NET::ERR_CERT_REVOKED in Chrome/Chromium, introduced with MacOS Catalina


Problem:

I’m testing a device which generates a new self-signed certificate after each hard reset.

Immediately after installing MacOS Catalina, recent versions of Chrome (and Brave) have started throwing an NET::ERR_CERT_REVOKED exception, even though there is definitely no published CRL for this device, and the certificates generated on reset have unique serial numbers.

The error message has the following form:

You cannot visit [address redacted] right now because its certificate has been revoked. Network errors and attacks are usually temporary, so this page will probably work later.

Clicking on the “Advanced” button does not present any way to override this error.

What’s going on here? How can I work around it, without making my browser unsafe for general-purpose usage (as would be the case by telling it to ignore all certificate errors indiscriminately)?

Solution:

Apple has introduced a series of new requirements for SSL certificates to be accepted by Catalina, documented at https://support.apple.com/en-us/HT210176. To summarize here:

  • Key size must be at least 2048 bits.
  • Hash algorithm must be SHA-2 or newer.
  • DNS names must be in a SubjectAltName, not in the CN field only.

Moreover, for certificates issued after 2019-07-01:

  • The ExtendedKeyUsage extension must be present, with the id-kp-ServerAuth OID.
  • The validity period may not be longer than 825 days.

…and, for certificates issued after 2020-08-01 (per HT211025):

  • The validity period may not be longer than 398 days.

A quick workaround (ensure you trust the site)

In the Chrome browser, whilst on the page, type:

thisisunsafe

If you need a workaround to get the site working without replacing the certificate you can do the following.

  1. Download the certificate from the server (using another browser or with openssl).
  2. Install the certificate into Keychain Access under the login store
  3. Set the certificate to “always trust” by double clicking on it once it’s been installed.

Looks like Catalina has some new requirements on certificate signatures. Charles probably needs to update their cert generation.

https://forums.developer.apple.com/thread/119877
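The rules the answer lists, turned into a checker. This is an added Go example, not code from the question, the answer or Apple; it uses the answer's dates and day limits as given, and the two sample certificates (DeviceCert, CompliantCert) are constructed in memory rather than taken from any real device.

```go
package main

import (
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CatalinaViolations reports which of the rules above a certificate breaks (dates 2019-07-01 / 2020-08-01, limits 825 / 398 days as the answer states them).
func CatalinaViolations(c *x509.Certificate) []string {
	var v []string
	check := func(broken bool, rule string) {
		if broken {
			v = append(v, rule)
		}
	}
	issuedAfter := func(y int, m time.Month) bool { return c.NotBefore.After(time.Date(y, m, 1, 0, 0, 0, 0, time.UTC)) }
	serverAuth := false
	for _, e := range c.ExtKeyUsage {
		serverAuth = serverAuth || e == x509.ExtKeyUsageServerAuth
	}
	rsaKey, _ := c.PublicKey.(*rsa.PublicKey)
	days := int(c.NotAfter.Sub(c.NotBefore).Hours() / 24)
	check(rsaKey != nil && rsaKey.N.BitLen() < 2048, "RSA key shorter than 2048 bits")
	check(c.SignatureAlgorithm == x509.SHA1WithRSA || c.SignatureAlgorithm == x509.MD5WithRSA, "signature hash older than SHA-2")
	check(len(c.DNSNames) == 0 && len(c.IPAddresses) == 0, "no SubjectAltName (name in CN only)")
	check(issuedAfter(2019, time.July) && !serverAuth, "ExtendedKeyUsage lacks id-kp-serverAuth")
	check(issuedAfter(2019, time.July) && days > 825, "validity longer than 825 days")
	check(issuedAfter(2020, time.August) && days > 398, "validity longer than 398 days")
	return v
}

// SampleCert builds an unsigned in-memory certificate with only the fields the checker reads; the RSA modulus is a placeholder of the requested bit length.
func SampleCert(bits int, alg x509.SignatureAlgorithm, years int, dns []string, eku []x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		Subject:            pkix.Name{CommonName: "device.local"},
		PublicKey:          &rsa.PublicKey{N: new(big.Int).Lsh(big.NewInt(1), uint(bits-1)), E: 65537},
		SignatureAlgorithm: alg,
		NotBefore:          time.Now().UTC(),
		NotAfter:           time.Now().UTC().AddDate(years, 0, 0),
		DNSNames:           dns,
		ExtKeyUsage:        eku,
	}
}

// Constructed samples, not real device certificates: a factory-default style cert (1024-bit key, SHA-1, ten years, CN only, no EKU) and one that meets every rule.
var DeviceCert = SampleCert(1024, x509.SHA1WithRSA, 10, nil, nil)
var CompliantCert = SampleCert(2048, x509.SHA256WithRSA, 1, []string{"device.local"}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
```

A certificate downloaded from the device can be run through the same function after pem.Decode and x509.ParseCertificate, which populate exactly the fields the checker reads.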
