Getting Chrome to accept self-signed localhost certificate

Question

I have created a self-signed SSL certificate for the localhost CN. Firefox accepts this certificate after initially complaining about it, as expected. Chrome and IE, however

Answer 1

This worked for me:

1. Using Chrome, hit a page on your server via HTTPS and continue past the red warning page (assuming you haven't done this already).
2. Open up Chrome Settings > Show advanced settings > HTTPS/SSL > Manage Certificates.
3. Click the Authorities tab and scroll down to find your certificate under the Organization Name that you gave to the certificate.
4. Select it, click Edit (NOTE: in recent versions of Chrome, the button is now "Advanced" instead of "Edit"), check all the boxes and click OK. You may have to restart Chrome.

You should get the nice green lock on your pages now.

EDIT: I tried this again on a new machine and the certificate did not appear on the Manage Certificates window just by continuing from the red untrusted certificate page. I had to do the following:

1. On the page with the untrusted certificate (https:// is crossed out in red), click the lock > Certificate Information. NOTE: on newer versions of chrome, you have to open Developer Tools > Security, and select View certificate.
2. Click the Details tab > Export. Choose PKCS #7, single certificate as the file format.
3. Then follow my original instructions to get to the Manage Certificates page. Click the Authorities tab > Import and choose the file to which you exported the certificate, and make sure to choose PKCS #7, single certificate as the file type.
4. If prompted certification store, choose Trusted Root Certificate Authorities
5. Check all boxes and click OK. Restart Chrome.

Answer 2

I went down the process of using what bjnord suggested which was: Google Chrome, Mac OS X and Self-Signed SSL Certificates

What is shown in the blog did not work.

However, one of the comments to the blog was gold:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain site.crt

You'll need to follow the blog on how to get the cert file, after that you can use the command above and should be good to go.

Answer 3

Click anywhere on the page and type a BYPASS_SEQUENCE

"thisisunsafe" is a BYPASS_SEQUENCE for Chrome version 65

"badidea" Chrome version 62 - 64.

"danger" used to work in earlier versions of Chrome

You don't need to look for input field, just type it. It feels strange but it is working.

I tried it on Mac High Sierra.

To double check if they changed it again go to Latest chromium Source Code

To look for BYPASS_SEQUENCE, at the moment it looks like that:

var BYPASS_SEQUENCE = window.atob('dGhpc2lzdW5zYWZl');

Now they have it camouflaged, but to see the real BYPASS_SEQUENCE you can run following line in a browser console.

console.log(window.atob('dGhpc2lzdW5zYWZl'));

Answer 4

For localhost only:

Simply paste this in your chrome:

chrome://flags/#allow-insecure-localhost

You should see highlighted text saying: Allow invalid certificates for resources loaded from localhost

Click Enable.

Answer 5

2020-05-22: With only 5 openssl commands, you can accomplish this.

Please do not change your browser security settings.

With the following code, you can (1) become your own CA, (2) then sign your SSL certificate as a CA. (3) Then import the CA certificate (not the SSL certificate, which goes onto your server) into Chrome/Chromium. (Yes, this works even on Linux.)

######################
# Become a Certificate Authority
######################

# Generate private key
openssl genrsa -des3 -out myCA.key 2048
# Generate root certificate
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem

######################
# Create CA-signed certs
######################

NAME=mydomain.com # Use your own domain name
# Generate a private key
openssl genrsa -out $NAME.key 2048
# Create a certificate-signing request
openssl req -new -key $NAME.key -out $NAME.csr
# Create a config file for the extensions
>$NAME.ext cat <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
DNS.2 = bar.$NAME # Optionally, add additional domains (I've added a subdomain here)
IP.1 = 192.168.0.13 # Optionally, add an IP address (if the connection which you have planned requires it)
EOF
# Create the signed certificate
openssl x509 -req -in $NAME.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial \
-out $NAME.crt -days 825 -sha256 -extfile $NAME.ext

To recap:

1. Become a CA
2. Sign your certificate using your CA cert+key
3. Import myCA.pem as an Authority in your Chrome settings (Settings > Manage certificates > Authorities > Import)
4. Use the $NAME.crt and $NAME.key files in your server

Extra steps (for Mac, at least):

1. Import the CA cert at "File > Import file", then also find it in the list, right click it, expand "> Trust", and select "Always"
2. Add extendedKeyUsage=serverAuth,clientAuth below basicConstraints=CA:FALSE, and make sure you set the "CommonName" to the same as $NAME when it's asking for setup

You can check your work

openssl verify -CAfile myCA.pem -verify_hostname bar.mydomain.com mydomain.com.crt

Answer 6

Linux

If you're using Linux, you can also follow this official wiki pages:

• Configuring SSL certificates on Linux.
• NSS Shared DB And LINUX
• NSS Shared DB Howto

Basically:

• click the lock icon with an X,
• choose Certificate Information
• go to Details tab
• Click on Export... (save as a file)

Now, the following command will add the certificate (where YOUR_FILE is your exported file):

certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n YOUR_FILE -i YOUR_FILE

To list all your certificates, run the following command:

certutil -d sql:$HOME/.pki/nssdb -L

If it still doesn't work, you could be affected by this bug: Issue 55050: Ubuntu SSL error 8179

P.S. Please also make sure that you have libnss3-tools, before you can use above commands.

If you don't have, please install it by:

sudo apt-get install libnss3-tools # on Ubuntu
sudo yum install nss-tools # on Fedora, Red Hat, etc.

---

As a bonus, you can use the following handy scripts:

$ cat add_cert.sh
certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n $1 -i $1
$ cat list_cert.sh
certutil -d sql:$HOME/.pki/nssdb -L # add '-h all' to see all built-in certs
$ cat download_cert.sh
echo QUIT | openssl s_client -connect $1:443 | sed -ne '/BEGIN CERT/,/END CERT/p'

Usage:

add_cert.sh [FILE]
list_cert.sh
download_cert.sh [DOMAIN]

---

Troubleshooting

• Run Chrome with --auto-ssl-client-auth parameter

  google-chrome --auto-ssl-client-auth