Getting Chrome to accept self-signed localhost certificate

小蘑菇 2020-11-21 11:30

I have created a self-signed SSL certificate for the localhost CN. Firefox accepts this certificate after initially complaining about it, as expected. Chrome and IE, however

30 Answers
  • 2020-11-21 11:57

    Are you sure the address the site is being served up as is the same as the certificate? I had the same problems with Chrome and a self-signed cert, but in the end I found it was just incredibly picky about the validation of the domain name on the cert (as it should be).

    Chrome doesn't have its own cert store and uses Windows' own. However, Chrome provides no way to import certs into the store, so you should add them via IE instead.

    Installing Certificates in Google Chrome

    Installing Certificates in Internet Explorer

    Also take a look at this for a couple of different approaches to creating self-signed certs (I'm assuming you're using IIS as you haven't mentioned).

    How to Create a Self Signed Certificate in IIS 7

    0 Discussion (0)
  • 2020-11-21 11:58

    As of Chrome 58+ I started getting a certificate error on macOS due to a missing SAN. Here is how to get the green lock on the address bar again.

    1. Generate a new certificate with the following command:

      openssl req \
        -newkey rsa:2048 \
        -x509 \
        -nodes \
        -keyout server.key \
        -new \
        -out server.crt \
        -subj /CN=*.domain.dev \
        -reqexts SAN \
        -extensions SAN \
        -config <(cat /System/Library/OpenSSL/openssl.cnf \
            <(printf '[SAN]\nsubjectAltName=DNS:*.domain.dev')) \
        -sha256 \
        -days 720
      
    2. Import the server.crt into your KeyChain, then double-click the certificate, expand Trust, and select Always Trust

    Refresh the page https://domain.dev in Google Chrome, so the green lock is back.

    0 Discussion (0)
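Chrome 58+ matches the hostname against the certificate's subjectAltName only and ignores the CN, so it helps to check what the SAN actually covers before importing a certificate. The script below is an added example, not code from any of the answers: it extracts the DNS SAN entries with `openssl x509 -text` and applies the exact-or-single-label-wildcard rule. The function names and the file name `san_check.sh` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the answers above): does a certificate's
# subjectAltName cover a host? The CN is never consulted, as in Chrome 58+.

# Print the certificate's DNS SAN entries, one per line (nothing if no SAN).
san_dns_names() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    awk '/X509v3 Subject Alternative Name/ { getline; print }' |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# name_matches HOST PATTERN: exact match, or "*.suffix" standing for exactly
# one left-most label (*.domain.dev covers app.domain.dev, not domain.dev).
name_matches() {
  nm_host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  nm_pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$nm_pat" in
    '*.'*)
      nm_suffix=${nm_pat#'*'}              # ".domain.dev"
      nm_label=${nm_host%"$nm_suffix"}     # what the "*" would have to be
      [ "$nm_label" != "$nm_host" ] || return 1
      case "$nm_label" in ''|*.*) return 1 ;; esac
      return 0 ;;
    *) [ "$nm_host" = "$nm_pat" ] ;;
  esac
}

# covers_host HOST: read SAN names on stdin, succeed if any of them match.
covers_host() {
  while IFS= read -r ch_san; do
    name_matches "$1" "$ch_san" && return 0
  done
  return 1
}

# cert_covers_host CERT HOST: the full check against a PEM file.
cert_covers_host() { san_dns_names "$1" | covers_host "$2"; }

# Usage (hypothetical file name): sh san_check.sh server.crt app.domain.dev
if [ "$#" -eq 2 ]; then
  if cert_covers_host "$1" "$2"; then
    echo "OK: a SAN entry covers $2"
  else
    echo "FAIL: no SAN entry covers $2 (Chrome would reject the name)"
  fi
fi
```

A certificate with no SAN at all produces an empty name list, so the check fails regardless of what the CN says.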
  • 2020-11-21 11:58
    # 1. Create a local root CA (the CA key is passphrase-protected)
    mkdir CA
    openssl genrsa -aes256 -out CA/rootCA.key 4096
    openssl req -x509 -new -nodes -key CA/rootCA.key -sha256 -days 1024 -out CA/rootCA.crt
    
    # 2. Create the server key and a certificate signing request
    openssl req -new -nodes -keyout example.com.key -out domain.csr -days 3650 -subj "/C=US/L=Some/O=Acme, Inc./CN=example.com"
    # 3. Sign the CSR with the root CA, adding the subjectAltName extension
    openssl x509 -req -days 3650 -sha256 -in domain.csr -CA CA/rootCA.crt -CAkey CA/rootCA.key -CAcreateserial -out example.com.crt -extensions v3_ca -extfile <(
    cat <<-EOF
    [ v3_ca ]
    subjectAltName = DNS:example.com
    EOF
    )
    
    0 Discussion (0)
  • 2020-11-21 12:02
    1. Add the CA certificate in the trusted root CA Store.

    2. Go to chrome and enable this flag!

    chrome://flags/#allow-insecure-localhost

    Finally, simply use the *.me domain or any valid domains like *.com and *.net and maintain them in the hosts file. For my local devs, I use *.me or *.com with a hosts file maintained as follows:

    1. Add to the hosts file, C:/windows/system32/drivers/etc/hosts:

      127.0.0.1 nextwebapp.me

    Note: If the browser is already opened when doing this, the error will keep on showing. So, please close the browser and start again. Better yet, go incognito or start a new session for immediate effect.

    0 Discussion (0)
  • 2020-11-21 12:02

    The GUI for managing SSL certs on Chromium on Linux did NOT work properly for me. However, their docs gave the right answer. The trick was to run the command below that imports the self-signed SSL cert. Just update the name of the <certificate-nickname> and certificate-filename.cer, then restart chromium/chrome.

    From the Docs:

    On Linux, Chromium uses the NSS Shared DB. If the built-in manager does not work for you then you can configure certificates with the NSS command line tools.

    Get the tools

    • Debian/Ubuntu: sudo apt-get install libnss3-tools

    • Fedora: su -c "yum install nss-tools"

    • Gentoo: su -c "echo 'dev-libs/nss utils' >> /etc/portage/package.use && emerge dev-libs/nss" (You need to launch all commands below with the nss prefix, e.g., nsscertutil.)

    • Opensuse: sudo zypper install mozilla-nss-tools

    To trust a self-signed server certificate, we should use

    certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <certificate-nickname> -i certificate-filename.cer

    List all certificates

    certutil -d sql:$HOME/.pki/nssdb -L

    The TRUSTARGS are three strings of zero or more alphabetic characters, separated by commas. They define how the certificate should be trusted for SSL, email, and object signing, and are explained in the certutil docs or Meena's blog post on trust flags.

    Add a personal certificate and private key for SSL client authentication

    Use the command:

    pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12

    to import a personal certificate and private key stored in a PKCS #12 file. The TRUSTARGS of the personal certificate will be set to “u,u,u”.

    Delete a certificate

    certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname>

    Excerpt From: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/linux_cert_management.md

    0 Discussion (0)
  • 2020-11-21 12:02

    This is something that keeps coming up -- especially for Google Chrome on Mac OS X Yosemite!

    Thankfully, one of our development team sent me this link today, and the method works reliably, whilst still allowing you to control for which sites you accept certificates.

    https://www.reddit.com/r/sysadmin/comments/3ercx4/chrome_shortcut_past_the_your_connection_is_not/cthporl

    jersully posts:

    If you don't want to bother with internal certificates...

    1. Type chrome://flags/ in the address bar.
    2. Scroll to or search for Remember decisions to proceed through SSL errors for a specified length of time.
    3. Select Remember for three months.
    0 Discussion (0)