The issue is not with the CA you imported into the MWG. It has to do with the certificate that MWG generates (on-the-fly) when you visit an SSL site.
For allowed sites, MWG is generating a certificate that closely matches the original certificate (based on what it observed with the server). When MWG is blocking a site, it does not have the server certificate to reference, so it generates one generically. This generically generated cert does not include the altName extension. Dev is working on a fix for MWG to include the altNames, for the time being it might be best to rollout the GPO for the registry change until the patch is created.
The registry workaround is listed here:
It entails modifying this registry (valid until Chrome 65):
I tested the registry entry in my lab domain and it works. Here is what the Registry entry looked like in GPO Editor:
To validate the key existed on my workstation, I ran:
REG QUERY HKLM\SOFTWARE\Policies\Google\Chrome /v EnableCommonNameFallbackForLocalAnchors
This returns something like this:
Under the hood, Chrome still doesn't like that it's missing the cert (in the F12 tools), but I was able to get the block page normally:
Let me know if that helps.
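To make the cause described above concrete, here is an added example (not code from this thread or from McAfee) that reproduces Chrome 58's hostname check in Python: a subjectAltName match is required, and the commonName is only consulted when the chain ends at a locally installed anchor and EnableCommonNameFallbackForLocalAnchors is set. The two certificates are constructed in the dict layout Python's ssl.getpeercert() returns; the block-page cert deliberately carries no subjectAltName, mirroring the generic cert MWG generates.

```python
# Constructed sample: what an MWG-generated block-page cert looks like (CN only, no altName).
BLOCK_PAGE_CERT = {
    "subject": ((("commonName", "www.facebook.com"),),),
    "issuer": ((("commonName", "Example Corp MWG CA"),),),
}

# Constructed sample: a normal on-the-fly cert that copied the server's altNames.
NORMAL_CERT = {
    "subject": ((("commonName", "www.youtube.com"),),),
    "subjectAltName": (("DNS", "*.youtube.com"), ("DNS", "youtube.com")),
}


def _label_match(pattern, hostname):
    """RFC 6125-style match: '*' is only honoured as the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if p_labels == h_labels:
        return True
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_dns_names(cert):
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def chrome58_hostname_ok(cert, hostname, local_anchor=False, cn_fallback_for_local=False):
    """Return (ok, reason) for the Chrome 58+ name check against a getpeercert()-style dict.

    local_anchor: the chain terminates at a locally installed CA (e.g. the imported MWG CA).
    cn_fallback_for_local: the EnableCommonNameFallbackForLocalAnchors policy is enabled.
    """
    sans = san_dns_names(cert)
    if any(_label_match(p, hostname) for p in sans):
        return True, "matched subjectAltName"
    if sans:
        return False, "subjectAltName present but no entry matches"
    if local_anchor and cn_fallback_for_local:
        if any(_label_match(cn, hostname) for cn in common_names(cert)):
            return True, "no subjectAltName; commonName accepted via local-anchor fallback"
    return False, "no subjectAltName and CN fallback disabled -> ERR_CERT_COMMON_NAME_INVALID"


if __name__ == "__main__":
    print(chrome58_hostname_ok(BLOCK_PAGE_CERT, "www.facebook.com"))
    print(chrome58_hostname_ok(BLOCK_PAGE_CERT, "www.facebook.com", True, True))
```

Feeding the dict from a live ssl socket's getpeercert() into chrome58_hostname_ok lets you confirm, before rolling out the GPO, whether a given block page or intercepted site would trip the error.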
Thank you for the prompt reply! I'll try this out. I did however notice that I got the failure for pages that aren't supposed to be blocked. For example, the Marketing dept accessing Facebook or the IT dept accessing YouTube. Both of those resulted in an ERR_CERT_COMMON_NAME_INVALID error. So it's a bit weird.
This worked for me on a single test device. I'll have to work with the AD admins on getting this into group policy. Keep us posted and thanks again.
I'd be interested in a rule trace and a connection trace of examples where you unexpectedly get the warning (don't post it here; it'd be good to have an SR open).
If you have a case open say Jon might be interested in these things...
We have this error also on sites which do not generate a blocking page (unfortunately www.google.de).
For OS X, type in a terminal:
defaults write com.google.Chrome EnableCommonNameFallbackForLocalAnchors -bool true
Any news on the hotfix for this issue?
Will it be available for 7.6 and 7.7 or just 7.7?
Hi Vincent, it will be for both.
22.214.171.124 and 126.96.36.199 are now out which contain fixes for this issue.