Chrome Subject Alternative Name missing workaround

I've got a load of SSL certificates for my domain that are signed by the Domain Controller. A few weeks ago this "bug" appeared, requiring all certificates to have a SAN.

The workaround for this, while I figure out how to generate certificates for my Linux boxes "properly", is to set a registry value in a GPO.

Steps for workaround:

  • Create/edit a new GPO
  • Go to "computer configuration" -> "preferences" -> "windows settings" -> "registry" and add a new registry entry (screenshots below)
  • Set the following options:
    • Action to "Create"
    • Hive to "HKEY_LOCAL_MACHINE"
    • Key path to "Software\Policies\Google\Chrome"
    • Value name to "EnableCommonNameFallbackForLocalAnchors"
    • Value type to "REG_DWORD"
    • Value data to "00000001"
  • Open a command prompt as an admin and run a group policy update: "gpupdate /force"
  • Verify that the key has been set, in the same command prompt: "REG QUERY HKLM\SOFTWARE\Policies\Google\Chrome /v EnableCommonNameFallbackForLocalAnchors"

[Screenshots: registry entry in GPO; group policy update]

How long this workaround will work for is anyone's guess, but it'll help solve a problem for the short term.
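
To see which certificates still depend on the common-name fallback, and so need reissuing with a SAN before the workaround stops working, the check below looks for the subjectAltName extension (OID 2.5.29.17) on each certificate. This is an added example, not part of the original post; the function names, the `corp.example` host names and the two sample certificates generated in memory are constructed for illustration.

```powershell
# Added example: flag certificates that have no subjectAltName extension.
# Needs PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2+.
$SanOid = '2.5.29.17'   # OID of the X.509 subjectAltName extension

function Test-CertificateSan {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
        [pscustomobject]@{
            Subject      = $Certificate.Subject
            NotAfter     = $Certificate.NotAfter
            HasSan       = [bool]$san
            NeedsReissue = -not $san   # CN-only: works only while the fallback is on
            San          = if ($san) { $san.Format($false) } else { '' }
        }
    }
}

# Constructed sample input: builds a throwaway self-signed certificate in memory.
function New-SampleCertificate {
    param([string]$CommonName, [string[]]$DnsName)
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=$CommonName", $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    if ($DnsName) {
        $builder = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new()
        foreach ($name in $DnsName) { $builder.AddDnsName($name) }
        $req.CertificateExtensions.Add($builder.Build($false))
    }
    $now = [DateTimeOffset]::UtcNow
    $req.CreateSelfSigned($now.AddMinutes(-5), $now.AddDays(30))
}

$samples = @(
    New-SampleCertificate -CommonName 'web01.corp.example'   # CN only, no SAN
    New-SampleCertificate -CommonName 'web02.corp.example' -DnsName 'web02.corp.example'
)
$samples | Test-CertificateSan | Format-Table Subject, HasSan, NeedsReissue, San -AutoSize

# For real files, load each one first (the path is a placeholder):
# Get-ChildItem 'C:\path\to\certs\*.cer' |
#     ForEach-Object { [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.FullName) } |
#     Test-CertificateSan | Where-Object NeedsReissue
```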