Adding a certificate exception in Google Chrome?

Posted on 2014-09-26
Last Modified: 2014-10-14
My server application currently has a self-signed certificate and because I must use Google Chrome, I am trying to find a way to add a certificate exception. Recent Chrome 'improvements' appear to have removed this ability.

In Firefox, opening a page with a certificate error is easy to correct (of course, when it is safe to do so) with two steps:
1) Click I Understand the Risks
2) Click Add Exception

Done! The ssl error will no longer appear for this IP.

Question: What are the equivalent steps in Google Chrome?

When opening a page with a certificate error in Chrome, you see the message, "Your connection is not private...Attackers might be trying to steal your information..."

Then you must click Advanced, see another ominous warning, and then click on Proceed to (unsafe) to continue to the intended web page.

This warning is repeated every time I need to access my web server. Very annoying!

I have even attempted (in vain) to add the certificate into Chrome's cert listing. For example:
1. Click on certificate icon in address bar
2. Certificate information
3. Details tab
4. Copy to file
5. Select Base-64 encoded .cer
6. Save file
7. From Chrome Advanced settings > Manage SSL, import it to Trusted RCA

Unfortunately, even those steps (and variations) failed to stop this error!

Ideally, I just want to add in an exception!

1) Getting a proper cert is not an option, at this time.
2) I need to use Chrome (even if FF will immediately solve this issue :))
3) I can't use the CLI and add --ignore-certificate-errors because I don't want to blanket ignore all cert errors.

Anyone know how to add an SSL exception in Chrome?

Thanks so much!
Question by:sconnell

Expert Comment

The problem most likely is a mismatch of the common name on the certificate with the hostname you are using to access your webserver.

Even if you import the certificate into the Trusted Root Certificate Authorities store on your system, all other aspects of the SSL certificate presented by your webserver must be valid or you're going to get warnings. This is because a self-signed certificate is STILL an SSL certificate, and it still goes through all the usual rigor of SSL, including testing that the common name matches, testing the expiry date, testing that the cert has not been revoked, and testing that the certificate is trusted.

Importing it into your Trusted Root Certificate Authority list just tells your computer to trust the certificate. All the rest of the tests still have to pass.

Go back into Certificate Information, go to the Details tab, select the "Subject" record, and check what it says under "CN = xxxxxx", that's the common name of the certificate and that's the hostname you must use to connect to the webserver.

If the certificate's common name was set to something sensible like the short hostname of your webserver, you can edit your computer's hosts file or configure a local DNS server so the name resolves properly to your webserver's IP address.

But if the SSL cert's common name is something unusable, like "localhost", or an IP Address, or something else invalid because it was auto-generated by your server when you installed Apache... you will have to recreate and import a new SSL certificate on your webserver.
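
The name and validity-date checks listed in this answer, which are evaluated separately from trust, shown as an added example that is not part of the original thread. The certificate dict is constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the dates, the address `192.0.2.10` and the function names are assumptions made for illustration.

```python
import ssl
import time

# Constructed sample: the name testserver01 is from the thread, dates are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "testserver01"),),),
    "notBefore": "Sep 10 00:00:00 2014 GMT",
    "notAfter": "Sep 10 00:00:00 2015 GMT",
}


def cert_names(cert):
    """Names the certificate covers: subjectAltName entries, else the subject CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ())
            if k in ("DNS", "IP Address")]
    if sans:
        return sans
    # CN fallback as described in the thread; current Chrome matches SAN only.
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly one leftmost label."""
    if pattern == host:
        return True
    if pattern.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == pattern[2:]
    return False


def diagnose(cert, host, now=None):
    """Reasons a client still warns even when the certificate is trusted."""
    now = time.time() if now is None else now
    problems = []
    names = cert_names(cert)
    if not any(name_matches(n, host.lower()) for n in names):
        problems.append(f"name mismatch: {host!r} not in {names}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems


if __name__ == "__main__":
    when = ssl.cert_time_to_seconds("Sep 26 00:00:00 2014 GMT")
    for host in ("testserver01", "192.0.2.10"):  # hostname vs. constructed IP
        print(host, diagnose(SAMPLE_CERT, host, now=when) or "ok")
```

Connecting by the certificate's name passes both checks, while connecting by IP address reports a name mismatch even though the same certificate is in the trusted store.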

Author Comment

Hello Frosty555,

Thanks for your reply.

The CN value is "sensible" = testserver01

>edit your computer's hosts file or configure a local DNS server so the name resolves properly

Okay, that isn't a lot of work but I would much rather simply make an exception (like I can with Firefox). Is this at all possible in Chrome?

I don't want to have to do this throughout the testing phase... it is quite possible that I'll need to do this 100 times as IP and certs change through the alpha and beta stages. That will be very frustrating and time wasting.

Regardless, I really appreciate your answer as it is a 'correct' answer, even if it isn't what I wanted. :)

Expert Comment

Adding exceptions defeats the purpose of SSL, which is why Browsers make it intentionally cumbersome and difficult to do so.

Really, unless you are re-creating your entire webserver over and over again, there's no reason why the SSL certificate should need to change. If the IP address changes on your webserver, that's no problem, just update your hosts file with the new IP address, there's no need to touch the SSL certificate. Even if you are re-creating the whole webserver or spinning up new ones for testing purposes, just keep the original private keys for your SSL cert and re-use them instead of generating new ones.

For testing purposes in volatile environments, the easiest and really the only way to make an exception for a website is to just click the "Advanced->Proceed to" link in Chrome. That will cause Chrome to temporarily exclude that particular website from SSL cert checks for the remainder of the session, which could easily last all day if you're continuously developing and testing.

Or, use the --ignore-certificate-errors command line flag and have that particular instance of Chrome completely disable SSL warnings. You can create a separate shortcut for "Chrome without SSL warnings" on your desktop that you only use for development and testing purposes.

Or, as a last option, do the majority of your development using unencrypted HTTP connections instead of HTTPS, and just test periodically to make sure HTTPS works. A well developed web application ought to not make any assumptions about the protocol encryption and work either way anyways.

As soon as your server starts being used in a "production" environment - regardless of whether production just means YOU are using it, or you have actual customers using it, the server should have proper SSL certs. Those certs can be self-signed or signed by a CA that you yourself control rather than buying a cert from a third party CA, but they still should be valid.
Author Comment

Hello Frosty555,

>Adding exceptions defeats the purpose of SSL, which is why Browsers make it intentionally cumbersome and
>difficult to do so.

But it is easy to add an exception in Firefox. Ultimately, I was looking for a similar method to do the same in Chrome. Shall I assume there is no way to create an exception in Chrome?

In my original q, I mentioned that I did not want to use the command line exception because that is a blanket exception.

The point of this EE q was to simply discover if Chrome offered a way to create a single SSL exception. I am guessing it isn't possible.


Accepted Solution

Frosty555 earned 500 total points
No, Chrome does not have that particular feature.

Author Closing Comment

Really annoying but there is no simple solution like Firefox offers (via add exception button).
