https://live.paloaltonetworks.com/t5/general-topics/ssl-tls-vs-chrome-missing-subjectaltname/m-p/168532#M53669 <P><SPAN>I'm trying to get rid of the warning when I open the PA GUI from Chrome. I'm getting the following warning:</SPAN></P><UL><LI><SPAN>This server could not prove that it is&nbsp;</SPAN><STRONG>192.168.10.4</STRONG><SPAN>; its security certificate is from&nbsp;</SPAN><STRONG>[missing_subjectAltName]</STRONG></LI></UL><P>First of all, IE is fine, no errors!</P><P>&nbsp;</P><P>I have generated the certificate and imported it as my trusted Root CA:<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="cert import.JPG" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/10542i960E34C42E284354/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="cert import.JPG" alt="cert import.JPG" /></span></P><P>I have also created a certificate profile (called it GUI) under "Device -&gt; Certificate Managemenet- &gt; SSL/TLS Service Profile", which used the ceriticate above.</P><P>&nbsp;</P><P>Then I went to&nbsp;"<SPAN>Device&nbsp;</SPAN><SPAN>-&gt;&nbsp;</SPAN><SPAN>Setup -&gt;&nbsp;</SPAN><SPAN>M</SPAN><SPAN>anagemenet&nbsp;</SPAN><SPAN>-&gt; SSL/TLS Service Profile" and&nbsp;chose "GUI" (the cerifcate profile above).</SPAN></P><P>&nbsp;</P><P><SPAN>However, Google Chrome does not like it. Off course if I ignore the warning, it works no problem.</SPAN></P><P>&nbsp;</P><P><SPAN>Any ideas what I'm missing, or why google doesn't like me?!</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks!</SPAN></P><P>&nbsp;</P> Wed, 26 Jul 2017 21:28:51 GMT Hwinter 2017-07-26T21:28:51Z https://live.paloaltonetworks.com/t5/general-topics/ssl-tls-vs-chrome-missing-subjectaltname/m-p/168532#M53669 <P><SPAN>I'm trying to get rid of the warning when I open the PA GUI from Chrome. I'm getting the following warning:</SPAN></P><UL><LI><SPAN>This server could not prove that it is&nbsp;</SPAN><STRONG>192.168.10.4</STRONG><SPAN>; its security certificate is from&nbsp;</SPAN><STRONG>[missing_subjectAltName]</STRONG></LI></UL><P>First of all, IE is fine, no errors!</P><P>&nbsp;</P><P>I have generated the certificate and imported it as my trusted Root CA:<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="cert import.JPG" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/10542i960E34C42E284354/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="cert import.JPG" alt="cert import.JPG" /></span></P><P>I have also created a certificate profile (called it GUI) under "Device -&gt; Certificate Managemenet- &gt; SSL/TLS Service Profile", which used the ceriticate above.</P><P>&nbsp;</P><P>Then I went to&nbsp;"<SPAN>Device&nbsp;</SPAN><SPAN>-&gt;&nbsp;</SPAN><SPAN>Setup -&gt;&nbsp;</SPAN><SPAN>M</SPAN><SPAN>anagemenet&nbsp;</SPAN><SPAN>-&gt; SSL/TLS Service Profile" and&nbsp;chose "GUI" (the cerifcate profile above).</SPAN></P><P>&nbsp;</P><P><SPAN>However, Google Chrome does not like it. Off course if I ignore the warning, it works no problem.</SPAN></P><P>&nbsp;</P><P><SPAN>Any ideas what I'm missing, or why google doesn't like me?!</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks!</SPAN></P><P>&nbsp;</P> Wed, 26 Jul 2017 21:28:51 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-tls-vs-chrome-missing-subjectaltname/m-p/168532#M53669 Hwinter 2017-07-26T21:28:51Z https://live.paloaltonetworks.com/t5/general-topics/ssl-tls-vs-chrome-missing-subjectaltname/m-p/168542#M53670 <P>When you generate your certificate, it needs a Subject Alternative Name field for Chrome to play nicely with it. As far as I know, Chrome is the only browser to officially deprecate the Common Name, but Safari and Opera are both based on WebKit, the guts behind Chrome, so I imagine it will be soon that they follow suit.</P><P>&nbsp;</P><P>Internet Explorer, Edge, and Firefox don't enforce this, so they'll likely be fine for a while.</P><P>&nbsp;</P><P>On the firewall, you can generate that by using the two available fields in the certificate generation section:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="cert-create.jpg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/10543iA3ABA221A5072C7E/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="cert-create.jpg" alt="cert-create.jpg" /></span></P><P>&nbsp;</P><P>The&nbsp;<STRONG>Host Name, IP, and Alt Email</STRONG> fields are all Subject Alternative Name fields, and adding any of them is sufficient to avoid that error. I would recommend matching the CN that you created, unless you really do want to access it with a DNS name, in which case just put that DNS name in the "Host Name" field.</P><P>&nbsp;</P><P>If you're generating the cert elsewhere, you will need to figure out how to add the SAN field with that certificate provider.</P><P>&nbsp;</P><P>Best regards,</P><P>Greg Wesson</P> Wed, 26 Jul 2017 22:44:37 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-tls-vs-chrome-missing-subjectaltname/m-p/168542#M53670 gwesson 2017-07-26T22:44:37Z https://live.paloaltonetworks.com/t5/general-topics/ssl-tls-vs-chrome-missing-subjectaltname/m-p/168559#M53672 <P>Ha! That was easy! Thanks a lot. I've had this issue for months, but I just kept postponing it.&nbsp;</P><P>&nbsp;</P><P>PS: since I'm using the PA as DNS Proxy, I created a static entry for the name I created (pa.local) and&nbsp;as used that for CN and Hostname. Works like a charm!</P> Thu, 27 Jul 2017 01:29:38 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-tls-vs-chrome-missing-subjectaltname/m-p/168559#M53672 Hwinter 2017-07-27T01:29:38Z