
Generate sha256-Value for use in CertificateTransparencyEnforcementDisabledForLegacyCas


Since Chrome 68, certificate transparency is enforced. That's a big problem with the SSL decryption of our corporate proxy.

The proxy's certificate is added to the system's certificate store, this worked like a charm until Chrome 68. There's a policy called CertificateTransparencyEnforcementDisabledForLegacyCas that gives one the possibility to add such a certificate and disable the enforcement for it. Unfortunately I have no clue how to generate the mentioned hash:

A subjectPublicKeyInfo hash is specified by concatenating the hash algorithm name, the "/" character, and the Base64 encoding of that hash algorithm applied to the DER-encoded subjectPublicKeyInfo of the specified certificate. This Base64 encoding is the same format as an SPKI Fingerprint, as defined in RFC 7469, Section 2.4. Unrecognized hash algorithms are ignored. The only supported hash algorithm at this time is "sha256".

Googling didn't help and I would be glad if anyone that had the same problem could help me out.

Thank you very much!

Sven


Solution

  • To get the base64 hash of the subjectPublicKeyInfo (SPKI), you can use openssl with the following command line incantation:

    openssl x509 -pubkey -noout -in <path to PEM cert> | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
    

    and to create the string you need for the policy:

    printf 'sha256/%s\n' "$(openssl x509 -pubkey -noout -in <path to PEM cert> | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64)"
    

    However, if the certificate isn't publicly trusted but instead has been manually trusted, it shouldn't have the CT policy enforced. If you think you're getting an error when you shouldn't please file a bug at http://crbug.com/new
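The same value computed without openssl, as an added example that is not part of the original answer: a minimal DER walker pulls the subjectPublicKeyInfo out of the certificate and hashes exactly those bytes, which also shows why the SEQUENCE header of the SPKI is part of what gets hashed. The certificate it runs on is a constructed, unsigned stand-in built inline (there is no real proxy CA here); feed `spki_pin()` your own PEM or DER file contents instead.

```python
import base64, hashlib

# Added example (not the post's code): build "sha256/<base64(sha256(DER SPKI))>"
# for CertificateTransparencyEnforcementDisabledForLegacyCas with the stdlib only.
def der_tlv(data, pos=0):
    """Decode one DER TLV at pos; return (tag, content, end-offset)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def to_der(cert):
    """Accept PEM (str or bytes) or raw DER bytes and return DER bytes."""
    if isinstance(cert, bytes) and cert[:1] == b"\x30":
        return cert                        # already DER: starts with a SEQUENCE tag
    text = cert.decode() if isinstance(cert, bytes) else cert
    return base64.b64decode("".join(l for l in text.splitlines() if not l.startswith("-----")))

def extract_spki(cert_der):
    """Return the DER subjectPublicKeyInfo (SEQUENCE header included) of an X.509 cert."""
    _, cert, _ = der_tlv(cert_der)         # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = der_tlv(cert)              # first child is TBSCertificate
    fields, pos = [], 0
    while pos < len(tbs):                  # collect each TBS field as raw TLV bytes
        tag, _, end = der_tlv(tbs, pos)
        fields.append((tag, tbs[pos:end]))
        pos = end
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    return fields[5][1]                    # serial, signature, issuer, validity, subject, SPKI

def spki_pin(cert):
    """The policy value: 'sha256/' + base64(SHA-256 over the DER SPKI), as in RFC 7469 2.4."""
    spki = extract_spki(to_der(cert))
    return "sha256/" + base64.b64encode(hashlib.sha256(spki).digest()).decode()

def der(tag, content):
    """Minimal DER encoder used only to build the constructed sample (lengths < 256)."""
    length = bytes([len(content)]) if len(content) < 128 else b"\x81" + bytes([len(content)])
    return bytes([tag]) + length + content

# Constructed, unsigned stand-in certificate (not a real proxy CA): Ed25519 SPKI, empty names.
OID_ED25519 = der(0x06, bytes.fromhex("2b6570"))
SAMPLE_SPKI = der(0x30, der(0x30, OID_ED25519) + der(0x03, b"\x00" + bytes(range(32))))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, OID_ED25519)
          + der(0x30, b"") + der(0x30, der(0x17, b"240101000000Z") * 2) + der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT_DER = der(0x30, TBS + der(0x30, OID_ED25519) + der(0x03, b"\x00" + bytes(64)))
SAMPLE_CERT_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_DER) + b"-----END CERTIFICATE-----\n"
```

`spki_pin(open("proxy-ca.pem", "rb").read())` gives the string to paste into the policy; the PEM and DER forms of the same certificate yield the same value.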