ERR_CERT_COMMON_NAME_INVALID (Web Gateway incompatibility with Google Chrome 58)
Technical Articles ID:   KB89196
Last Modified:  12/20/2018

Environment

McAfee Web Gateway 7.7.x, 7.6.x, 7.5.x
Google Chrome 58

Problem

Web Gateway versions 7.7.x, 7.6.x, and 7.5.x are not compatible with Google Chrome 58 and may cause the browser to fail to display pages.

For allowed sites, Web Gateway generates a certificate that closely matches the original certificate (based on what it observed with the server). When Web Gateway blocks a site, it does not have the server certificate to reference, so it generates one generically. This generically generated certificate does not include the Subject Alternative Name (subjectAlternativeName) extension.

Because the Web Gateway certificate is missing the Subject Alternative Name extension, the browser displays the following error for blocked web pages:

ERR_CERT_COMMON_NAME_INVALID

Solution

This issue will be resolved in Web Gateway 7.6.2.12, 7.5.2.14, and 7.7.2.

NOTE: Any future product functionality or releases mentioned in the Knowledge Base are intended to outline our general product direction and should not be relied on, either as a commitment, or when making a purchasing decision.

Workaround

To work around the issue, enable the registry entry EnableCommonNameFallbackForLocalAnchors to allow certificates that are missing the Subject Alternative Name extension. This registry entry is valid until Chrome 65. For information about this registry entry, see https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors.

The best way to perform a global rollout of this workaround is to make the registry change through a Group Policy Object (GPO).

CAUTION: This article contains information about opening or modifying the registry.
  • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
  • Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
  • Do not run a REG file that is not confirmed to be a genuine registry import file.

Use the Group Policy Management Editor to enable the following registry entry:

Software\Policies\Google\Chrome\EnableCommonNameFallbackForLocalAnchors

The following screenshot shows what the registry entry looks like in the Group Policy Management Editor when enabled:



To confirm that the registry entry exists on a system, run the following commands from a command prompt:

gpupdate /force
REG QUERY HKLM\SOFTWARE\Policies\Google\Chrome /v EnableCommonNameFallbackForLocalAnchors

You should see the following output if the registry entry exists:



The Developer tools (press F12) in Chrome will still report the missing Subject Alternative Name extension in the certificate as shown in the following screenshot; however, the blocked pages are shown normally.
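
The following PowerShell script is an added example, not part of the original article or any vendor tooling. It reads the same registry value that the REG QUERY command above checks and reports whether an exported certificate carries the Subject Alternative Name extension. The -CertPath parameter and the function names are hypothetical, and the script assumes the policy is stored as a DWORD where 1 means enabled.

```powershell
# Added example: audit the Chrome CN-fallback policy and a certificate's SAN extension.
# -CertPath is a hypothetical path to a certificate exported from the browser.
param([string]$CertPath)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$policyName = 'EnableCommonNameFallbackForLocalAnchors'
$sanOid     = '2.5.29.17'   # OID of subjectAlternativeName

function Get-CnFallbackPolicy {
    # Returns the policy value, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$policyName
}

function Test-CertificateHasSan {
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
    # Look for the subjectAlternativeName extension by OID.
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    [pscustomobject]@{
        Subject = $cert.Subject
        Issuer  = $cert.Issuer
        HasSan  = [bool]$san
        SanText = if ($san) { $san.Format($false) } else { '' }
    }
}

# Assumption: the policy is a DWORD and 1 means enabled.
$value = Get-CnFallbackPolicy
if ($null -eq $value) {
    Write-Output "$policyName is not set; certificates without a SAN will be rejected."
} elseif ($value -eq 1) {
    Write-Output "$policyName is enabled (1); remove it once Web Gateway is upgraded."
} else {
    Write-Output "$policyName is present with value $value (not enabled)."
}

if ($CertPath) {
    $result = Test-CertificateHasSan -Path $CertPath
    $result | Format-List
    if (-not $result.HasSan) {
        Write-Warning 'No subjectAlternativeName extension: Chrome 58 reports ERR_CERT_COMMON_NAME_INVALID.'
    }
}
```

Running it without -CertPath reports only the policy state, which is useful for finding systems where the workaround is still in place after Web Gateway has been upgraded.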
