"Connection is not private" Error When Accessing WCC HTTPS URL from Chrome

Document ID : KB000008750
Last Modified Date : 20/09/2018
Issue:

When attempting to access the WCC HTTPS URL from Chrome, an error is displayed saying "Your connection is not private" and "NET::ERR_CERT_COMMON_NAME_INVALID". After clicking "Advanced", the following details about the error are displayed...

[Screenshot: Chrome_Certificate_Error.JPG]

 

Cause:

The error in Chrome occurs when the certificate obtained from a trusted certificate authority and installed into the WCC keystore does not contain a subjectAlternativeName extension. Starting with Chrome 58, only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate.

 

Resolution:

To resolve this issue, the current certificate must be replaced with a new certificate obtained from a trusted certificate authority that contains a subjectAlternativeName extension. The following are procedures that can be used to make this change on the WCC server.

Generate a Private Key and Self-Signed Certificate

Follow these steps:

  1. Run the following commands in a shell window (on UNIX) or from a command prompt (on Windows):
    • UNIX:

      $CA_WCC_INSTALL_LOCATION/jre/bin/keytool -delete -alias tomcat \
      -keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore \
      -storepass changeit

    • Windows:

      %CA_WCC_INSTALL_LOCATION%\jre\bin\keytool -delete -alias tomcat ^
      -keystore %CA_WCC_INSTALL_LOCATION%\data\config\.keystore ^
      -storepass changeit

    Note: The default name of the key is tomcat. To access the keystore, you also need the keystore password. The default password is changeit.

    The previous key is removed from the keystore.

  2. Run the following commands in a shell window (on UNIX) or from a command prompt (on Windows):
    • UNIX:

      $CA_WCC_INSTALL_LOCATION/jre/bin/keytool -genkey -alias tomcat \
      -keyalg RSA \
      -keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore \
      -storepass changeit \
      -keypass changeit \
      -keysize 2048 \
      -dname "cn=WCC_SERVER_NAME" \
      -ext san=dns:WCC_SERVER_NAME \
      -validity 14600

    • Windows:

      %CA_WCC_INSTALL_LOCATION%\jre\bin\keytool -genkey -alias tomcat ^
      -keyalg RSA ^
      -keystore %CA_WCC_INSTALL_LOCATION%\data\config\.keystore ^
      -storepass changeit ^
      -keypass changeit ^
      -keysize 2048 ^
      -dname "cn=WCC_SERVER_NAME" ^
      -ext san=dns:WCC_SERVER_NAME ^
      -validity 14600

    Notes:
    • The keysize argument lets you specify the key size. Typical values are 1024 or 2048.
    • WCC_SERVER_NAME is the name of your CA WCC server.
    • The validity argument lets you specify the certificate validity period in days.

    A new private key and self-signed certificate are generated.

 

Request a Certificate

To use a certificate from a trusted certificate authority, create a certificate request file and send it to the certificate authority. The certificate authority will send you the certificate.

Follow these steps:

  1. Run the following commands in a shell window (on UNIX) or from a command prompt (on Windows):
    • UNIX:

      $CA_WCC_INSTALL_LOCATION/jre/bin/keytool -certreq -alias tomcat \
      -keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore \
      -storepass changeit \
      -file certreq.csr

    • Windows:

      %CA_WCC_INSTALL_LOCATION%\jre\bin\keytool -certreq -alias tomcat ^
      -keystore %CA_WCC_INSTALL_LOCATION%\data\config\.keystore ^
      -storepass changeit ^
      -file certreq.csr

    A certificate request file (certreq.csr) is generated.
  2. Send the certificate request file to the certificate authority. Contact the certificate authority for specific instructions.

Note: CA WCC uses certificates in PEM or DER format. When using the PEM format, the certificate must not contain any information before the BEGIN CERTIFICATE marker or after the END CERTIFICATE marker.

 

Add the Certificates to the Keystore

Add the certificates to the keystore after you receive your private certificate.

Follow these steps:

  1. Run the following commands in a shell window (on UNIX) or from a command prompt (on Windows) to add the certificate of the root certificate authority to the keystore:
    • UNIX:

      $CA_WCC_INSTALL_LOCATION/jre/bin/keytool -importcert -alias RootCA \
      -file RootCA.cer \
      -keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore \
      -storepass changeit

    • Windows:

      %CA_WCC_INSTALL_LOCATION%\jre\bin\keytool -importcert -alias RootCA ^
      -file RootCA.cer ^
      -keystore %CA_WCC_INSTALL_LOCATION%\data\config\.keystore ^
      -storepass changeit

    The certificate of the root certificate authority is added to the keystore.
  2. (Optional) Run the following commands in a shell window (on UNIX) or from a command prompt (on Windows) to add a certificate of a subordinate authority to the keystore:
    • UNIX:

      $CA_WCC_INSTALL_LOCATION/jre/bin/keytool -importcert -alias SubCA \
      -file SubCA.cer \
      -keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore \
      -storepass changeit

    • Windows:

      %CA_WCC_INSTALL_LOCATION%\jre\bin\keytool -importcert -alias SubCA ^
      -file SubCA.cer ^
      -keystore %CA_WCC_INSTALL_LOCATION%\data\config\.keystore ^
      -storepass changeit

    The certificate of the subordinate authority is added to the keystore.
  3. Repeat Step 2 for each certificate of the subordinate authority you have downloaded.
  4. Run the following commands in a shell window (on UNIX) or from a command prompt (on Windows) to add your private certificate to the keystore:
    • UNIX:

      $CA_WCC_INSTALL_LOCATION/jre/bin/keytool -importcert -trustcacerts \
      -file certificate.cer -alias tomcat \
      -keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore \
      -storepass changeit

    • Windows:

      %CA_WCC_INSTALL_LOCATION%\jre\bin\keytool -importcert -trustcacerts ^
      -file certificate.cer -alias tomcat ^
      -keystore %CA_WCC_INSTALL_LOCATION%\data\config\.keystore ^
      -storepass changeit

    The private certificate is added to the keystore.
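
Added example (not part of the original CA procedure): a shell check that parses keytool's verbose text output and reports whether the certificate carries a subjectAlternativeName DNS entry covering the server name. It also handles single-label wildcard entries, which goes slightly beyond the exact-name case above. The host name wcc01.example.com, both sample excerpts and the function names are constructed for this example.

```shell
# On a server, feed it real output (keystore path and password as in the steps above):
#   keytool -list -v -alias tomcat -keystore <keystore> -storepass <pass> | san_matches <host>

# Print each DNSName found inside a "SubjectAlternativeName [ ... ]" block on stdin.
san_dns_names() {
  awk '
    /SubjectAlternativeName \[/ { in_san = 1; next }
    in_san && /^[ \t]*\]/       { in_san = 0; next }
    in_san && /DNSName:/ { sub(/^.*DNSName:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print tolower($0) }'
}

# Exit 0 if host $1 is covered by a SAN DNS name; "*." covers one left-most label only.
san_matches() {
  san_dns_names | awk -v host="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    $0 == host { found = 1 }
    substr($0, 1, 2) == "*." {
      suffix = substr($0, 2)                      # e.g. ".example.com"
      n = length(host) - length(suffix)           # length of the left-most part
      if (n > 0 && substr(host, n + 1) == suffix && index(substr(host, 1, n), ".") == 0)
        found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# Constructed excerpt shaped like "keytool -list -v" output for a certificate with a SAN.
sample_with_san() {
  cat <<'EOF'
Alias name: tomcat
Owner: CN=wcc01.example.com
Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: wcc01.example.com
]
EOF
}

# Constructed excerpt of a CN-only certificate, the case that triggers the Chrome error.
sample_cn_only() {
  printf 'Alias name: tomcat\nOwner: CN=wcc01.example.com\n'
}

for s in sample_with_san sample_cn_only; do
  if "$s" | san_matches wcc01.example.com; then echo "$s: SAN covers host"
  else echo "$s: no matching SAN"; fi
done
```

The same functions can be run on the certificate returned by the certificate authority (keytool -printcert -file certificate.cer) before it is imported, since that certificate is the one Chrome evaluates.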

 

Restart CA WCC Services

After you generate, obtain, or import the key and certificate, restart CA WCC services.

UNIX:

To restart CA WCC services on UNIX, run the following command in a shell window:

unisrvcntr restart CA-wcc-services

Windows:

Follow these steps:

  1. Open the Services window.
  2. Select CA-wcc-services and click the Restart button.
    The Restart Other Services dialog opens.
  3. Click Yes.
    The dialog closes and CA WCC services are restarted.

Note: After you restart CA WCC services, verify that the CA WCC servers have started before you use or perform operations with CA WCC. To display the CA WCC server startup status, run the following command:

UNIX:

grep "startup in" $CA_WCC_INSTALL_LOCATION/log/*.log

Windows:

findstr /C:"startup in" "%CA_WCC_INSTALL_LOCATION%"\log\*.log