Adding a certificate exception in Google Chrome?

My server application currently has a self-signed certificate and because I must use Google Chrome, I am trying to find a way to add a certificate exception. Recent Chrome 'improvements' appear to have removed this ability.

In Firefox, opening a page with a certificate error is easy to correct (of course, when it is safe to do so) with two steps:
1) Click I Understand the Risks
2) Click Add Exception

Done! The SSL error will no longer appear for this IP.

Question: What are the equivalent steps in Google Chrome?

When opening a page with a certificate error in Chrome, you see the message, "Your connection is not private...Attackers might be trying to steal your information..."

Then you must click Advanced, see another ominous warning, and then click on Proceed to (unsafe) to continue to the intended web page.

This warning is repeated every time I need to access my web server. Very annoying!

I have even attempted (in vain) to add the certificate into Chrome's cert listing. For example:
1. Click on certificate icon in address bar
2. Certificate information
3. Details tab
4. Copy to file
5. Select Base-64 encoded .cer
6. Save file
7. From Chrome Advanced settings, Manage SSL, import it to Trusted RCA

Unfortunately, even those steps (and variations) failed to stop this error!

Ideally, I just want to add in an exception!

1) Getting a proper cert is not an option, at this time.
2) I need to use Chrome (even if FF will immediately solve this issue :))
3) I can't use the CLI and add --ignore-certificate-errors because I don't want to blanket ignore all cert errors.

Anyone know how to add an SSL exception in Chrome?

Thanks so much!
S Connelly, Technical Writer, asked:

The problem most likely is a mismatch of the common name on the certificate with the hostname you are using to access your webserver.

Even if you import the certificate into the Trusted Root Certificate Authorities store on your system, all other aspects of the SSL certificate presented by your webserver must be valid or you're going to get warnings. This is because a self-signed certificate is STILL an SSL certificate, and it still goes through all the usual rigor of SSL, including testing that the common name matches, testing the expiry date, testing that the cert has not been revoked, and testing that the certificate is trusted.

Importing it into your Trusted Root Certificate Authority list just tells your computer to trust the certificate. All the rest of the tests still have to pass.

Go back into Certificate Information, go to the Details tab, select the "Subject" record, and check what it says under "CN = xxxxxx". That's the common name of the certificate and that's the hostname you must use to connect to the webserver.

If the certificate's common name was set to something sensible like the short hostname of your webserver, you can edit your computer's hosts file or configure a local DNS server so the name resolves properly to your webserver's IP address.

But if the SSL cert's common name is something unusable, like "localhost", or an IP Address, or something else invalid because it was auto-generated by your server when you installed Apache... you will have to recreate and import a new SSL certificate on your webserver.
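The checks described in the answer above, as an added sketch that is not code from this thread: trusting a certificate does not waive the name and validity-period checks. It goes one step beyond the answer: current Chrome versions compare the address-bar name only with subjectAltName entries and do not fall back to the CN, which the function models. The certificate dicts use the layout of Python's `ssl.getpeercert()` and are constructed; `diagnose` and the 192.0.2.x addresses are illustrative, and trust and revocation are not modeled.

```python
import ipaddress
import ssl


def _is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def _dns_match(pattern, host):
    """Exact match, or one leftmost wildcard label such as *.example.test."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def diagnose(cert, typed_name, now):
    """List the checks that fail when `typed_name` is in the address bar."""
    problems = []
    sans = cert.get("subjectAltName", ())
    if _is_ip(typed_name):
        want = ipaddress.ip_address(typed_name)
        ok = any(k == "IP Address" and ipaddress.ip_address(v) == want
                 for k, v in sans)
    else:
        ok = any(k == "DNS" and _dns_match(v, typed_name) for k, v in sans)
    if not ok:
        cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"]
        hint = ("not among the SAN entries" if sans
                else "no subjectAltName; CN=%s is not consulted" % ", ".join(cns))
        problems.append("name mismatch for %s (%s)" % (typed_name, hint))
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems


# Constructed sample certificates (not taken from the asker's server).
CN_ONLY = {"subject": ((("commonName", "testserver01"),),),
           "notBefore": "Jan  1 00:00:00 2018 GMT",
           "notAfter": "Jan  1 00:00:00 2019 GMT"}
WITH_SAN = dict(CN_ONLY, subjectAltName=(("DNS", "testserver01"),
                                         ("IP Address", "192.0.2.10")))
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2018 GMT")
```

A certificate that lists both the hostname and the server's IP address as subjectAltName entries passes the name check whichever of the two is typed into the address bar.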
S Connelly, Technical Writer (author), commented:
Hello Frosty555,

Thanks for your reply.

The CN value is "sensible" = testserver01

>edit your computer's hosts file or configure a local DNS server so the name resolves properly

Okay, that isn't a lot of work but I would much rather simply make an exception (like I can with Firefox). Is this at all possible in Chrome?

I don't want to have to do this throughout the testing phase... it is quite possible that I'll need to do this 100 times as IPs and certs change through the alpha and beta stages. That will be very frustrating and time-wasting.

Regardless, I really appreciate your answer as it is a 'correct' answer, even if it isn't what I wanted. :)

Adding exceptions defeats the purpose of SSL, which is why browsers make it intentionally cumbersome and difficult to do so.

Really, unless you are re-creating your entire webserver over and over again, there's no reason why the SSL certificate should need to change. If the IP address changes on your webserver, that's no problem, just update your hosts file with the new IP address; there's no need to touch the SSL certificate. Even if you are re-creating the whole webserver or spinning up new ones for testing purposes, just keep the original private keys for your SSL cert and re-use them instead of generating new ones.

For testing purposes in volatile environments, the easiest and really the only way to make an exception for a website is to just click the "Advanced->Proceed to" link in Chrome. That will cause Chrome to temporarily exclude that particular website from SSL cert checks for the remainder of the session, which could easily last all day if you're continuously developing and testing.

Or, use the --ignore-certificate-errors command line flag and have that particular instance of Chrome completely disable SSL warnings. You can create a separate shortcut for "Chrome without SSL warnings" on your desktop that you only use for development and testing purposes.

Or, as a last option, do the majority of your development using unencrypted HTTP connections instead of HTTPS, and just test periodically to make sure HTTPS works. A well-developed web application ought not to make any assumptions about the protocol encryption and should work either way anyway.

As soon as your server starts being used in a "production" environment - regardless of whether production just means YOU are using it, or you have actual customers using it, the server should have proper SSL certs. Those certs can be self-signed or signed by a CA that you yourself control rather than buying a cert from a third party CA, but they still should be valid.

S Connelly, Technical Writer (author), commented:
Hello Frosty555,

>Adding exceptions defeats the purpose of SSL, which is why Browsers make it intentionally cumbersome and
>difficult to do so.

But it is easy to add an exception in Firefox. Ultimately, I was looking for a similar method to do the same in Chrome. Shall I assume there is no way to create an exception in Chrome?

In my original q, I mentioned that I did not want to use the command line exception because that is a blanket exception.

The point of this EE q was to simply discover if Chrome offered a way to create a single SSL exception. I am guessing it isn't possible.

No, Chrome does not have that particular feature.

S Connelly, Technical Writer (author), commented:
Really annoying but there is no simple solution like Firefox offers (via add exception button).