NET::ERR_CERT_REVOKED Error In Chrome After Catalina Upgrade

If you upgraded to macOS Catalina (10.15) and use Chrome, you might be seeing this message in your web browser for websites that worked before the upgrade.

New SSL Trusted Certificate Requirements

After you upgrade to iOS 13 or macOS 10.15 (Catalina), Apple has upped its security requirements on SSL certs.

According to Apple:

Requirements for trusted certificates in iOS 13 and macOS 10.15

All TLS server certificates must comply with these new security requirements in iOS 13 and macOS 10.15:

  • TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
  • TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
  • TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

  • TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
  • TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.

How to Fix NET::ERR_CERT_REVOKED Error In Chrome After Catalina Upgrade

Update the Server Certificate to Meet New Standards

This one should be obvious, but sometimes getting the server owner to do such a thing might not be a quick fix.

How to “Always Trust” an SSL Certificate From a Website

  • press cmd + space
  • type terminal
  • press enter
  • cd to your home directory
    • cd ~
      				
  • Download the SSL Certificate from the remote web server and save it to a filename called ‘mycertfile.pem’ by pasting in this syntax.
    • openssl s_client -showcerts -connect remote.server.FQDN.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycertfile.pem
    • For example, if the remote server Fully Qualified Domain Name (FQDN) is funnycats.com the syntax would look like this…
      • openssl s_client -showcerts -connect funnycats.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycertfile.pem
        						
  • Open keychain access
    • press cmd + space
    • type keychain access
  • press enter
    • Click on login on the top left
    • Click on Certificates in the bottom left
  • Click the + plus sign on the top left
    • A popup window will appear and navigate to your home directory and select the mycertfile.pem
    • Click open
  • Scroll down to the certficate name, should be the fully qualified hostname of the remote server, like funnycats.com or whatever.
    • Right-Click on it and Select Get Info
    • Click the Trust Section to expand it
    • In the box that says, “When using this certificate:” Select “Always Trust” from the drop down.
  • Close the window, by clicking the red ‘x’ close button
    • A pop-up will appear asking you for your username and password to update the settings
  • Enter your username and password and click “update settings”
  • You are all set!

About Daniel Fredrick

Technology enthusiast, Programmer, Network Engineer CCIE# 17094

View all posts by Daniel Fredrick →

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.