11

Chrome requires SSL Certificates to list the site name(s) in the subject alternative name (SAN) to be trusted. Usage of common name only is not seen as secure enough, and will result in a certificate validation error in Chrome.

We are in the process of updating our certificates, but need to know the urgency. We do not support Chrome for a lot of corporate / internal sites (yet).

Is it known when / how other browsers will implement this security restriction? Will IE / Edge / Firefox / Safari follow this improvement?

9
  • 5
    "Usage of common name only is not seen as secure enough." - It is not a security issue but simply that use of CN was declared obsolete for ages. Commented Nov 1, 2017 at 10:49
  • You using a private PKI? Public ones have used the SAN for ages. Commented Nov 1, 2017 at 10:54
  • Yes, private PKI. We are in the process of updating the internally used procedures, practices, etc. Commented Nov 1, 2017 at 10:56
  • 1
    Related: Thread for Chrome: 2017-01-28, Chromium security-dev forum, Ryan Sleevi, Intent to Remove: Support for commonName matching in certificates (Related Firefox/Mozilla Bug 1245280 is linked to from there.) Commented Nov 1, 2017 at 14:10
  • 1
    I'm voting to close this question as off-topic because only the internal dev teams of these products can speak to their development roadmaps. Commented Nov 2, 2017 at 14:42

1 Answer

10

IE probably never

IE is a dead product, it'll probably stay doing what it's currently doing unless there's some major security issue forcing Microsoft to issue a special security update to disable CN validation.

Firefox already there

Firefox already no longer recognizes CN for new certificates signed by public PKIs (the deadline was anything issued on/after 2016-08-23), but still allows fallback to CN for non-built-in CAs. Since Firefox is an open source product, for items like these, removing CN support will likely require a volunteer who actually goes forward to provide a patch to implement the removal, and such a patch will likely only get merged if retaining any CN support is preventing some other major improvements to Firefox or the web/PKI infrastructure as a whole. There's really no big hurry for this removal, as keeping it around doesn't seem to prevent anyone from doing what they need to do at the moment, and the current solution of differentiating built-in and imported certificates seems to satisfy Firefox's users for the moment.

Edge/Safari: unknown

Edge and Safari are Microsoft's and Apple's products; keeping or removing support will likely depend on their respective commercial influences.

Further reading/tracking: ChromeStatus

So far, according to ChromeStatus: Support for commonName matching in Certificates, there doesn't seem to be any public communication from Microsoft and Apple for this topic.

7
  • I'm looking for exact answers, not speculation. Commented Nov 1, 2017 at 14:27
  • 7
    @oɔɯǝɹ: if you would give me a working crystal ball, then I can give you an exact answer. Really, the best source available is the chromestatus link above; that site keeps track of all the major browser vendors' responses when they're known and publicly available. Reading the Mozilla Bugzilla issue I linked can also give you a broader idea of how the issue is perceived by Firefox devs and users. Commented Nov 1, 2017 at 14:43
  • I understand that we both don't know the roadmap for IE. In that case it would be more prudent to write that (perhaps as a comment, not an answer). I'm looking for someone who does know the answer. Commented Nov 1, 2017 at 14:49
  • 8
    This answer is as good as it gets. If you have googled a bit before asking this question, and didn't find anything, you would have to have a FFox/IE/Safari developer on hand to tell you exactly. Everything else is speculation. Commented Nov 1, 2017 at 14:54
  • 1
    @oɔɯǝɹ so ... you're asking for an IE or Mozilla dev to answer? Wouldn't this be a better question for their forums? Commented Nov 2, 2017 at 8:38
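
The difference the question and the answer describe (SAN-only matching versus matching that still falls back to CN), as an added example that is not part of the original posts: an audit over certificate fields in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns. The inventory, host names and verdict labels are constructed for illustration.

```python
# Constructed sample data, shaped like the dict ssl.SSLSocket.getpeercert() returns.
INVENTORY = {
    "intranet.corp.example": {  # CN only, no SAN extension
        "subject": ((("commonName", "intranet.corp.example"),),),
    },
    "wiki.corp.example": {  # CN and a matching dNSName
        "subject": ((("commonName", "wiki.corp.example"),),),
        "subjectAltName": (("DNS", "wiki.corp.example"),),
    },
    "build.corp.example": {  # SAN present, but it does not list the host served
        "subject": ((("commonName", "build.corp.example"),),),
        "subjectAltName": (("DNS", "ci.corp.example"),),
    },
}

def dns_names(cert):
    """dNSName entries of the subjectAltName extension."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_names(cert):
    """commonName values from the subject DN."""
    return [v for rdn in cert.get("subject", ()) for key, v in rdn if key == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    label, _, parent = host.partition(".")
    return bool(label) and parent == pattern[2:]

def validates(cert, host, cn_fallback):
    """SAN-only matching, or legacy matching that consults CN only when the
    certificate has no dNSName at all (the RFC 6125 rule)."""
    names = dns_names(cert)
    if not names and cn_fallback:
        names = common_names(cert)
    return any(name_matches(n, host) for n in names)

def classify(cert, host):
    if validates(cert, host, cn_fallback=False):
        return "ok"                # passes SAN-only clients
    if validates(cert, host, cn_fallback=True):
        return "reissue-with-san"  # only passes where CN fallback still exists
    return "name-mismatch"         # fails everywhere, CN is not consulted

def audit(inventory):
    """Verdict per host for a {host: cert-dict} inventory."""
    return {host: classify(cert, host) for host, cert in inventory.items()}
```

Certificates reported as `reissue-with-san` are the ones whose replacement is urgent for SAN-only clients; `name-mismatch` shows that adding a SAN without listing every served name breaks clients that still fall back to CN as well.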
