This post is a bit old now but since MacOS 10.15 is rolling out as GA now, I figured I'd reply here in case anyone else runs into this problem.

In addition to the deprecation of SHA-1, a less obvious requirement in the Apple support doc (https://support.apple.com/en-us/HT210176) is "TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID."

If you are generating self-signed certs which do not include that extension, Chrome will report "NET::ERR_CERT_INVALID" instead of "NET::ERR_CERT_AUTHORITY_INVALID". You can clickthrough to ignore the latter, but not the former.

With a recent openssl (e.g. 1.1.1) you can generate a working self-signed cert with:

    openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem \
        -addext extendedKeyUsage=serverAuth -addext subjectAltName=DNS:localhost

Of course replace "localhost" with whatever SAN(s) (hostnames) you want in the certificate. As of right now it looks like you can skip the "subjectAltName" extension, but "extendedKeyUsage=serverAuth" is definitely required.

The "-addext" flag is not available on the MacOS version of OpenSSL, but you can get a newer version with homebrew if you want to test locally on your mac before messing with your ESX infra.
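The following script is an added example, not part of the reply above or of any VMware or Apple tooling. It wraps the openssl invocation from the reply in a function, generates both the "old style" cert (no EKU) and the fixed one, and then inspects the result with `openssl x509 -text` so you can confirm the id-kp-serverAuth EKU, the DNS SAN and a non-SHA-1 signature are actually present before you push a cert to an ESXi host. The output directory, the hostname `localhost` and the `check_cert` helper are constructed for the example; it assumes OpenSSL 1.1.1 or newer so that `-addext` is available.

```shell
#!/bin/sh
# Added example (not the original poster's code): generate a self-signed cert
# with the extensions macOS 10.15 requires, then verify them before deploying.
# Assumes OpenSSL >= 1.1.1 (needed for -addext). Paths/hostnames are sample values.
set -eu

# gen_cert <outdir> <hostname> <with_eku: yes|no>
# Writes key.pem and certificate.pem into <outdir>. The "no" variant reproduces
# the kind of self-signed cert that Catalina / Chrome reject with NET::ERR_CERT_INVALID.
gen_cert() {
    outdir=$1; host=$2; with_eku=$3
    mkdir -p "$outdir"
    if [ "$with_eku" = yes ]; then
        openssl req -newkey rsa:2048 -nodes -keyout "$outdir/key.pem" \
            -x509 -days 365 -sha256 -subj "/CN=$host" -out "$outdir/certificate.pem" \
            -addext extendedKeyUsage=serverAuth \
            -addext "subjectAltName=DNS:$host" 2>/dev/null
    else
        openssl req -newkey rsa:2048 -nodes -keyout "$outdir/key.pem" \
            -x509 -days 365 -sha256 -subj "/CN=$host" -out "$outdir/certificate.pem" \
            2>/dev/null
    fi
}

# has_server_auth_eku <cert.pem>: succeeds iff the EKU extension contains
# id-kp-serverAuth (printed by openssl as "TLS Web Server Authentication").
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text | grep -qF 'TLS Web Server Authentication'
}

# has_dns_san <cert.pem> <hostname>: succeeds iff the SAN extension lists DNS:<hostname>.
has_dns_san() {
    openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

# uses_sha1 <cert.pem>: succeeds iff the certificate signature uses SHA-1
# (also rejected by macOS 10.15 per the Apple support doc).
uses_sha1() {
    openssl x509 -in "$1" -noout -text | grep -qF 'sha1With'
}

# check_cert <cert.pem> <hostname>: prints one line per requirement and returns
# non-zero if any hard requirement is missing. A missing SAN is only a warning,
# matching the reply's observation that it currently is not enforced.
check_cert() {
    cert=$1; host=$2; rc=0
    if has_server_auth_eku "$cert"; then
        echo "ok   EKU contains id-kp-serverAuth"
    else
        echo "FAIL EKU serverAuth missing (Chrome will show NET::ERR_CERT_INVALID)"; rc=1
    fi
    if has_dns_san "$cert" "$host"; then
        echo "ok   SAN includes DNS:$host"
    else
        echo "warn no subjectAltName entry for DNS:$host"
    fi
    if uses_sha1 "$cert"; then
        echo "FAIL certificate is signed with SHA-1"; rc=1
    else
        echo "ok   signature algorithm is not SHA-1"
    fi
    return $rc
}
```

Typical use is `gen_cert ./out esxi01.example.internal yes` followed by `check_cert ./out/certificate.pem esxi01.example.internal`; running `check_cert` against an existing host cert before a Catalina upgrade tells you whether it needs to be regenerated. The checks grep the human-readable `-text` dump rather than parsing ASN.1, which is adequate for a pre-flight sanity check but not a substitute for the client's own validation.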