Re: [Fed-Talk] Chrome 105 and Long validity certs rejected
- Subject: Re: [Fed-Talk] Chrome 105 and Long validity certs rejected
- From: Ken Hornstein via Fed-talk <email@hidden>
- Date: Mon, 12 Sep 2022 16:41:47 -0400
>Any ideas for now? Trusting the CA certificate in keychain access isn’t
>enough, despite the claim in some chromium discussions that the restriction
>is only applied to public CAs, not private ones.
There _are_ some rather esoteric command-line options you can use to say
with Chrome, "Trust this certificate", and that's what I have people in
our group do (I think they have to access the same web sites you have to
access). The frustrating thing for _me_ is that the DOD NPE portal that
you normally use to get DoD certificates forces you to 398 day lifetime,
and if you want longer ones you have to use an alternate interface and
do extra work. Which means that either their certificates are old, or
they are doing that extra work!
The details are ...
There's a flag to Chrome called "--ignore-certificate-errors-spki-list".
So you need to give it a list of SPKI hashes for the web sites in question,
separated by commas. How do you get the SPKI hash? Weeelll ... it's a bit
of a pain. Here's what I do (there may be a simpler way):
- Find out the web site certificate with the command:
openssl s_client -connect web.server:443 -servername web.server </dev/null
(Along with a bunch of stuff, it will print the web server certificate;
-servername sends SNI so you get the right one, and </dev/null ends the
session instead of leaving s_client waiting for input).
Capture the certificate in a file (let's call it "foo.pem").
- Run the following command (one pipeline; the backslash continues the line):
openssl x509 -pubkey -noout < foo.pem | openssl pkey -pubin -outform der \
| openssl dgst -sha256 -binary | base64
You should get a base64 string, 40-odd characters. Add that to the
above command line option. So it becomes:
--ignore-certificate-errors-spki-list=hashstring1,hashstring2,etcetera
And you run Chrome with that, from a Terminal window or create a
desktop command script to do it for you.
If this is the web site I am thinking about you'll probably have to do this
several times as there are a couple of servers involved in the authentication
process. Why these people just don't transition to something like Let's
Encrypt certificates (like a lot of other public-facing DoD web sites)
is beyond me.
--Ken
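The procedure Ken describes, put into a script as an added example (this is not code from the post, from Chrome, or from the list; the function names spki_hash, fetch_leaf_cert and chrome_spki_flag are this example's own). It computes the base64 SHA-256 of the DER-encoded SubjectPublicKeyInfo for one or more PEM certificate files and assembles the Chrome switch from them. The demo at the bottom generates a throwaway self-signed certificate so it runs offline; fetch_leaf_cert is the network step for a real server and is not called by the demo.

```shell
#!/bin/sh
# Added example, not from the original post: compute the SPKI SHA-256 value
# Chrome expects in --ignore-certificate-errors-spki-list and build the flag.
# Function names are this example's own assumptions.
set -e

# Print the base64 SHA-256 of the DER SubjectPublicKeyInfo of a PEM certificate.
# This is the same pipeline as in the post, reading the certificate from a file.
spki_hash() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 -binary \
      | openssl base64 | tr -d '\n'
}

# Fetch the leaf certificate of a live server into a PEM file (not run in the
# offline demo). -servername sends SNI; </dev/null ends the TLS session so
# s_client does not sit waiting for input.
fetch_leaf_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509 -outform pem > "$2"
}

# Build the Chrome switch from one or more PEM certificate files, joining the
# hashes with commas as the switch requires.
chrome_spki_flag() {
    list=""
    for f in "$@"; do
        h=$(spki_hash "$f")
        list="${list:+$list,}$h"
    done
    printf '%s\n' "--ignore-certificate-errors-spki-list=$list"
}

# Offline demo: a constructed self-signed certificate stands in for the
# server's certificate that fetch_leaf_cert would normally retrieve.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$demo_dir/key.pem" \
  -out "$demo_dir/cert.pem" -subj "/CN=demo.example" -days 1 2>/dev/null
chrome_spki_flag "$demo_dir/cert.pem"
rm -rf "$demo_dir"
```

The hash covers only the public key, not the certificate, so it keeps working across certificate renewals that reuse the key pair, which is why Chrome accepts it as an override even for certificates whose validity period it would otherwise reject. For the multi-server login flow Ken mentions, pass every server's certificate file to chrome_spki_flag and use the single resulting switch.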
Fed-talk mailing list (email@hidden)