCAoQwCwYDVR0PBAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMHgGCSqGSIb3
DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDALBglghkgB
ZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglghkgBZQMEAQUwBwYF
Kw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFLSI88muthGWCDpMgD/NkrpijhqP
MB8GA1UdIwQYMBaAFJ5MjQtUxt6n9+UUrT2gdUvhP7OjMIHFBgNVHR8Egb0wgbow
gbeggbSggbGGga5sZGFwOi8vL0NOPUhETC1DQSxDTj1IREwtREMsQ049Q0RQLENO
PVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3Vy
YXRpb24sREM9Z29tLWJlcmxpbixEQz1kZT9jZXJ0aWZpY2F0ZVJldm9jYXRpb25M
aXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgboGCCsG
AQUFBwEBBIGtMIGqMIGnBggrBgEFBQcwAoaBmmxkYXA6Ly8vQ049SERMLUNBLENO
PUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1D
b25maWd1cmF0aW9uLERDPWdvbS1iZXJsaW4sREM9ZGU/Y0FDZXJ0aWZpY2F0ZT9i
YXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwIQYJKwYBBAGC
NxQCBBQeEgBXAGUAYgBTAGUAcgB2AGUAcjANBgkqhkiG9w0BAQsFAAOCAQEACI23
mwPAtIDArRBW2sMDDFamsAs3XJh+dnzXTX4MvD/WQRh0zrN8l4sHLiNVI/r9662n
dohB80e62zM/fGIOTXZ9arCWRf+KggBiaRJKehSEBArw8fHadspUjOCtJReAnMkj
SkisgQTc3zDsx4/tQtd1o+uwGovsd7FFRsIWUOpmUdt8TJpgtWuklnA7UHYRVy/Y
Iry4bfN9qR0Bw/aWXmHPrakgzv471jkaQVlN/cHUMrLQPppw0aV1vxTKgl/h7jHv
X0WgrNL5Iz2Lq2I0194ymQh4ZftkNK9GSTAOYryxXi/9Jq4IL7mTQk561F0buyWk
8c0MTPrn6ZKkyQo3RQ==
-----END CERTIFICATE-----

1 Answer 1

4

Your certificate is missing the Subject Alternate Name (SAN) entries.

Modern browsers require that the SAN is present, even if it it only contains the common name. Recreate your certificate with a SAN for hdl-diamant.

While you're at it you could also add the FQDN of the host, in the case you need it later you don't have to recreate the certificate again.

1
  • Thank you very much! In case it helps anybody else: When creating a certifice-request using Windows-certificate-management, you need to add an entry of type "DNS" in the lower part.
    – Andreas
    Commented Aug 21, 2020 at 12:46

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .