
I'm testing a device which generates a new self-signed certificate after each hard reset.

Immediately after installing MacOS Catalina, recent versions of Chrome (and Brave) have started throwing a NET::ERR_CERT_REVOKED exception, even though there is definitely no published CRL for this device, and the certificates generated on reset have unique serial numbers.

The error message has the following form:

You cannot visit [address redacted] right now because its certificate has been revoked. Network errors and attacks are usually temporary, so this page will probably work later.

Clicking on the "Advanced" button does not present any way to override this error.

What's going on here? How can I work around it, without making my browser unsafe for general-purpose usage (as would be the case by telling it to ignore all certificate errors indiscriminately)?

6 Answers


A quick workaround (ensure you trust the site)

In the Chrome browser, whilst on the page, type:

thisisunsafe

Apple has introduced a series of new requirements for SSL certificates to be accepted by Catalina, documented at https://support.apple.com/en-us/HT210176. To summarize here:

  • Key size must be at least 2048 bits.
  • Hash algorithm must be SHA-2 or newer.
  • DNS names must be in a SubjectAltName, not in the CN field only.

Moreover, for certificates issued after 2019-07-01:

  • The ExtendedKeyUsage extension must be present, with the id-kp-ServerAuth OID.
  • The validity period may not be longer than 825 days.

...and, for certificates issued after 2020-08-01 (per HT211025):

  • The validity period may not be longer than 398 days.

EOhm

If you need a workaround to get the site working without replacing the certificate you can do the following.

  1. Download the certificate from the server (using another browser or with openssl)
  2. Install the certificate into Keychain Access under the login store
  3. Set the certificate to "always trust" by double clicking on it once it's been installed.
Daniel
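As an added example (not code from the thread, from Apple, or from Charles) covering both the requirement list in the answer above and the download-and-trust steps in Daniel's answer: a bash script that generates a self-signed certificate meeting those requirements, checks any PEM certificate against them (applying the 825-day limit to certificates issued from 2019-07-01 and the 398-day limit from 2020-09-01, the date HT211025 itself gives, as quoted in a later answer), and wraps the openssl download step plus the macOS security(1) command that corresponds to setting "Always Trust" in Keychain Access. It assumes OpenSSL 1.1.1 or newer (for -addext) and GNU date (gdate from coreutils on macOS); the host name device.local and all file names are constructed for the example, and the trust function is an assumed command-line equivalent of the Keychain Access click that only works on macOS.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. (1) generates a self-signed cert
# that meets the Catalina rules, (2) checks any PEM cert against those rules,
# (3) wraps the "download the certificate, then always-trust it" workaround.
# Assumes OpenSSL >= 1.1.1 (-addext) and GNU date (macOS: gdate from coreutils).
# "device.local" and every file name below are made up for the example.
set -u

date_cmd=$(command -v gdate || command -v date)
epoch() { "$date_cmd" -u -d "$1" +%s; }   # "Jan  5 12:00:00 2024 GMT" -> seconds

# (1) RSA 2048, SHA-256, SAN carrying the DNS name, EKU serverAuth, short validity.
gen_compliant_cert() {  # $1 = output prefix, $2 = DNS name, $3 = validity in days
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$3" \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" \
    -addext "extendedKeyUsage=serverAuth" 2>/dev/null
}

# The kind of cert the device in the question probably makes: CN only, no EKU,
# long validity. Used below to show the checker reporting each broken rule.
gen_cn_only_cert() {  # $1 = output prefix, $2 = DNS name, $3 = validity in days
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$3" \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" 2>/dev/null
}

# (2) Prints one line per violated rule and returns the number of violations
# (0 = the certificate satisfies every rule). The validity limit depends on the
# issue date: 825 days from 2019-07-01, 398 days from 2020-09-01 (HT211025),
# no limit for certificates issued before that.
check_catalina_cert() {  # $1 = PEM certificate file
  local text bits nb na days limit fails=0
  text=$(openssl x509 -in "$1" -noout -text) || return 255
  violate() { echo "FAIL: $1"; fails=$((fails + 1)); }

  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
  if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' \
     && [ "${bits:-0}" -lt 2048 ]; then
    violate "RSA key is only ${bits:-?} bits (need >= 2048)"
  fi
  if printf '%s\n' "$text" | grep -Eiq 'Signature Algorithm: *(sha1|md5)With'; then
    violate "signature uses SHA-1 or MD5 (need SHA-2)"
  fi
  printf '%s\n' "$text" | grep -q 'DNS:' \
    || violate "no DNS name in subjectAltName (CN alone is not enough)"
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
    || violate "extendedKeyUsage lacks id-kp-serverAuth"

  nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  days=$(( ( $(epoch "$na") - $(epoch "$nb") ) / 86400 ))
  if   [ "$(epoch "$nb")" -ge "$(epoch 2020-09-01)" ]; then limit=398
  elif [ "$(epoch "$nb")" -ge "$(epoch 2019-07-01)" ]; then limit=825
  else limit=0; fi
  if [ "$limit" -gt 0 ] && [ "$days" -gt "$limit" ]; then
    violate "validity is $days days (max $limit for a cert issued on $nb)"
  fi
  return "$fails"
}

# (3) Step 1 of the workaround with openssl: save the server's leaf cert as PEM.
fetch_server_cert() {  # $1 = host, $2 = port, $3 = output PEM file
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# Steps 2-3, macOS only: assumed equivalent of importing the cert into the
# user's default (login) keychain and marking it "Always Trust" for SSL.
trust_cert_macos() {  # $1 = PEM file
  command -v security >/dev/null || { echo "security(1) not found: not macOS" >&2; return 1; }
  security add-trusted-cert -r trustRoot -p ssl "$1"
}

# Demo: the compliant cert passes; the CN-only 825-day cert breaks three rules.
demo() {
  local d c; d=$(mktemp -d)
  gen_compliant_cert "$d/good" device.local 398
  gen_cn_only_cert   "$d/bad"  device.local 825
  for c in good bad; do
    echo "== $c.crt"; check_catalina_cert "$d/$c.crt" && echo "PASS"
  done
  rm -rf "$d"
}
demo
```

Run the script as-is to see the two verdicts, or source it and call check_catalina_cert on a certificate saved with fetch_server_cert before deciding whether to trust it. Replacing the device's certificate with one produced by gen_compliant_cert (or an equivalent) is the fix that keeps Chrome's revocation and validity checks intact; the trust-override path only makes sense for a certificate you have inspected.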

Looks like Catalina has some new requirements on certificate signatures. Charles probably needs to update their cert generation.

https://forums.developer.apple.com/thread/119877


Additional information for certificates issued after September of 2020:

TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC must not have a validity period greater than 398 days

https://support.apple.com/en-us/HT211025

https://support.apple.com/en-us/HT210176


Yes... it's correct that on MacOS Catalina, Chrome and Safari give a "NET::ERR_CERT_REVOKED" error on a self-signed certificate, due to various reasons. But to quick-start your work you can use Mozilla Firefox. I installed the Mozilla browser and it worked for me.

Sam Jha