When setting up secure Intranets, it is often necessary to configure the servers with SSL certificates that have not been issued by a trusted certification authority.

While browsers such as Firefox allow you to add an exception, even permanently, to the site in question, opening that website in Chrome will produce an error notice each time: (NET::ERR_CERT_AUTHORITY_INVALID)

Chrome does not save forms information for websites having an unsafe HTTPS connection, so you are unable to save usernames and passwords for the site when this condition exists.

To resolve this problem, you need to create a self-sgned certificate, export the SSL certificate to a shared folder, and install it as a trusted certificate on each PC that needs access to the website.

The same is true if you have a Synology NAS on the Intranet, along with a quirk in the way the Synology creates default self-signed certificates, and a recent change to Chrome / Chromium browsers.

First the Chrome issue at: https://support.google.com/chrome/a/answer/9813310

Error: “Subject Alternative Name Missing” or NET::ERR_CERT_COMMON_NAME_INVALID or “Your connection is not private”

Known issue

During Transport Layer Security (TLS) connections, Chrome browser checks to make sure the connection to the site is using a valid, trusted server certificate.

For Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate. The certificate subject alternative name can be a domain name or IP address. If the certificate doesn’t have the correct subjectAlternativeName extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that the connection isn’t private. If the certificate is missing a subjectAlternativeName extension, users see a warning in the Security panel in Chrome DevTools that lets them know the subject alternative name is missing.

Unfortunately, Synology default self-signed certs are created without the SAN extension so Chrome will not recognize them. Therefore you need to create a new self-signed Synology cert, set it as the default for the NAS, and then export it. Synology has complete instructions in the Help file but they are fairly terse.

The first dialog creates a root certificate or Certificate Authority (CA) cert. This cert will be exported as syno-ca-cert.pem. The second dialog will create the site certificate itself. In the second dialog, the Common Name field is ignored by Chrome, used by Firefox, and is required for creating the cert, so set it to the FQDN of the Synology. The Subject Alternative Name field must match the URL you use in Chrome, so you probably want to specify the Synology IP address here and the FQDN of the Synology, so you use something like https://www.myIntranet.local or in your web browser.

Once you have the certs created, right click the certificate in the Synology Certiticate manager to export it to your shared folder.

Once you create the Synology certs and export them to a shared folder, you need to import them into your browser(s).

The Linux versions of Firefox & Chrome use an internal store for certificates to prevent man-in-the-middle attacks, but the Windows versions use the Windows Certificate store. Linux Firefox can be configured to use the Linux System Certificate store using about:config and the security.enterprise_roots.enabled key, but that bypasses the attack protection. Importing the certificate from either browser will use an API to connect you to the correct store which simplifies things so that is what I will document here.

The only certificate you need to import is syno-ca-cert.pem and you need to import it to the Authorities section in Chrome or Firefox.

For Chrome, go to Settings | Advanced | Privacy and security | Manage Certificates | Authorities and click the Import button:

Chrome Settings

For Firefox, go to Preferences | Privacy & Security | Certificates | View Certificates | Authorities and click the Import button:

Firefox Preferences

Leave a Reply

Your email address will not be published. Required fields are marked *