Solved

Adding a certificate exception in Google Chrome?

Posted on 2014-09-26
Last Modified: 2014-10-14
My server application currently has a self-signed certificate and because I must use Google Chrome, I am trying to find a way to add a certificate exception. Recent Chrome 'improvements' appear to have removed this ability.

In Firefox, opening a page with a certificate error is easy to correct (of course, when it is safe to do so) with two steps:
1) Click I Understand the Risks
2) Click Add Exception

Done! The SSL error will no longer appear for this IP.

Question: What are the equivalent steps in Google Chrome?

When opening a page with a certificate error in Chrome, you see the message, "Your connection is not private...Attackers might be trying to steal your information..."

Then you must click, Advanced, see another ominous warning and then click on Proceed to xxx.xxx.xxx.xxx (unsafe) to continue to the intended web page.

This warning is repeated every time I need to access my web server. Very annoying!

I have even attempted (in vain) to add the certificate into Chrome's cert listing. For example:
1. Click on certificate icon in address bar
2. Certificate information
3. Details tab
4. Copy to file
5. Select Base-64 encoded .cer
6. Save file
7. From Chrome Advanced settings, Manage SSL, import it to Trusted RCA


Unfortunately, even those steps (and variations) failed to stop this error!

Ideally, I just want to add in an exception!

NOTES:
1) Getting a proper cert is not an option, at this time.
2) I need to use Chrome (even if FF will immediately solve this issue :))
3) I can't use the CLI and add --ignore-certificate-errors because I don't want to blanket ignore all cert errors.

Anyone know how to add an SSL exception in Chrome?

Thanks so much!
0
Question by:sconnell
6 Comments
 
LVL 31

Expert Comment

by:Frosty555
ID: 40346729
The problem most likely is a mismatch of the common name on the certificate with the hostname you are using to access your webserver.

Even if you import the certificate into the Trusted Root Certificate Authorities store on your system, all other aspects of the SSL certificate presented by your webserver must be valid or you're going to get warnings. This is because a self-signed certificate is STILL an SSL certificate, and it still goes through all the usual rigor of SSL, including testing that the common name matches, testing the expiry date, testing that the cert has not been revoked, and testing that the certificate is trusted.

Importing it into your Trusted Root Certificate Authority list just tells your computer to trust the certificate. All the rest of the tests still have to pass.

Go back into Certificate Information, go to the Details tab, select the "Subject" record, and check what it says under "CN = xxxxxx", that's the common name of the certificate and that's the hostname you must use to connect to the webserver.

If the certificate's common name was set to something sensible like the short hostname of your webserver, you can edit your computer's hosts file or configure a local DNS server so the name resolves properly to your webserver's IP address.

But if the SSL cert's common name is something unusable, like "localhost", or an IP Address, or something else invalid because it was auto-generated by your server when you installed Apache... you will have to recreate and import a new SSL certificate on your webserver.
0
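The separate checks described in the answer above can be reproduced outside the browser. This is an added example, not part of the original thread: it uses OpenSSL to create a self-signed certificate for testserver01, treats it as its own trusted root, and then applies the name check for three different address-bar entries. It assumes OpenSSL 1.1.1 or later; 192.0.2.10 is a placeholder address, and a subjectAltName entry is included because current Chrome versions match names against SAN rather than the CN.

```shell
#!/bin/sh
# Added example: "trusted" and "name matches" are independent checks.
# Assumptions: OpenSSL 1.1.1+ on PATH; testserver01 is the CN from the thread;
# 192.0.2.10 is a documentation-range stand-in for the server's IP.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Create a self-signed certificate whose CN and subjectAltName are "$1".
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$workdir/key.pem" -out "$workdir/cert.pem" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null
}

# Verify the certificate with itself as the only trust anchor (the effect of
# importing it into the trusted root store) plus one name check.
# $1 = "host" or "ip"; $2 = what would be typed into the address bar.
check_as() {
  case "$1" in
    ip) name_opt=-verify_ip ;;
    *)  name_opt=-verify_hostname ;;
  esac
  if openssl verify -CAfile "$workdir/cert.pem" "$name_opt" "$2" \
       "$workdir/cert.pem" >/dev/null 2>&1; then
    echo pass
  else
    echo fail
  fi
}

make_cert testserver01

# Same certificate, same trust decision; only the name used to connect differs.
echo "https://testserver01/ -> $(check_as host testserver01)"
echo "https://192.0.2.10/   -> $(check_as ip 192.0.2.10)"
echo "https://otherhost/    -> $(check_as host otherhost)"
```

Only the first URL passes, which is why importing the certificate alone did not remove the warning when the server was reached by IP address.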
 
LVL 4

Author Comment

by:sconnell
ID: 40346750
Hello Frosty555,

Thanks for your reply.

The CN value is "sensible" = testserver01

>edit your computer's hosts file or configure a local DNS server so the name resolves properly

Okay, that isn't a lot of work but I would much rather simply make an exception (like I can with Firefox). Is this at all possible in Chrome?

I don't want to have to do this throughout the testing phase... it is quite possible that I'll need to do this 100 times as IPs and certs change through the alpha and beta stages. That will be very frustrating and time-wasting.

Regardless, I really appreciate your answer as it is a 'correct' answer, even if it isn't what I wanted. :)
0
 
LVL 31

Expert Comment

by:Frosty555
ID: 40346853
Adding exceptions defeats the purpose of SSL, which is why browsers make it intentionally cumbersome and difficult to do so.

Really, unless you are re-creating your entire webserver over and over again, there's no reason why the SSL certificate should need to change. If the IP address changes on your webserver, that's no problem, just update your hosts file with the new IP address, there's no need to touch the SSL certificate. Even if you are re-creating the whole webserver or spinning up new ones for testing purposes, just keep the original private keys for your SSL cert and re-use them instead of generating new ones.

For testing purposes in volatile environments, the easiest and really the only way to make an exception for a website is to just click the "Advanced->Proceed to xxx.xxx.xxx.xxx" link in Chrome. That will cause Chrome to temporarily exclude that particular website from SSL cert checks for the remainder of the session, which could easily last all day if you're continuously developing and testing.

Or, use the --ignore-certificate-errors command line flag and have that particular instance of Chrome completely disable SSL warnings. You can create a separate shortcut for "Chrome without SSL warnings" on your desktop that you only use for development and testing purposes.

Or, as a last option, do the majority of your development using unencrypted HTTP connections instead of HTTPS, and just test periodically to make sure HTTPS works. A well-developed web application ought not to make any assumptions about the protocol encryption and should work either way anyway.

As soon as your server starts being used in a "production" environment - regardless of whether production just means YOU are using it, or you have actual customers using it, the server should have proper SSL certs. Those certs can be self-signed or signed by a CA that you yourself control rather than buying a cert from a third party CA, but they still should be valid.
0
 
LVL 4

Author Comment

by:sconnell
ID: 40346895
Hello Frosty555,

>Adding exceptions defeats the purpose of SSL, which is why Browsers make it intentionally cumbersome and
>difficult to do so.

But it is easy to add an exception in Firefox. Ultimately, I was looking for a similar method to do the same in Chrome. Shall I assume there is no way to create an exception in Chrome?

In my original q, I mentioned that I did not want to use the command line exception because that is a blanket exception.

The point of this EE q was to simply discover if Chrome offered a way to create a single SSL exception. I am guessing it isn't possible.

Thanks
0
 
LVL 31

Accepted Solution

by:
Frosty555 earned 500 total points
ID: 40347141
No, Chrome does not have that particular feature.
0
 
LVL 4

Author Closing Comment

by:sconnell
ID: 40380524
Really annoying but there is no simple solution like Firefox offers (via add exception button).
Thanks
0
