Chrome Update 58 Breaks FortiAuthenticator CA Certs

Author
theFWdude
New Member
2017/04/27 15:09:49 (permalink)

Chrome Update 58 Breaks FortiAuthenticator CA Certs

I'm currently leveraging my FAC as a "stand alone" CA server and used it to "Sign" my Fortigate Web Admin Certificates; however, last night my Chrome browser (and assuming other users) updated and now I get the following error:

This server could not prove that it is myfirewall.mydomain.com; its security certificate is from [missing_subjectAltName]. This may be caused by a misconfiguration or an attacker intercepting your connection
Browser Info: Google Chrome Version 58.0.3029.81 (64-bit)
 
Given that my Gates are not joined to the domain, they do not have a "UPN" or email address so I don't really know how to leverage SAN certificates for them.
 
Just checking to see if anyone else is currently experiencing this issue as well.
#1
theFWdude
New Member
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/04/27 15:12:41 (permalink)
I'm guessing this is talking about the FAC's (root) Local CA Cert .. in that case I need to re-create the local CA cert and point it to the FAC UPN since it's joined to the domain?  
#2
emnoc
Expert Member
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/04/27 20:59:53 (permalink)
Read your certificate back in via openssl and see what's present
 
examples
 
openssl x509 -in <certname> -noout -text
 
and
 
openssl asn1parse -i -dump -in <certname>
 
 
Since you're leaning towards it being UPN related, what does openssl show?
 
 

PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA
#3
ted barker
Bronze Member
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/04/27 21:44:28 (permalink)
Chrome 58 requires SAN.

There is a temp workaround (for 1 year), but you have to re-create the certificates.

https://communities.ca.com/thread/241776307


This is from a reddit forum entry:



This update just made my day a nightmare. So many certificates to regenerate, and openssl doesn't have a nice way to specify SAN; had to generate configuration files by script... Any reason to request a SAN field in certificates?

EDIT: just found out it's related to RFC 2818 from the year 2000. The identity check on CN seems deprecated in favour of a dNSName in the SAN extension.

https://www.reddit.com/r/...ted_warning_for_certs/
post edited by ted barker - 2017/04/27 21:53:51
#4
Ahslan
New Member
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/05/12 06:37:59 (permalink)
Damn! Was just wondering why I was getting cert warnings when accessing all of my Fortinet appliances :(
The weird thing on top of that was when I try logging into something after the cert warning, I get an error. The error differs by the device I'm trying to access (FortiGates indicate that they are unable to connect to the server, and FortiManager\FortiAnalyzer indicate that I do not have permissions to the device). Was a little freaked out by this but then noticed that I was able to log in with no issues if I access the web GUI via the IP of the device rather than its FQDN..... weird
#5
ergotherego
Silver Member
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/05/12 09:19:57 (permalink)
The issue here appears to be that FAC does not support creating certificates using a SAN type of DNS, only URL: not via the GUI, nor via CSRs generated manually by OpenSSL.
 
I created a CSR manually following the instructions below and FAC totally ignored my SAN details.
 
http://apetec.com/support/GenerateSAN-CSR.htm
 
Can someone from Fortinet confirm this is the issue, and if/when you can release a patch fix for this please?
#6
theFWdude
New Member
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/05/17 05:25:12 (permalink)
Well, we've pretty much established that SAN cert creation on the FAC is broken, correct? FTNT, any recommendations on this issue?
#7
gsarica
Bronze Member
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/05/17 06:32:29 (permalink)
I was able to create a new cert today with a valid SAN field. Are you using the proper syntax? It needs to be entered like DNS:XXXXXX or IP:X.X.X.X
 
Edit: Sorry just noticed you were referring to FAC, I was able to generate the new cert on a FGT.
post edited by gsarica - 2017/05/17 06:35:31
#8
tanr
Gold Member
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/05/17 07:56:50 (permalink)
Has anybody created a support ticket on this?
#9
theFWdude
New Member
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/05/17 07:57:49 (permalink)
I have one open with FortiTAC.
#10
theFWdude
New Member
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/05/18 16:40:28 (permalink)
Updated my case, awaiting to hear back. Even when the Gate submits the CSR with a "Subject Alternative Name", the .cert is actually missing the SAN portion of the cert.
#11
theFWdude
New Member
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/05/22 06:44:05 (permalink)
Anyone else been able to get this working? I seem to be getting nowhere with support.
#12
Bromont_FTNT
Platinum Member
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/05/22 06:56:17 (permalink)
Looks like this (SAN) will be added to v5, still at least a few weeks away from release.
#13
theFWdude
New Member
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/06/03 10:40:18 (permalink)
So.. crickets so far.. a "Few Weeks" isn't really a great response for my boss. Got any dates or any confirmed road map plans? Seriously.. I'm relying on the FAC to provide me trusted certificates and my current Inspection Profiles are broken..
#14
emnoc
Expert Member
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/06/05 04:50:48 (permalink)
When the SANs issue finally gets resolved, will someone verify how many altNames it can sign: 5, 10, 25 or more? I've seen weird things where, within CSRs that were crafted with altNames, after so many the signer will ignore the rest of the altNames.

e.g. with a classic openssl CNF the last 2 altNames would be dropped.
 
[v3_req]
basicConstraints = CA:FALSE
keyUsage = keyEncipherment, dataEncipherment, digitalSignature, nonRepudiation
subjectAltName = @alt_names
extendedKeyUsage = serverAuth,clientAuth

[alt_names]
DNS.1 = potatoe1.example.com
DNS.2 = potatoe2.example.com
DNS.3 = potatoe3.example.com
DNS.4 = potatoe4.example.com
DNS.5 = potatoe5.example.com
DNS.6 = potatoe6.example.com
DNS.7 = potatoe7.example.com
 
 
So FTNT should list what the max altNames value is.
 
 
And lastly, if the FortiAuthenticator has the means to export the root CA key, can you just manually use openssl to sign the altName CSRs as a work-around till the appliance OS is fixed? Maybe the CLI has the means to extract the root CA key, and with the root CA cert file you can do the signing as a temporary fix.
 
Just an idea; don't know what all an authenticator can or cannot do.
;)
 
 
Ken
 

PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA
#15
theFWdude
New Member
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/06/05 05:31:51 (permalink)
Ken,
Quick question.. other than experience, do you have any good recommended reads on PKI? I seriously need a "101" when it comes to PKI administration.. Not so much the "math" side of the house, but more the implementation and administration of it. The FAC guide only provides vague information. Thanks in advance!
#16
emnoc
Expert Member
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/06/05 07:01:25 (permalink)
If you're talking about the FAC, read the doc. I've only used it like twice and have not kept up on what it all can do on the PKI side.
 
If you're talking about a good read for PKI, read the openssl manpages or YouTube and Google searches. I have a few PKI tip/trick posts using openssl going back 5+ years on various blogs and forums. Openssl is the king in finding out a lot about what you can and can't do with PKI.
 
We have private in-house CAs that seem to treat various attributes or altNames differently, but I'm sure if you craft a CSR with altNames you can read it back in via openssl
 
e.g
 
openssl req -in <csrname.file> -noout -text

and review the altName field.
 
Then, if you can extract the FAC priv-key and export the certificate, you should be able to sign the said csrname.file with those two items.
 
e.g
 
# x509 -req does not carry the altNames over from the CSR by itself; point -extfile at the
# CNF holding the [v3_req] / [alt_names] sections so they are written into the signed cert
openssl x509 -req -days 366 -in <csr_with_altnames.csr> -CA FACroot.crt -CAkey FACCA.key \
  -CAcreateserial -extfile <altnames.cnf> -extensions v3_req -out named_generated_certificate.crt
PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA
#17
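The openssl work-around Ken sketches in #15 and #17 (sign an altName CSR with the exported CA key, then read the result back), carried through end to end as an added example that is not from the thread or from Fortinet. It builds a throw-away root CA standing in for the FAC's, signs a CSR with seven dNSName SANs, counts how many survived signing, and then runs the hostname check the way Chrome 58 does (SAN consulted, CN ignored). All file names and hostnames are constructed for the demo; it assumes openssl 1.1.1 or later.

```shell
# Added example (not code from the thread): sign a CSR carrying seven dNSName SANs with a
# local CA key, then read the result back the way Chrome 58 judges it. Assumes openssl 1.1.1+;
# every file name and hostname below is constructed for this demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# One config serves the CA, the CSR and the signing step ([v3_req] mirrors emnoc's post).
write_cnf() {
  cat > "$WORK/san.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = myfirewall.mydomain.com
[v3_ca]
basicConstraints = critical, CA:TRUE
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
EOF
  for i in 1 2 3 4 5 6 7; do echo "DNS.$i = potatoe$i.example.com"; done >> "$WORK/san.cnf"
}
# Stand-in for an exported FortiAuthenticator root CA (constructed here, not a real FAC key).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-root-ca" -config "$WORK/san.cnf" \
    -extensions v3_ca -keyout "$WORK/FACCA.key" -out "$WORK/FACroot.crt" 2>/dev/null
}
# CSR whose CN is the firewall FQDN but whose SAN list does not repeat it.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/san.cnf" -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
}
# x509 -req drops the CSR's own extensions: -extfile/-extensions re-supply the SAN at signing.
sign_csr() {
  openssl x509 -req -days 366 -in "$WORK/srv.csr" -CA "$WORK/FACroot.crt" -CAkey "$WORK/FACCA.key" \
    -CAcreateserial -extfile "$WORK/san.cnf" -extensions v3_req -out "$WORK/srv.crt" 2>/dev/null
}
# How many dNSName entries survived signing (emnoc's "5, 10, 25 or more?" question).
san_count() {
  openssl x509 -in "$WORK/srv.crt" -noout -text | grep -o 'DNS:' | wc -l | tr -d ' '
}
# Chrome 58-style check: the chain must verify and the name must appear in the SAN; CN is ignored.
host_ok() {
  openssl verify -CAfile "$WORK/FACroot.crt" -verify_hostname "$1" "$WORK/srv.crt" >/dev/null 2>&1
}
write_cnf; make_ca; make_csr; sign_csr
echo "dNSName entries in signed cert: $(san_count)"
host_ok myfirewall.mydomain.com || echo "CN-only name rejected, as Chrome 58 does"
```

Drop the `-extfile`/`-extensions` pair from sign_csr and san_count falls to 0, which is the same "missing_subjectAltName" failure the thread opens with.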