Chrome/Catalina Certificate Issue



If you are having trouble reaching a website, router or ESXi host that uses a self-signed certificate and get the error NET::ERR_CERT_REVOKED, you will notice that you cannot ignore the warning and proceed in the new macOS Catalina release!


A quick solution (ensure you trust the site)

  • In the Chrome browser, whilst on the page, type “thisisunsafe”

 

This will whitelist the site and ignore the cert.

Another option is to use Firefox Developer Edition, where you can also ignore the warning and proceed.

 

The cause is:

Apple has introduced a series of new requirements for SSL certificates to be accepted by Catalina, documented at https://support.apple.com/en-us/HT210176. To summarize here:

  • Key size must be at least 2048 bits.
  • Hash algorithm must be SHA-2 or newer.
  • DNS names must be in a SubjectAltName, not in the CN field only.


For certificates issued after 2019-07-01:

  • The ExtendedKeyUsage extension must be present, with the id-kp-serverAuth OID.
  • The validity period may not be longer than 825 days.
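
One way to reissue a device's self-signed certificate so that it meets the requirements above, and to check an existing certificate against them, using the OpenSSL command line. This is an added example, not part of the original post; it assumes OpenSSL 1.1.1 or newer, and the function names and the host name `router.example.test` are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes OpenSSL 1.1.1+ for -addext.

# Issue a self-signed certificate that meets the listed requirements.
# $1 = DNS name of the device, $2 = output directory, $3 = days (default 825)
make_cert() {
    [ "${3:-825}" -le 825 ] || { echo "validity over 825 days" >&2; return 1; }
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "${3:-825}" \
        -subj "/CN=$1" \
        -addext "subjectAltName=DNS:$1" \
        -addext "extendedKeyUsage=serverAuth" \
        -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null
}

# Print every requirement a PEM certificate ($1) fails; return 1 if any fail.
# The key-size test assumes an RSA key. The last two tests only matter for
# certificates issued after 2019-07-01 but are reported for any certificate.
check_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    fail=0
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "key size below 2048 bits"; fail=1; }
    printf '%s\n' "$text" | grep -Eiq 'Signature Algorithm: .*sha(224|256|384|512|3-)' \
        || { echo "signature hash is older than SHA-2"; fail=1; }
    printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -q 'DNS:' \
        || { echo "no DNS name in SubjectAltName"; fail=1; }
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "ExtendedKeyUsage lacks id-kp-serverAuth"; fail=1; }
    # -checkend exits 0 when the certificate is still valid N seconds from now,
    # so exit 0 here means more than 825 days remain: the period is too long.
    if openssl x509 -in "$1" -noout -checkend $((825 * 86400)) >/dev/null; then
        echo "validity longer than 825 days"; fail=1
    fi
    return "$fail"
}

# Usage: make_cert router.example.test . && check_cert ./router.example.test.crt
```

Once the device presents the reissued certificate and it is trusted in the macOS keychain, the “thisisunsafe” bypass is no longer needed for that host.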