What are the new requirements for certificates in Chrome?

Chrome now throws NET::ERR_CERT_INVALID for some certificates that are supported by other browsers.

The only clue I can find is in this list of questions about the new Chrome Root Store that is also blocking enterprise CA installations.

https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/faq.md

In particular,

The Chrome Certificate Verifier will apply standard processing to include checking:

  • the certificate's key usage and extended key usage are consistent with TLS use-cases.
  • the certificate validity period is not in the past or future.
  • key sizes and algorithms are of known and acceptable quality.
  • whether mismatched or unknown signature algorithms are included.
  • that the certificate does not chain to or through a blocked CA.
  • conformance with RFC 5280.

I verified my certificates work as expected in Edge.

Further, I verified the certificate is version "3", has a 2048-bit key, and has the extended key usage for server authentication.

I still don't understand which "standard" this certificate is expected to conform to when the browser only says "invalid". Is there a simple template or policy I can use?

Answers (1):

Chrome now rejects TLS certificates containing a variable known as pathLenConstraint or sometimes displayed as Path Length Constraint.

I was using certificates issued by Microsoft Active Directory Certificate Services. The Basic Constraints extension was enabled, and AD CS incorrectly injects Path Length Constraint=0 for end-entity, non-CA certificates in this configuration.

The solution is to issue certificates without Basic Constraints. Chrome is equally happy with Basic Constraints on or off, so long as the path length variable is not present.

One of the better resources for troubleshooting was this Certificate Linter:

https://crt.sh/lintcert

It found several errors in the server certificate, including the path length set to zero.

I also found a thread discussing a variety of Certificate Authorities that would issue certificates the same way, so it is a fairly common issue.

https://github.com/pyca/cryptography/issues/3856

Another good resource was the smallstep open source project that I installed as an alternative CA. After generating a generic certificate, the invalid cert error went away and I realized there was something going on between the Microsoft and Google programs.
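The rule behind the answer is RFC 5280 section 4.2.1.9: pathLenConstraint may only be present in Basic Constraints when cA is TRUE (and Key Usage asserts keyCertSign). The following is an added example, not code from the post, from crt.sh, or from any of the projects mentioned: a standard-library-only Python parser for the DER-encoded Basic Constraints extension value plus a lint that applies that rule. It deliberately parses only the extension value (the three sample values below are hand-encoded and constructed for illustration); pulling the value out of a full certificate would need a complete X.509 parser, which is out of scope here.

```python
# Added example (not from the original post): a stdlib-only linter for the
# X.509 Basic Constraints extension value, checking the RFC 5280 4.2.1.9 rule
# that pathLenConstraint may only appear when cA is TRUE (and keyCertSign is set).
#
# BasicConstraints ::= SEQUENCE {
#     cA                      BOOLEAN DEFAULT FALSE,
#     pathLenConstraint       INTEGER (0..MAX) OPTIONAL }

SEQUENCE, BOOLEAN, INTEGER = 0x30, 0x01, 0x02


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def parse_basic_constraints(der):
    """Parse a DER-encoded BasicConstraints value into {'ca': bool, 'path_len': int|None}."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("BasicConstraints must be exactly one SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == BOOLEAN:
        _, val, pos = _read_tlv(body, pos)
        if val not in (b"\x00", b"\xff"):
            raise ValueError("BOOLEAN must be encoded as 0x00 or 0xFF")
        ca = val == b"\xff"
    if pos < len(body) and body[pos] == INTEGER:
        _, val, pos = _read_tlv(body, pos)
        if not val:
            raise ValueError("empty INTEGER")
        path_len = int.from_bytes(val, "big", signed=True)
    if pos != len(body):
        raise ValueError("unexpected trailing data in BasicConstraints")
    return {"ca": ca, "path_len": path_len}


def lint_basic_constraints(der, key_cert_sign=False):
    """Return a list of findings; an empty list means the value is RFC 5280 conformant.

    key_cert_sign: whether the certificate's Key Usage extension asserts keyCertSign
    (passed in by the caller because only the BasicConstraints value is parsed here).
    """
    bc = parse_basic_constraints(der)
    findings = []
    if bc["path_len"] is not None:
        if not bc["ca"]:
            findings.append("pathLenConstraint present but cA is FALSE (RFC 5280 4.2.1.9)")
        elif not key_cert_sign:
            findings.append("pathLenConstraint present but keyUsage lacks keyCertSign (RFC 5280 4.2.1.9)")
        if bc["path_len"] < 0:
            findings.append("pathLenConstraint must be non-negative")
    return findings


# Constructed sample values (hand-encoded DER for illustration; not from any real certificate):
END_ENTITY_OK = bytes.fromhex("3000")            # SEQUENCE {}                         cA defaults to FALSE
END_ENTITY_BAD = bytes.fromhex("3003020100")     # SEQUENCE { INTEGER 0 }              pathLen=0 on a non-CA cert
CA_OK = bytes.fromhex("30060101ff020100")        # SEQUENCE { BOOLEAN TRUE, INTEGER 0 } a CA that may only sign leaves

if __name__ == "__main__":
    for name, value in [("end-entity ok", END_ENTITY_OK),
                        ("end-entity bad", END_ENTITY_BAD),
                        ("ca", CA_OK)]:
        print(name, parse_basic_constraints(value),
              lint_basic_constraints(value, key_cert_sign=(name == "ca")))
```

The `END_ENTITY_BAD` value is the shape the answer describes (Basic Constraints present, cA absent so it defaults to FALSE, pathLenConstraint of 0), and it is the only one of the three that produces a finding; `END_ENTITY_OK` shows that an empty Basic Constraints sequence on a leaf certificate is fine, matching the answer's observation that the extension itself is not the problem.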