Rejected Client-Certificate in Chrome 61


I have a long-running website secured by self-generated client certificates. It has been working for years without any problems in any browser, such as IE, Firefox and Chrome.

Since the last Chrome update (61.0.3163.100), the client certificates are rejected with the following error message:

This site can’t provide a secure connection

my.domain.com didn’t accept your login certificate, or one may not have been provided.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT

And the site continues to work fine with any other browser! And I cannot find any relevant information out there.

I assume that Chrome just raised the minimum requirements for client certificates, as it did for server certificates a few months ago, but I have no clue how to fix it.

Any hint as to what is wrong with my certificates?

Many thanks

UPDATE 15DEC2017

I still had problems and did not find any answer out there.

After a while I figured out that Chrome does not like the client certificates generated by openssl ca.

I was generating the certificates like this:

openssl ca -config openssl.cnf -extensions client -batch -in test.req -out test.cer

I tried everything but I was not able to make it work with Chrome, but again, it worked with all other browsers.

Now I am generating the certificates like this:

openssl x509 -req -in test.req -CA ca.cer -CAkey ca.key -extensions client -extfile openssl.cnf -CAserial ca.srl -out test.cer -sha256 

And it works. If I compare the output of openssl x509 -in test.cer -noout -text, there is NO difference!! So I am wondering what Chrome does not like about openssl ca.

I would prefer to use openssl ca over openssl x509, since I can not use CRLs and I also prefer startdate/enddate over days.

Any ideas?


Answers:


I was generating the certificates like this:

openssl ca -config openssl.cnf -extensions client -batch -in test.req -out test.cer

I tried everything but I was not able to make it work with Chrome, but again, it worked with all other browsers.

Now I am generating the certificates like this:

openssl x509 -req -in test.req -CA ca.cer -CAkey ca.key -extensions client -extfile openssl.cnf -CAserial ca.srl -out test.cer -sha256 

And it works!

If I compare the output of openssl x509 -in test.cer -noout -text, there is NO difference!! So I am wondering what Chrome does not like about openssl ca.
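
An added example, not part of the original posts: openssl x509 -noout -text prints name attributes without their ASN.1 string type, so two certificates can give the same text while the DER encoding of issuer or subject differs. The Python code below extracts the raw issuer and subject and lists each attribute's string type; all function names are hypothetical, and `enc`/`sample` build constructed skeleton inputs, not valid signed certificates.

```python
# Added example: inspect the DER encoding of certificate names (stdlib only).
TYPES = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "T61String",
         0x16: "IA5String", 0x1E: "BMPString"}

def tlv(buf, pos):
    """Return (tag, content_start, end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, element_start, content_start, end) for each child."""
    while start < end:
        tag, cs, e = tlv(buf, start)
        yield tag, start, cs, e
        start = e

def names(cert):
    """Return the raw DER of (issuer, subject) from a DER certificate."""
    _, cs, _ = tlv(cert, 0)                 # Certificate
    _, ts, te = tlv(cert, cs)               # tbsCertificate
    f = [c for c in children(cert, ts, te) if c[0] != 0xA0]  # skip [0] version
    # f is now: serial, signature alg, issuer, validity, subject, ...
    return cert[f[2][1]:f[2][3]], cert[f[4][1]:f[4][3]]

def string_types(name):
    """List (ASN.1 string type, text) for every attribute value in a Name."""
    out = []
    _, s, e = tlv(name, 0)
    for _, _, rs, re_ in children(name, s, e):           # each RDN (SET)
        for _, _, a_s, a_e in children(name, rs, re_):   # AttributeTypeAndValue
            _oid, (vt, _, vs, ve) = children(name, a_s, a_e)
            out.append((TYPES.get(vt, hex(vt)),
                        name[vs:ve].decode("utf-8", "replace")))
    return out

def enc(tag, body):      # constructed-sample helper, short lengths only
    return bytes([tag, len(body)]) + body

def sample(cn_tag):      # constructed skeleton: CN "Test CA" with chosen type
    cn = enc(0x30, enc(0x06, b"\x55\x04\x03") + enc(cn_tag, b"Test CA"))
    name = enc(0x30, enc(0x31, cn))
    tbs = (enc(0xA0, enc(2, b"\x02")) + enc(2, b"\x01") + enc(0x30, b"")
           + name + enc(0x30, b"") + name)
    return enc(0x30, enc(0x30, tbs))
```

To run it on real files, convert each certificate first with openssl x509 -in test.cer -outform DER -out test.der, then compare the issuer bytes of the client certificate with the subject bytes of ca.cer.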