Fwd: Change in Subject Alternative Names policy for host certificates issued by the CERN CA
Begin forwarded message:

From: Paolo Tedesco <Paolo.Tedesco@cern.ch>
Date: May 19, 2017 at 4:24:30 AM CDT
To: "dg-eur-ca@services.cnrs.fr" <dg-eur-ca@services.cnrs.fr>
Cc: Emmanuel Ormancey <Emmanuel.Ormancey@cern.ch>, Thomas Baron <Thomas.Baron@cern.ch>, Daniel Fernandez Rodriguez <daniel.fernandez@cern.ch>
Subject: Change in Subject Alternative Names policy for host certificates issued by the CERN CA
Reply-To: Paolo Tedesco <Paolo.Tedesco@cern.ch>

Dear all,

As you probably know, recently Google Chrome has stopped supporting the common name in host certificates (https://groups.google.com/a/chromium.org/forum/#!msg/security-dev/IGT2fLJrAe...) and now expects the certificate to contain a DNS Subject Alternative Name.

After this change, we have started receiving support cases for the CERN Certification Authority about CERN certificates being rejected by Chrome.

For this reason, we would like to introduce a new requirement in our CP/CPS, stating that host certificate requests must contain a SAN in DNS format matching the host in the certificate subject.

I'm attaching the updated CP/CPS document for review. The changed sections are 4.1.2 (for host certificates autoenrollment) and 4.2.1 (for user submitted requests).

If I don't get any objections by Monday 5 June, I'll publish the updated CP/CPS and proceed to update the tools and the website to be compliant with the new policies.

Best regards,
Paolo
participants (1): Sill, Alan