HPE Storage Networking - Switches

ToreUthus
Advisor

SANNAV certificate + SANs

Hi.

Has anyone managed to find out how to create a certificate with a SAN?

The chrome browser always complains about that.

Do we actually need to edit the openssl.conf to get this working?

NimaG
HPE Pro

Re: SANNAV certificate + SANs

Hello ToreUthus,

The procedure to generate certificates is available at:

https://techdocs.broadcom.com/us/en/fibre-channel-networking/sannav/management-portal/2-2-x/v23724104/v24282502.html

Please let us know if this helps.

Thanks

I am an HPE employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]


ToreUthus
Advisor

Re: SANNAV certificate + SANs

Hi.

I don't have a problem creating the basic certificate.

But the procedure does not create a certificate with a Certificate Subject Alternative Name.

And Chrome browsers always complain about not having a SAN.

So it should be enabled by default in a .conf file.

Chrome SAN issue.png

NimaG
HPE Pro

Re: SANNAV certificate + SANs

Hello ToreUthus,

The message "NET::ERR_CERT_COMMON_NAME_INVALID" generally indicates that the certificate is not correctly installed. It is not specific to SANnav.

Try the following:
- Re-install the certificate and check
- Verify the certificate details
- Clear the browser cache and SSL state
- Try with Edge or Firefox as they are also supported browsers

Regards

I am an HPE employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]


ToreUthus
Advisor

Re: SANNAV certificate + SANs

@NimaG Hi again.

If you look at the bottom error message it clearly states:

"....it's Security certificate does not specify Subject Alternative Names"

Chrome requires SSL Certificates to list the site name(s) in the subject alternative name (SAN) to be trusted. Usage of common name only is not seen as secure enough, and will result in a certificate validation error in Chrome.

It has been like this since Chrome version 58: https://developer.chrome.com/blog/chrome-58-deprecations/
"The compatibility risk for removing commonName is low. RFC 2818 has deprecated this for nearly two decades, and the baseline requirements (which all publicly trusted certificate authorities must abide by) has required the presence of a subjectAltName since 2012."

Internet Explorer works fine, but all Chrome browsers complain.

That's why Brocade should have the SSL configuration file prepared to make the certificate with a SAN by default.

If I could just create a certificate with a SAN with a private key (as I normally do on a Windows server) and import that, it would also be great.
But the only option on SANnav is to create a CSR, use that to create a certificate and import it back in.

NimaG
HPE Pro

Re: SANNAV certificate + SANs

Hello ToreUthus,

Yes, the option to specify Subject Alternative Name is available when generating the CSR:

https://techdocs.broadcom.com/us/en/fibre-channel-networking/sannav/management-portal-installation-and-migration/2-3-x/v25174220/changing-ssl-certificates.html

Example:
Country Name (2 letter code, eg, US):US
State or Province Name (full name, eg, California):California
Locality Name (eg, city name):San Jose
Organization Name (eg, company name):*******
Common Name (Fully qualified Domain Name, or IP address):**.**.**.**
Email Address:abc@xyz.com
Subject Alternative Name, DNS (Fully Qualified Domain Name, or IP address):*******.com
Subject Alternative Name, DNS (Fully Qualified Domain Name, or IP address):<enter>
Subject Alternative Name, IPAddress (IP v4 or v6 address): 10.1.1.3
Subject Alternative Name, IPAddress (IP v4 or v6 address): <enter>

Generating CSR, file name is: 10.1.1.3.csr

Thanks

I am an HPE employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]


ToreUthus
Advisor
Solution

Re: SANNAV certificate + SANs

Figured it out.

Just created the certificate as normal and did not create a .csr from SANnav.
Case closed
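
An added example (not from any poster in this thread and not from Broadcom or HPE documentation) of what the opening question asks about: an OpenSSL configuration file that puts a subjectAltName into a key and CSR generated outside the appliance, followed by a check that the issued certificate really carries it. The host name, IP address, file names and function names are constructed placeholders, and the self-signing step only stands in for whatever CA issues the real certificate.

```shell
#!/bin/sh
# Added example; sannav.example.test and 10.1.1.3 are constructed placeholders.
set -eu
umask 077   # the unencrypted private key must not be group/world readable

# make_san_csr DIR FQDN IP: write san.cnf, server.key and server.csr into DIR.
make_san_csr() {
    cat > "$1/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $2
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $2
IP.1 = $3
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/server.key" -out "$1/server.csr" -config "$1/san.cnf"
}

# self_sign DIR: issue a short-lived test certificate from the CSR.
# -extfile/-extensions are needed because "openssl x509 -req" does not
# carry the CSR's requested extensions into the certificate on its own.
self_sign() {
    openssl x509 -req -days 30 -sha256 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" \
        -extfile "$1/san.cnf" -extensions v3_req
}

# cert_sans FILE: print the SAN entries of a certificate (empty if it has none).
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

workdir=$(mktemp -d)
make_san_csr "$workdir" sannav.example.test 10.1.1.3
self_sign "$workdir"
cert_sans "$workdir/server.crt"
```

Running `cert_sans` on the certificate that comes back from the CA, before importing it, shows whether the SAN survived signing; an empty result is the condition Chrome rejects.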

Sunitha_Mod
Moderator

Re: SANNAV certificate + SANs

Hello @ToreUthus,

That's excellent! 

We are extremely glad to know you were able to figure it out and we appreciate you for keeping us posted. 

Thanks,
Sunitha G
I'm an HPE employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]