Macos – NET::ERR_CERT_REVOKED in Chrome/Chromium, introduced with MacOS Catalina

Tags: chromium, google-chrome, macos, catalina, ssl

I'm testing a device which generates a new self-signed certificate after each hard reset.

Immediately after installing MacOS Catalina, recent versions of Chrome (and Brave) have started throwing an NET::ERR_CERT_REVOKED exception, even though there is definitely no published CRL for this device, and the certificates generated on reset have unique serial numbers.

The error message has the following form:

You cannot visit [address redacted] right now because its certificate has been revoked. Network errors and attacks are usually temporary, so this page will probably work later.

Clicking on the "Advanced" button does not present any way to override this error.

What's going on here? How can I work around it, without making my browser unsafe for general-purpose usage (as would be the case by telling it to ignore all certificate errors indiscriminately)?

Best Answer

Apple has introduced a series of new requirements for SSL certificates to be accepted by Catalina, documented at https://support.apple.com/en-us/HT210176. To summarize here:

  • Key size must be at least 2048 bits.
  • Hash algorithm must be SHA-2 or newer.
  • DNS names must be in a SubjectAltName, not in the CN field only.

Moreover, for certificates issued after 2019-07-01:

  • The ExtendedKeyUsage extension must be present, with the id-kp-ServerAuth OID.
  • The validity period may not be longer than 825 days.
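An added example, not from the answer or anyone in this thread: a POSIX shell script that generates a self-signed certificate meeting the rules listed above and audits any PEM certificate against them. It assumes OpenSSL 1.1.1 or later (for `-addext`), RSA keys as generated here, and a constructed placeholder host name.

```shell
#!/bin/sh
# Added example (not from the thread): build a Catalina-compliant self-signed
# cert and audit any cert against the rules in the answer above.
# Assumes OpenSSL >= 1.1.1 (-addext) and RSA keys. HOST is a placeholder.

# make_cert OUTDIR HOST DAYS [compliant]
# "compliant" adds the SAN and serverAuth EKU Catalina needs; without it
# you get the CN-only shape many embedded devices still generate.
make_cert() {
  dir=$1; host=$2; days=$3; mode=${4:-legacy}
  set -- -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
         -keyout "$dir/key.pem" -out "$dir/cert.pem" -subj "/CN=$host"
  if [ "$mode" = compliant ]; then
    set -- "$@" -addext "subjectAltName=DNS:$host" \
                -addext "extendedKeyUsage=serverAuth"
  fi
  openssl req "$@" 2>/dev/null
}

# GNU date first, BSD/macOS date as the fallback; input is openssl's date text
to_epoch() {
  date -d "$1" +%s 2>/dev/null || date -j -f '%b %e %H:%M:%S %Y %Z' "$1" +%s
}

# check_cert CERT.pem: prints one FAIL line per violated rule, returns 1 if any
check_cert() {
  cert=$1; rc=0
  txt=$(openssl x509 -in "$cert" -noout -text)
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
  [ "${bits:-0}" -ge 2048 ] || { echo "FAIL key size ${bits:-?} < 2048 bits"; rc=1; }
  printf '%s\n' "$txt" | grep -Eiq 'Signature Algorithm: .*sha(256|384|512)' \
    || { echo "FAIL signature hash is not SHA-2"; rc=1; }
  printf '%s\n' "$txt" | grep -q 'X509v3 Subject Alternative Name' \
    || { echo "FAIL no subjectAltName (a name only in CN is not enough)"; rc=1; }
  printf '%s\n' "$txt" | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL extendedKeyUsage lacks id-kp-serverAuth"; rc=1; }
  start=$(to_epoch "$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)")
  end=$(to_epoch "$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)")
  days=$(( (end - start) / 86400 ))
  [ "$days" -le 825 ] || { echo "FAIL validity $days days > 825"; rc=1; }
  return $rc
}
```

Run `check_cert` against the certificate the device presents (export it from the browser or fetch it with `openssl s_client`) to see which of the rules it breaks.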