
NET::ERR_CERT_INVALID error

Some users report that after updating their Operating System or Chrome browser to a more recent version, they have problems accessing some sites (often internal sites with self-signed certificates) and the browser shows an error of NET::ERR_CERT_INVALID.

NET::ERR_CERT_INVALID means that the certificate itself is so malformed that it is not accepted at all: sometimes it is rejected by the certificate logic in the underlying operating system, and sometimes by additional validity checks in Chrome. Common causes include:

  1. malformed serial numbers (they should be 20 digits)
  2. certificate versions (v1 certificates must not have extensions)
  3. policy constraints
  4. SHA-1 signatures (on OS X 10.13.3+)
  5. validity date formatting (e.g. missing the seconds field in the ASN.1, or encoding the date using the wrong ASN.1 type)
  6. disk corruption

Click the “NET::ERR_CERT_INVALID” text so that the certificate’s base64 PEM data appears. Copy/paste that text (up to and including the first `-----END CERTIFICATE-----` line) into the box at https://crt.sh/lintcert and the tool will generate a list of encoding errors that can lead to this error in Chrome.
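The following is an added example, not code from the original post or from crt.sh/certlint: a small pure-Python DER walker that checks a certificate for the encoding faults listed above (serial number length, a v1 certificate carrying extensions, a SHA-1 signature algorithm, and validity dates that omit seconds or use the wrong ASN.1 time type), applying the RFC 5280 rules for each. It assumes single-byte ASN.1 tags (true for every field it visits) and uses two certificates constructed in the file itself, unsigned toys with empty names, purely so the checks can be exercised offline; `lint_pem` accepts the text copied from Chrome’s error page. A real linter such as certlint performs a far larger set of checks.

```python
import base64
import re

# ---- DER helpers (enough of X.509 for the checks below) --------------------

def read_tlv(buf, off=0):
    """Decode one DER tag-length-value at buf[off:]; return (tag, value, next_off).
    Single-byte tags only (assumption), which covers every field this linter visits."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def children(value):
    """Split the content octets of a constructed value into [(tag, value), ...]."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = read_tlv(value, off)
        out.append((tag, val))
    return out

def tlv(tag, content):
    """Encode one DER element, using the long length form when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def integer(n):
    """DER INTEGER: minimal two's-complement encoding."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))

def utc(s): return tlv(0x17, s.encode())   # UTCTime
def gen(s): return tlv(0x18, s.encode())   # GeneralizedTime

# OID content octets: sha1WithRSAEncryption, ecdsa-with-SHA1,
# sha256WithRSAEncryption, id-ce-basicConstraints.
SHA1_SIG_OIDS = {bytes.fromhex("2a864886f70d010105"), bytes.fromhex("2a8648ce3d0401")}
SHA1_RSA = tlv(0x06, bytes.fromhex("2a864886f70d010105"))
SHA256_RSA = tlv(0x06, bytes.fromhex("2a864886f70d01010b"))
BASIC_CONSTRAINTS = tlv(0x06, bytes.fromhex("551d13"))

# ---- the checks -------------------------------------------------------------

def lint_time(tag, val, what):
    """RFC 5280: UTCTime is YYMMDDHHMMSSZ for 1950-2049, GeneralizedTime is
    YYYYMMDDHHMMSSZ for 2050 and later; the seconds field is mandatory in both."""
    s = val.decode("ascii", "replace")
    if tag == 0x17:
        if len(s) != 13 or not s.endswith("Z") or not s[:12].isdigit():
            return [f"{what}: UTCTime must be YYMMDDHHMMSSZ (seconds required), got {s!r}"]
    elif tag == 0x18:
        if len(s) != 15 or not s.endswith("Z") or not s[:14].isdigit():
            return [f"{what}: GeneralizedTime must be YYYYMMDDHHMMSSZ, got {s!r}"]
        if int(s[:4]) < 2050:
            return [f"{what}: dates before 2050 must be UTCTime, not GeneralizedTime"]
    else:
        return [f"{what}: unexpected ASN.1 tag 0x{tag:02x} for a Time value"]
    return []

def lint_certificate(der):
    """Return a list of human-readable findings for a DER-encoded certificate."""
    findings = []
    _, cert, _ = read_tlv(der)
    fields = children(children(cert)[0][1])   # tbsCertificate fields, in order
    version = 1
    if fields[0][0] == 0xA0:                  # explicit [0] version; absent means v1
        version = int.from_bytes(children(fields[0][1])[0][1], "big") + 1
        fields = fields[1:]
    serial = fields[0][1]
    if len(serial) > 20:
        findings.append(f"serial number is {len(serial)} octets; RFC 5280 allows at most 20")
    if serial[0] & 0x80 or serial == b"\x00":
        findings.append("serial number must be a positive integer")
    if children(fields[1][1])[0][1] in SHA1_SIG_OIDS:
        findings.append("certificate signature algorithm uses SHA-1")
    not_before, not_after = children(fields[3][1])   # validity
    findings += lint_time(*not_before, "notBefore")
    findings += lint_time(*not_after, "notAfter")
    if version == 1 and any(tag == 0xA3 for tag, _ in fields[6:]):
        findings.append("v1 certificate carries extensions; only v3 certificates may")
    return findings

def lint_pem(pem):
    """Lint the first PEM certificate block in a string (the text Chrome shows)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return lint_certificate(base64.b64decode("".join(m.group(1).split())))

def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"

# ---- constructed sample certificates (unsigned toys, not real certificates) -

def build_cert(version, serial, sig_alg, not_before, not_after, extensions=False):
    tbs = [] if version == 1 else [tlv(0xA0, integer(version - 1))]
    tbs += [integer(serial), seq(sig_alg, tlv(0x05, b"")), seq(),   # serial, sigalg, issuer
            seq(not_before, not_after), seq(), seq()]                # validity, subject, spki
    if extensions:
        tbs.append(tlv(0xA3, seq(seq(BASIC_CONSTRAINTS, tlv(0x04, seq())))))
    return seq(seq(*tbs), seq(sig_alg, tlv(0x05, b"")), tlv(0x03, b"\x00"))

GOOD_CERT = build_cert(3, 0x0123456789ABCDEF, SHA256_RSA,
                       utc("240101000000Z"), utc("250101000000Z"), extensions=True)
BAD_CERT = build_cert(1, 2 ** 160, SHA1_RSA,             # v1 with extensions, 21-octet serial,
                      utc("2401010000Z"), gen("20250101000000Z"), extensions=True)  # bad dates

if __name__ == "__main__":
    for name, der in (("good", GOOD_CERT), ("bad", BAD_CERT)):
        print(name, lint_pem(to_pem(der)) or ["no findings"])
```

Running the file prints no findings for the well-formed sample and five for the malformed one. To try it on a real certificate, paste the PEM text shown by Chrome into a string and call `lint_pem` on it; the checks here are a small subset of what crt.sh/lintcert reports, so a clean result from this script does not mean the certificate is valid.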

CertLint

In most cases, the site will need to generate and install a properly-formatted certificate in order to resolve the error.

If the certificate was generated incorrectly by a locally-running proxy (e.g. antivirus) or content-filtering device, the interceptor will need to be fixed.

Finally, Windows does not have a robust self-healing feature for its local Trusted Certificates store, meaning that if an on-disk certificate gets even a single bit flipped, every certificate chain that depends on that certificate will begin to fail. The only way to fix this problem is to use CertMgr.msc to delete the corrupted root or intermediate certificate. In a default configuration, Windows will subsequently reinstall the correct certificate automatically from Windows Update.

-Eric


3 thoughts on “NET::ERR_CERT_INVALID error”

  1. Larry says:

    Which Chrome platforms support ‘click NET::ERR_ tag’ to show the cert PEM blocks?
    I know it works on Windows and Chromebooks.
    How about Linux, Mac, Android, Pixel?


    • You can show the certificate info by clicking on the error code in all of the platforms you mentioned. (I don’t think it works on iOS.)


  2. Larry R Seward says:

    Eric: I’m helping a Chrome Forum user here with a CERT_INVALID error
    https://productforums.google.com/forum/#!topic/chrome/lHCmT3mTu-8

    She is having a problem with the intermediate DigiCert CA cert. When viewed from the Chrome cert manager the thumbprint is correct (7e2f3a4f8*), but in the PEM blocks, and after export it is wrong (0d0d153*). Site (ssa.gov) and root certs are valid. This is not a site issue.

    Webroot antivirus has been disabled.

    The thread is long, best to start at the bottom and work back.

