
With Chrome 58, Common Name in SSL Certificates Finally Dies

June 13, 2017 | September 16th, 2020 | Best Practices, Blog, Hot Technology Topics, Security

Here is what’s changing in Chrome 58:

In Chrome 58, the Common Name is no longer checked, and if you don’t have all your DNS names in your SANs, you will run into issues.

The Common Name in an SSL certificate is the DNS name the certificate was issued to. A certificate for (https://)yourdomain.com is usually issued with a CN of yourdomain.com. However, you most likely have a need for SSL (TLS really) to secure mail.yourdomain.com, remote.yourdomain.com, etc. So how does that work? Do you get a cert for each of those?

You don’t. Interestingly enough, Netscape engineers didn’t think this through when initially implementing SSL certificate support, so a ‘workaround’ was invented to deal with this. The SAN, or Subject Alternative Name field, was used to add additional DNS names to your certificate. Most certs securing Exchange or Lync are multi-SAN—this saves on cost and makes management easier.

Currently, unless you’re still using your Palm Treo, most SSL implementations work like this: check the cert for SANs and then check the CN—just in case your Certificate Authority screwed up and ‘forgot’ to add the CN as a SAN. This never happens with public CAs, but let’s not forget that a lot of our enterprises rely on internal CAs run by sysadmins within the organization. The reason I bring this up is that if you have an internal CA and you’re using custom SSL cert ‘templates’, you may have an issue. If you are NOT using custom templates when issuing certificates, you are most likely going to be fine. Online certificate authorities fixed this years ago, which is why all your public certificates always have the DNS name included as a SAN, even if it’s just a single-domain certificate. In any case, this only affects Chrome—at least for now.
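To see which internally issued certificates depend on the CN, the sketch below compares SAN-only matching with the legacy fallback and audits a certificate for missing SAN coverage. It is an added example, not code from the original post. It assumes certificates in the dict format returned by Python's `ssl.SSLSocket.getpeercert()`, models the legacy mode on the RFC 2818 rule (CN consulted only when no dNSName SAN is present), and uses constructed sample certificates with hypothetical host names.

```python
# Added example: SAN-only vs. legacy hostname matching on certificate dicts
# in the format returned by ssl.SSLSocket.getpeercert().

def _label_match(pattern, host):
    """Case-insensitive match; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def san_dns_names(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def matches(cert, host, cn_fallback=False):
    """cn_fallback=False: SAN only (Chrome 58+). True: RFC 2818 legacy rule,
    where the CN is consulted only if the cert has no dNSName SAN."""
    names = san_dns_names(cert)
    if not names and cn_fallback:
        names = common_names(cert)
    return any(_label_match(n, host) for n in names)

def audit(cert):
    """Return findings for a certificate that relies on its CN."""
    sans, findings = san_dns_names(cert), []
    if not sans:
        findings.append("no dNSName SAN: rejected by SAN-only clients")
    for cn in common_names(cert):
        if not any(_label_match(s, cn) for s in sans):
            findings.append(f"CN {cn!r} not covered by any SAN")
    return findings

# Constructed sample certificates (hypothetical names, not from the post).
CN_ONLY = {"subject": ((("commonName", "intranet.corp.example"),),)}
MULTI_SAN = {
    "subject": ((("commonName", "yourdomain.com"),),),
    "subjectAltName": (("DNS", "yourdomain.com"), ("DNS", "mail.yourdomain.com"),
                       ("DNS", "*.apps.yourdomain.com")),
}

if __name__ == "__main__":
    for name, cert in (("CN_ONLY", CN_ONLY), ("MULTI_SAN", MULTI_SAN)):
        print(name, audit(cert) or "ok")
```

A certificate with any finding from `audit()` should be reissued from a template that copies every DNS name, including the CN, into the SAN extension.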

JacobR, PEI
