When a certificate request is generated by SMG, it doesn't allow for a FQDN in the Subject Alternative Name.
When a certificate is used by an internal CA it is not trusted by Chrome version 58 or higher.
The workaround is to make Chrome ignore this security feature, meaning Chrome is less secure than it could be.
In Chrome 58, if you get the error NET::ERR_CERT_COMMON_NAME_INVALID, you need to update and re-issue your certificates (e.g. for the Symantec Messaging Gateway) using a resolvable Fully Qualified Domain Name (FQDN) in the certificate Subject Alternative Name (SAN).
Suggest SMG be updated to create certificate signing method correctly.
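
To see which internal certificates will hit this error before users do, the SAN-only name check can be reproduced offline. The following is an added example, not part of the original post and not Symantec code; it assumes certificates in the dict form returned by Python's `ssl.SSLSocket.getpeercert()`, uses constructed host names, and simplifies wildcard handling.

```python
# Added example: SAN-only host name matching (Chrome 58+ ignores the CN).
# Input is the dict shape returned by ssl.SSLSocket.getpeercert().

ERR = "NET::ERR_CERT_COMMON_NAME_INVALID"


def _name_match(pattern, host):
    """Case-insensitive match of one certificate name against a host name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    # Simplified wildcard rule: "*" must be the entire left-most label and
    # the pattern must have at least three labels.
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def san_dns_names(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def check_name(cert, host):
    """Return 'OK' or the Chrome error string, consulting SAN entries only."""
    return "OK" if any(_name_match(n, host) for n in san_dns_names(cert)) else ERR


def diagnose(cert, host):
    """Say why a certificate fails, to plan the re-issue."""
    if check_name(cert, host) == "OK":
        return "SAN matches"
    if not san_dns_names(cert):
        if any(_name_match(n, host) for n in common_names(cert)):
            return "CN matches but no SAN: re-issue with FQDN in SAN"
        return "no SAN and CN does not match"
    return "SAN present but does not list this host"


# Constructed sample certificates (hypothetical host names).
CN_ONLY = {"subject": ((("commonName", "smg.corp.example"),),)}
WITH_SAN = {"subject": ((("commonName", "smg.corp.example"),),),
            "subjectAltName": (("DNS", "smg.corp.example"),)}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("with SAN", WITH_SAN)):
        print(label, "->", check_name(cert, "smg.corp.example"))
```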