Doug Van

Adding a certificate exception in Google Chrome?

My server application currently has a self-signed certificate and because I must use Google Chrome, I am trying to find a way to add a certificate exception. Recent Chrome 'improvements' appear to have removed this ability.

In Firefox, opening a page with a certificate error is easy to correct (of course, when it is safe to do so) with two steps:
1) Click I Understand the Risks
2) Click Add Exception

Done! The SSL error will no longer appear for this IP.

Question: What are the equivalent steps in Google Chrome?

When opening a page with a certificate error in Chrome, you see the message, "Your connection is not private...Attackers might be trying to steal your information..."

Then you must click, Advanced, see another ominous warning and then click on Proceed to xxx.xxx.xxx.xxx (unsafe) to continue to the intended web page.

This warning is repeated every time I need to access my web server. Very annoying!

I have even attempted (in vain) to add the certificate into Chrome's cert listing. For example:
1. Click on certificate icon in address bar
2. Certificate information
3. Details tab
4. Copy to file
5. Select Base-64 encoded .cer
6. Save file
7. From Chrome Advanced settings, Manage SSL, import it to Trusted RCA


Unfortunately, even those steps (and variations) failed to stop this error!

Ideally, I just want to add in an exception!

NOTES:
1) Getting a proper cert is not an option, at this time.
2) I need to use Chrome (even if FF will immediately solve this issue :))
3) I can't use the CLI and add --ignore-certificate-errors because I don't want to blanket ignore all cert errors.

Anyone know how to add an SSL exception in Chrome?

Thanks so much!
Frosty555

The problem most likely is a mismatch of the common name on the certificate with the hostname you are using to access your webserver.

Even if you import the certificate into the Trusted Root Certificate Authorities store on your system, all other aspects of the SSL certificate presented by your webserver must be valid or you're going to get warnings. This is because a self-signed certificate is STILL an SSL certificate, and it still goes through all the usual rigor of SSL, including testing that the common name matches, testing the expiry date, testing that the cert has not been revoked, and testing that the certificate is trusted.

Importing it into your Trusted Root Certificate Authority list just tells your computer to trust the certificate. All the rest of the tests still have to pass.

Go back into Certificate Information, go to the Details tab, select the "Subject" record, and check what it says under "CN = xxxxxx", that's the common name of the certificate and that's the hostname you must use to connect to the webserver.

If the certificate's common name was set to something sensible like the short hostname of your webserver, you can edit your computer's hosts file or configure a local DNS server so the name resolves properly to your webserver's IP address.

But if the SSL cert's common name is something unusable, like "localhost", or an IP Address, or something else invalid because it was auto-generated by your server when you installed Apache... you will have to recreate and import a new SSL certificate on your webserver.
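
The tests listed in this answer, run one at a time on a constructed self-signed certificate (an added example, not part of the original thread): a certificate that is in the trusted store still fails the name test when the server is addressed by IP. The function names, the address 192.0.2.10 and the fixed test key are assumptions; Go's `crypto/x509` stands in for the browser's validator and, like current Chrome, matches the name against subjectAltName entries rather than the CN. Revocation is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned builds a constructed self-signed certificate for one DNS name.
func newSelfSigned(name string, from, to time.Time) (*x509.Certificate, error) {
	key := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // throwaway test key
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: from, NotAfter: to, // DNSNames = subjectAltName
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// failedChecks reports which of the name, expiry and trust tests the certificate fails.
func failedChecks(cert *x509.Certificate, host string, trusted *x509.CertPool, now time.Time) (failed []string) {
	if cert.VerifyHostname(host) != nil {
		failed = append(failed, "name")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		failed = append(failed, "expiry")
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: trusted, CurrentTime: cert.NotBefore}); err != nil {
		failed = append(failed, "trust") // chain checked at NotBefore, so independent of expiry
	}
	return failed
}

func main() {
	now := time.Now()
	cert, err := newSelfSigned("testserver01", now.Add(-time.Hour), now.Add(time.Hour))
	if err != nil {
		panic(err)
	}
	store := x509.NewCertPool()
	store.AddCert(cert) // stands in for importing the cert into the trusted root store
	fmt.Println(failedChecks(cert, "192.0.2.10", store, now))
}
```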
Doug Van

ASKER

Hello Frosty555,

Thanks for your reply.

The CN value is "sensible" = testserver01

>edit your computer's hosts file or configure a local DNS server so the name resolves properly

Okay, that isn't a lot of work but I would much rather simply make an exception (like I can with Firefox). Is this at all possible in Chrome?

I don't want to have to do this throughout the testing phase... it is quite possible that I'll need to do this 100 times as IP and certs change through the alpha and beta stages. That will be very frustrating and time-wasting.

Regardless, I really appreciate your answer as it is a 'correct' answer, even if it isn't what I wanted. :)
Frosty555

Adding exceptions defeats the purpose of SSL, which is why Browsers make it intentionally cumbersome and difficult to do so.

Really, unless you are re-creating your entire webserver over and over again, there's no reason why the SSL certificate should need to change. If the IP address changes on your webserver, that's no problem, just update your hosts file with the new IP address, there's no need to touch the SSL certificate. Even if you are re-creating the whole webserver or spinning up new ones for testing purposes, just keep the original private keys for your SSL cert and re-use them instead of generating new ones.

For testing purposes in volatile environments, the easiest and really the only way to make an exception for a website is to just click the "Advanced->Proceed to xxx.xxx.xxx.xxx" link in Chrome. That will cause Chrome to temporarily exclude that particular website from SSL cert checks for the remainder of the session, which could easily last all day if you're continuously developing and testing.

Or, use the --ignore-certificate-errors command line flag and have that particular instance of Chrome completely disable SSL warnings. You can create a separate shortcut for "Chrome without SSL warnings" on your desktop that you only use for development and testing purposes.

Or, as a last option, do the majority of your development using unencrypted HTTP connections instead of HTTPS, and just test periodically to make sure HTTPS works. A well developed web application ought to not make any assumptions about the protocol encryption and work either way anyways.

As soon as your server starts being used in a "production" environment - regardless of whether production just means YOU are using it, or you have actual customers using it, the server should have proper SSL certs. Those certs can be self-signed or signed by a CA that you yourself control rather than buying a cert from a third party CA, but they still should be valid.
Doug Van

ASKER

Hello Frosty555,

>Adding exceptions defeats the purpose of SSL, which is why Browsers make it intentionally cumbersome and
>difficult to do so.

But it is easy to add an exception in Firefox. Ultimately, I was looking for a similar method to do the same in Chrome. Shall I assume there is no way to create an exception in Chrome?

In my original q, I mentioned that I did not want to use the command line exception because that is a blanket exception.

The point of this EE q was to simply discover if Chrome offered a way to create a single SSL exception. I am guessing it isn't possible.

Thanks
ASKER CERTIFIED SOLUTION
Frosty555

This solution is only available to members.

Really annoying but there is no simple solution like Firefox offers (via add exception button).
Thanks