2017-08-08 16:03 GMT+03:00 Mark Thomas <ma...@apache.org>:
> On 08/08/17 13:59, George Stanchev wrote:
>
> <snip/>
>
>> Is it possible the recent changes [1] has affected it? Chrome no longer
>> looks in CN, which is ignored but rather expects SAN to be filled up.
>> Perhaps Tomcat's test certs lack SAN?
>>
>> [1] https://www.thesslstore.com/blog/security-changes-in-chrome-58/
>
> That did affect the server cert and we fixed that a little while ago. I
> don't believe it applies to user certs. The new user cert doesn't have a
> SAN and it is now working correctly in Chrome.

Interesting.

It means that for a simple self-signed cert the instructions [1] have to be updated.

Looking at docs [2], there are examples of using '-ext' switch to set a SAN

    keytool -alias ca -gencert -ext san=dns:ca1

Also -genkey switch was renamed to -genkeypair.

[1] tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html
[2] https://docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html

Best regards,
Konstantin Kolinko
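
The `-genkeypair` and `-ext san=` switches mentioned in the message above, combined into a self-signed keystore plus a check that the SAN actually landed in the certificate. This is an added example, not part of the original message or the Tomcat documentation; the alias, subject name, SAN values, file name and password are constructed sample values.

```shell
#!/bin/sh
# Added example: create a self-signed key pair whose certificate carries a
# subjectAltName, then verify the SAN entries with keytool itself.
# Alias "tomcat", CN=localhost and password "changeit" are sample values.

# gen_keystore FILE SAN_LIST
# Writes a PKCS12 keystore holding one RSA key pair and a self-signed cert.
# SAN_LIST uses keytool's syntax, e.g. "dns:localhost,ip:127.0.0.1".
gen_keystore() {
    ks=$1; san=$2
    rm -f "$ks"
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
        -validity 365 -dname "CN=localhost" \
        -ext "san=$san" \
        -storetype PKCS12 -keystore "$ks" \
        -storepass changeit -keypass changeit >/dev/null 2>&1
}

# list_san FILE
# Prints one SAN entry per line ("DNSName: ..." / "IPAddress: ..."),
# or nothing if the certificate has no SubjectAlternativeName extension.
list_san() {
    keytool -list -v -alias tomcat -keystore "$1" -storepass changeit 2>/dev/null |
        sed -n '/SubjectAlternativeName/,/^\]/p' |
        grep -E 'DNSName|IPAddress' | sed 's/^ *//'
}

# has_san FILE NAME
# Exit status 0 only if NAME appears as a DNS entry in the SAN extension,
# which is the field Chrome 58+ matches the host name against.
has_san() {
    list_san "$1" | grep -qx "DNSName: $2"
}

# Typical use:
#   gen_keystore localhost.p12 "dns:localhost,ip:127.0.0.1"
#   has_san localhost.p12 localhost && echo "SAN present"
```

A certificate generated without `-ext san=...` makes `list_san` print nothing, which is the condition that causes Chrome 58 and later to reject a server certificate regardless of its CN.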