Creating a certificate for Google Chrome

Document ID : KB000015811
Last Modified Date : 14/02/2018

Creating a compatible certificate for Google Chrome.


How do you create a certificate that is supported by Google Chrome?



CA Top Secret doesn't document the certificate requirements of Google Chrome.

Chrome frequently changes its certificate requirements. Google doesn't notify third-party vendors of those requirements or give advance notice of the changes.

It is Chrome's responsibility to document its requirements.

At the beginning of the year Chrome stopped supporting SHA-1 certificates, so certificates that were once working perfectly well may no longer work.

Here is an article I found with more proposed changes this year:

I wouldn't be surprised if there were more changes at the end of the year.

Yes, we have clients running Chrome with z/OSMF. Firefox and Chrome are the most widely used browsers.

The following articles document some of Chrome's SSL requirements for the root:

Updated to the latest Chrome, which is release 60, before running the following test.

Did some testing with the following commands:

1. Created the root, signed with SHA-2 and with a 2048-bit key.

tss gencert(certauth) digicert(root2048) subjectn('CN="root2048"') keysize(2048)

tss list(certauth) digicert(root2048)

2. Created the client certificate, signed with SHA-2 and with a 2048-bit key, signed by the root from step 1.

tss gencert(usera) digicert(sha22048) subjectn('CN="sha22048"') keysize(2048) signwith(certauth,root2048)

tss list(usera) digicert(sha22048)

3. Exported the root and the client certificate to PKCS#12 datasets.

tss export(usera) digicert(sha22048) pkcspass(sha22048) format(pkcs12der) dcdsn('usera.cert.sha22048')

tss export(certauth) digicert(root2048) pkcspass(root2048) format(pkcs12der) dcdsn('usera.cert.root2048')

4. Verified the cert datasets.

tss chkcert pkcspass(root2048) dcdsn('usera.cert.root2048')

tss chkcert pkcspass(sha22048) dcdsn('usera.cert.sha22048')

5. Added the certs to Chrome.

There were no errors or messages from Chrome after they were imported.
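A clean import (step 5) only shows that Chrome could read the PKCS#12 file; it says nothing about whether Chrome will accept the certificate when it connects to z/OSMF. The script below is an added example and is not part of this article or of CA Top Secret. It assumes the exported datasets have been transferred from the mainframe in binary mode to a workstation that has the openssl command-line tool (1.1.1 or later). Because TSS EXPORT cannot be run off-host, the script builds local stand-ins for usera.cert.root2048 and usera.cert.sha22048 with openssl, reusing the article's certificate names and PKCSPASS values; the host name zosmf.example.com is made up. Two Chrome facts used by the checks are not from the article: Chrome 56 removed support for SHA-1 signed certificates, and since Chrome 58 the server name is matched only against the subjectAltName extension, so a certificate whose subject is given with SUBJECTN alone, as in step 2, imports cleanly but is rejected when the browser connects. The article does not cover adding a subjectAltName with TSS GENCERT, so the second sample certificate simply reproduces the CN-only case to show what the checker reports.

```shell
#!/bin/sh
# Added example, not from the CA Top Secret article: check a PKCS#12 export
# (such as usera.cert.sha22048, after a binary transfer to a workstation) for
# the certificate properties Chrome enforces, before importing it into Chrome.
# Requires the openssl command-line tool (1.1.1 or later).

WORK=$(mktemp -d)

# p12_cert FILE PASSWORD OUT.pem [extra openssl pkcs12 options]
# Extract the certificates (no private key) from a PKCS#12 file into PEM.
p12_cert() {
  f=$1; p=$2; o=$3; shift 3
  openssl pkcs12 -in "$f" -passin "pass:$p" -nokeys -out "$o" "$@" 2>/dev/null
}

# chrome_cert_check LEAF.p12 LEAFPASS ROOT.p12 ROOTPASS
# Prints one line per check; returns 0 only when every check passes.
chrome_cert_check() {
  leaf=$WORK/leaf.pem; root=$WORK/root.pem; rc=0
  p12_cert "$1" "$2" "$leaf" -clcerts || { echo "FAIL cannot read $1 (wrong password, or not transferred in binary?)"; return 1; }
  p12_cert "$3" "$4" "$root" || { echo "FAIL cannot read $3"; return 1; }
  text=$(openssl x509 -in "$leaf" -noout -text)

  # 1. SHA-2 signature hash on an RSA certificate, as GENCERT produces
  #    (Chrome 56 dropped SHA-1 signed certificates).
  case $text in
    *"Signature Algorithm: sha256"*|*"Signature Algorithm: sha384"*|*"Signature Algorithm: sha512"*)
       echo "ok   signature hash is SHA-2" ;;
    *) echo "FAIL signature hash is not SHA-2"; rc=1 ;;
  esac

  # 2. RSA key of at least 2048 bits, matching KEYSIZE(2048) above.
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
  if [ "${bits:-0}" -ge 2048 ]; then echo "ok   key size is $bits bits"
  else echo "FAIL key size is ${bits:-unknown} bits"; rc=1; fi

  # 3. subjectAltName present: since Chrome 58 the host name is matched only
  #    against the SAN, so a CN-only certificate imports but fails on connect.
  case $text in
    *"Subject Alternative Name"*) echo "ok   subjectAltName present" ;;
    *) echo "FAIL no subjectAltName extension"; rc=1 ;;
  esac

  # 4. The leaf must chain to the root that will be trusted.
  if openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1; then echo "ok   chains to the supplied root"
  else echo "FAIL does not verify against the supplied root"; rc=1; fi
  return $rc
}

# --- Constructed stand-ins for the TSS exports (built with openssl because TSS
# EXPORT cannot run off-host). Names mirror the article's datasets and PKCSPASS
# values; zosmf.example.com is an invented host name. ---
cat > "$WORK/x.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:zosmf.example.com
[ cn_only_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# root2048: self-signed, SHA-256, 2048-bit, exported as PKCS#12 like step 3
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj '/CN=root2048' \
  -config "$WORK/x.cnf" -extensions ca_ext -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
openssl pkcs12 -export -inkey "$WORK/root.key" -in "$WORK/root.crt" \
  -passout pass:root2048 -out "$WORK/usera.cert.root2048.p12"

# make_leaf NAME EXTSECTION PASSWORD -> $WORK/NAME.p12, SHA-256, signed by root2048
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$WORK/x.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -sha256 -days 365 -extfile "$WORK/x.cnf" -extensions "$2" -out "$WORK/$1.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" -passout "pass:$3" -out "$WORK/$1.p12"
}
make_leaf sha22048 server_ext sha22048   # like step 2, plus a subjectAltName
make_leaf cn_only cn_only_ext cn_only    # CN only, what SUBJECTN alone yields

for name in sha22048 cn_only; do
  echo "== $name =="
  if chrome_cert_check "$WORK/$name.p12" "$name" "$WORK/usera.cert.root2048.p12" root2048
  then echo "-> ready to import"; else echo "-> fix before importing"; fi
done
```

To check a real export, call chrome_cert_check with the transferred client file, its PKCSPASS value, and the transferred root file. If OpenSSL 3 refuses to open the file because the export used the older RC2-based PKCS#12 encryption, add -legacy to the options passed to p12_cert.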

Level 2 recommends using an external root such as GoDaddy or GeoTrust if external clients from the internet will be connecting.

If there will only be internal connections, an internal root created by CA Top Secret is fine, provided that root is imported into the trust store of every client, as in step 5.