Adding a certificate exception in Google Chrome?

Posted on 2014-09-26
Medium Priority
Last Modified: 2014-10-14
My server application currently has a self-signed certificate and because I must use Google Chrome, I am trying to find a way to add a certificate exception. Recent Chrome 'improvements' appear to have removed this ability.

In Firefox, opening a page with a certificate error is easy to correct (of course, when it is safe to do so) with two steps:
1) Click I Understand the Risks
2) Click Add Exception

Done! The SSL error will no longer appear for this IP.

Question: What are the equivalent steps in Google Chrome?

When opening a page with a certificate error in Chrome, you see the message, "Your connection is not private...Attackers might be trying to steal your information..."

Then you must click, Advanced, see another ominous warning and then click on Proceed to (unsafe) to continue to the intended web page.

This warning is repeated every time I need to access my web server. Very annoying!

I have even attempted (in vain) to add the certificate into Chrome's cert listing. For example:
1. Click on certificate icon in address bar
2. Certificate information
3. Details tab
4. Copy to file
5. Select Base-64 encoded .cer
6. Save file
7. From Chrome Advanced settings Manage SSL, import it to Trusted RCA

Unfortunately, even those steps (and variations) failed to stop this error!

Ideally, I just want to add in an exception!

1) Getting a proper cert is not an option, at this time.
2) I need to use Chrome (even if FF will immediately solve this issue :))
3) I can't use the CLI and add --ignore-certificate-errors because I don't want to blanket ignore all cert errors.

Anyone know how to add an SSL exception in Chrome?

Thanks so much!
Question by:Shawn Connelly

Expert Comment

ID: 40346729
The problem most likely is a mismatch of the common name on the certificate with the hostname you are using to access your webserver.

Even if you import the certificate into the Trusted Root Certificate Authorities store on your system, all other aspects of the SSL certificate presented by your webserver must be valid or you're going to get warnings. This is because a self-signed certificate is STILL an SSL certificate, and it still goes through all the usual rigor of SSL, including testing that the common name matches, testing the expiry date, testing that the cert has not been revoked, and testing that the certificate is trusted.

Importing it into your Trusted Root Certificate Authority list just tells your computer to trust the certificate. All the rest of the tests still have to pass.

Go back into Certificate Information, go to the Details tab, select the "Subject" record, and check what it says under "CN = xxxxxx", that's the common name of the certificate and that's the hostname you must use to connect to the webserver.

If the certificate's common name was set to something sensible like the short hostname of your webserver, you can edit your computer's hosts file or configure a local DNS server so the name resolves properly to your webserver's IP address.

But if the SSL cert's common name is something unusable, like "localhost", or an IP Address, or something else invalid because it was auto-generated by your server when you installed Apache... you will have to recreate and import a new SSL certificate on your webserver.
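The name check described in the comment above can be reproduced outside the browser. This is an added example, not part of the original thread: it generates a throwaway self-signed certificate for `testserver01` and tests it against that name and against a constructed address, 192.0.2.10. It assumes OpenSSL 1.1.1 or later on the PATH; the function names are hypothetical, and the certificate also carries a subjectAltName because current Chrome versions match on that field rather than on CN.

```shell
#!/bin/sh
# Added example with constructed values: testserver01 is the CN quoted in the
# thread; 192.0.2.10 is a documentation-range address standing in for the server.

# make_test_cert NAME DIR: write a self-signed cert whose CN and SAN are NAME.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null
}

# cert_covers CERT TARGET: succeed only if TARGET (a DNS name or an IPv4
# address) is one of the names the certificate was issued for.
cert_covers() {
    case "$2" in
        *[!0-9.]*) flag=-checkhost ;;  # has a non-digit/dot: treat as a hostname
        *)         flag=-checkip ;;    # dotted quad: compare against IP SAN entries
    esac
    # openssl prints "does match" or "does NOT match"; rely on the text.
    openssl x509 -in "$1" -noout "$flag" "$2" | grep -q "does match"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_test_cert testserver01 "$dir" || { rm -rf "$dir"; return 1; }
    for target in testserver01 192.0.2.10; do
        if cert_covers "$dir/cert.pem" "$target"; then
            echo "https://$target/ : name check passes"
        else
            echo "https://$target/ : name mismatch, warning persists even if the cert is trusted"
        fi
    done
    rm -rf "$dir"
}
demo
```

Running `cert_covers` against the certificate exported from the browser shows whether importing it into the trust store can ever silence the warning for the URL actually being typed.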

Author Comment

by:Shawn Connelly
ID: 40346750
Hello Frosty555,

Thanks for your reply.

The CN value is "sensible" = testserver01

>edit your computer's hosts file or configure a local DNS server so the name resolves properly

Okay, that isn't a lot of work but I would much rather simply make an exception (like I can with Firefox). Is this at all possible in Chrome?

I don't want to have to do this throughout the testing phase... it is quite possible that I'll need to do this 100 times as IP and certs change through the alpha and beta stages. That will be very frustrating and time wasting.

Regardless, I really appreciate your answer as it is a 'correct' answer, even if it isn't what I wanted. :)

Expert Comment

ID: 40346853
Adding exceptions defeats the purpose of SSL, which is why browsers make it intentionally cumbersome and difficult to do so.

Really, unless you are re-creating your entire webserver over and over again, there's no reason why the SSL certificate should need to change. If the IP address changes on your webserver, that's no problem, just update your hosts file with the new IP address, there's no need to touch the SSL certificate. Even if you are re-creating the whole webserver or spinning up new ones for testing purposes, just keep the original private keys for your SSL cert and re-use them instead of generating new ones.

For testing purposes in volatile environments, the easiest and really the only way to make an exception for a website is to just click the "Advanced->Proceed to" link in Chrome. That will cause Chrome to temporarily exclude that particular website from SSL cert checks for the remainder of the session, which could easily last all day if you're continuously developing and testing.

Or, use the --ignore-certificate-errors command line flag and have that particular instance of Chrome completely disable SSL warnings. You can create a separate shortcut for "Chrome without SSL warnings" on your desktop that you only use for development and testing purposes.

Or, as a last option, do the majority of your development using unencrypted HTTP connections instead of HTTPS, and just test periodically to make sure HTTPS works. A well developed web application ought to not make any assumptions about the protocol encryption and work either way anyways.

As soon as your server starts being used in a "production" environment - regardless of whether production just means YOU are using it, or you have actual customers using it, the server should have proper SSL certs. Those certs can be self-signed or signed by a CA that you yourself control rather than buying a cert from a third party CA, but they still should be valid.

Author Comment

by:Shawn Connelly
ID: 40346895
Hello Frosty555,

>Adding exceptions defeats the purpose of SSL, which is why Browsers make it intentionally cumbersome and
>difficult to do so.

But it is easy to add an exception in Firefox. Ultimately, I was looking for a similar method to do the same in Chrome. Shall I assume there is no way to create an exception in Chrome?

In my original q, I mentioned that I did not want to use the command line exception because that is a blanket exception.

The point of this EE q was to simply discover if Chrome offered a way to create a single SSL exception. I am guessing it isn't possible.


Accepted Solution

Frosty555 earned 2000 total points
ID: 40347141
No, Chrome does not have that particular feature.

Author Closing Comment

by:Shawn Connelly
ID: 40380524
Really annoying but there is no simple solution like Firefox offers (via add exception button).

Question has a verified solution.
