Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
theFWdude
New Contributor

Chrome Update 58 Breaks FortiAuthenticator CA Certs

I'm currently leveraging my FAC as a "stand alone" CA server and used it to "Sign" my Fortigate Web Admin Certificates; however, last night my Chrome Browser (and assuming other users') updated and now I get the following error:

This server could not prove that it is myfirewall.mydomain.com; its security certificate is from [missing_subjectAltName]. This may be caused by a misconfiguration or an attacker intercepting your connection

Browser Info: Google Chrome Version 58.0.3029.81 (64-bit)

Given that my Gates are not joined to the domain, they do not have a "UPN" or email address so I don't really know how to leverage SAN certificates for them.

Just checking to see if anyone else is currently experiencing this issue as well.

-TFWD
theFWdude
New Contributor

I'm guessing this is talking about the FAC's (root) Local CA Cert... in that case I need to re-create the local CA cert and point it to the FAC UPN since it's joined to the domain?

-TFWD
emnoc
Esteemed Contributor III

Read your certificate back in via openssl and see what's present

examples

openssl x509 -in <certname> -noout -text

and

openssl asn1parse -i -dump -in <certname>

Since you're leaning toward something UPN-related, what does the openssl output show?

PCNSE
NSE
StrongSwan
ted_barker

Chrome 58 requires SAN. There is a temp workaround (for 1 year), but you have to re-create the certificates. https://communities.ca.com/thread/241776307

This is from a reddit forum entry:

"This update just made my day a nightmare. So many certificates to regenerate, and openssl doesn't have a nice way to specify SAN, had to generate configuration files by script... Any reason to request a SAN field in certificate? EDIT: just found out it's related to RFC 2818 from year 2000. The identity check on CN seems deprecated to a dNSName in SAN extension."

https://www.reddit.com/r/...ted_warning_for_certs/
Ahslan
New Contributor III

Damn! Was just wondering why I was getting cert warning when accessing all of my fortinet appliances :(

The weird thing on top of that was when I try logging into something after the cert warning, I get an error. The error differs by the device I'm trying to access (FortiGates indicate that they are unable to connect to the server and FortiManager/FortiAnalyzer indicate that I do not have permissions to the device). Was a little freaked out by this but then noticed that I was able to log in with no issues if I access the web GUI via the IP of the device rather than its FQDN... weird.

ergotherego
Contributor II

The issue here appears to be that FAC does not support creating certificates using a SAN type of DNS, only URL. Not via the GUI, nor via CSRs generated manually by OpenSSL.

I created a CSR manually following the instructions below and FAC totally ignored my SAN details.

http://apetec.com/support/GenerateSAN-CSR.htm

Can someone from Fortinet confirm this is the issue, and if/when you can release a patch fix for this, please?

theFWdude

Well, we've pretty much established that SAN cert creation on the FAC is broken, correct? FTNT, any recommendations on this issue?

-TFWD
gsarica

I was able to create a new cert today with a valid SAN field. You're using the proper syntax? Needs to be entered like DNS:XXXXXX or IP:X.X.X.X

Edit: Sorry just noticed you were referring to FAC, I was able to generate the new cert on a FGT.

tanr
Valued Contributor II

Has anybody created a support ticket on this?

theFWdude
New Contributor

I have one open with FortiTAC.

-TFWD