Getting Chrome to accept self-signed localhost certificate

Question

I have created a self-signed SSL certificate for the localhost CN. Firefox accepts this certificate after initially complaining about it, as expected. Chrome and IE, however

Answer 1

As someone has noted, you need to restart ALL of Chrome, not just the browser windows. The fastest way to do this is to open a tab to...

chrome://restart

Answer 2

When clicking the little crossed out lock icon next to the URL, you'll get a box looking like this:

After clicking the Certificate information link, you'll see the following dialog:

It tells you which certificate store is the correct one, it's the Trusted Root Certification Authorities store.

You can either use one of the methods outlined in the other answers to add the certificate to that store or use:

certutil -addstore -user "ROOT" cert.pem

• ROOT is the internal name of the certificate store mentioned earlier.
• cert.pem is the name of your self-signed certificate.

Answer 3

To create a self signed certificate in Windows that Chrome v58 and later will trust, launch Powershell with elevated privileges and type:

New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "fruity.local" -DnsName "fruity.local", "*.fruity.local" -FriendlyName "FruityCert" -NotAfter (Get-Date).AddYears(10)
#notes: 
#    -subject "*.fruity.local" = Sets the string subject name to the wildcard *.fruity.local
#    -DnsName "fruity.local", "*.fruity.local"
#         ^ Sets the subject alternative name to fruity.local, *.fruity.local. (Required by Chrome v58 and later)
#    -NotAfter (Get-Date).AddYears(10) = make the certificate last 10 years. Note: only works from Windows Server 2016 / Windows 10 onwards!!

Once you do this, the certificate will be saved to the Local Computer certificates under the Personal\Certificates store.

You want to copy this certificate to the Trusted Root Certification Authorities\Certificates store.

One way to do this: click the Windows start button, and type certlm.msc. Then drag and drop the newly created certificate to the Trusted Root Certification Authorities\Certificates store per the below screenshot.

Answer 4

On the Mac, you can use the Keychain Access utility to add the self-signed certificate to the System keychain, and Chrome will then accept it. I found the step-by-step instructions here:

Google Chrome, Mac OS X and Self-Signed SSL Certificates

Basically:

1. double-click the lock icon with an X and drag-and-drop the certificate icon to the desktop,
2. open this file (ending with a .cer extension); this opens the keychain application which allows you to approve the certificate.

Answer 5

This post is already flooded with responses, but I created a bash script based on some of the other answers to make it easier to generate a self-signed TLS certificate valid in Chrome (Tested in Chrome 65.x). Hope it's useful to others.

self-signed-tls bash script

After you install (and trust) the certificate, don't forget to restart Chrome (chrome://restart)

---

Another tool worth checking out is CloudFlare's cfssl toolkit:

cfssl

Answer 6

On the Mac, you can create a certificate that's fully trusted by Chrome and Safari at the system level by doing the following:

    # create a root authority cert
    ./create_root_cert_and_key.sh
    
    # create a wildcard cert for mysite.com
    ./create_certificate_for_domain.sh mysite.com
    
    # or create a cert for www.mysite.com, no wildcards
    ./create_certificate_for_domain.sh www.mysite.com www.mysite.com

The above uses the following scripts, and a supporting file v3.ext, to avoid subject alternative name missing errors

If you want to create a new self signed cert that's fully trusted using your own root authority, you can do it using these scripts.

create_root_cert_and_key.sh

    #!/usr/bin/env bash
    openssl genrsa -out rootCA.key 2048
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

create_certificate_for_domain.sh

    #!/usr/bin/env bash
    
    if [ -z "$1" ]
    then
      echo "Please supply a subdomain to create a certificate for";
      echo "e.g. www.mysite.com"
      exit;
    fi
    
    if [ ! -f rootCA.pem ]; then
      echo 'Please run "create_root_cert_and_key.sh" first, and try again!'
      exit;
    fi
    if [ ! -f v3.ext ]; then
      echo 'Please download the "v3.ext" file and try again!'
      exit;
    fi
    
    # Create a new private key if one doesnt exist, or use the xeisting one if it does
    if [ -f device.key ]; then
      KEY_OPT="-key"
    else
      KEY_OPT="-keyout"
    fi
    
    DOMAIN=$1
    COMMON_NAME=${2:-*.$1}
    SUBJECT="/C=CA/ST=None/L=NB/O=None/CN=$COMMON_NAME"
    NUM_OF_DAYS=825
    openssl req -new -newkey rsa:2048 -sha256 -nodes $KEY_OPT device.key -subj "$SUBJECT" -out device.csr
    cat v3.ext | sed s/%%DOMAIN%%/"$COMMON_NAME"/g > /tmp/__v3.ext
    openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days $NUM_OF_DAYS -sha256 -extfile /tmp/__v3.ext 
    
    # move output files to final filenames
    mv device.csr "$DOMAIN.csr"
    cp device.crt "$DOMAIN.crt"
    
    # remove temp file
    rm -f device.crt;
    
    echo 
    echo "###########################################################################"
    echo Done! 
    echo "###########################################################################"
    echo "To use these files on your server, simply copy both $DOMAIN.csr and"
    echo "device.key to your webserver, and use like so (if Apache, for example)"
    echo 
    echo "    SSLCertificateFile    /path_to_your_files/$DOMAIN.crt"
    echo "    SSLCertificateKeyFile /path_to_your_files/device.key"

v3.ext

    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1 = %%DOMAIN%%

One more step - How to make the self signed certs fully trusted in Chrome/Safari

To allow the self signed certificates to be FULLY trusted in Chrome and Safari, you need to import a new certificate authority into your Mac. To do so follow these instructions, or the more detailed instructions on this general process on the mitmproxy website:

You can do this one of 2 ways, at the command line, using this command which will prompt you for your password:

$ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain rootCA.pem

or by using the Keychain Access app:

1. Open Keychain Access
2. Choose "System" in the "Keychains" list
3. Choose "Certificates" in the "Category" list
4. Choose "File | Import Items..."
5. Browse to the file created above, "rootCA.pem", select it, and click "Open"
6. Select your newly imported certificate in the "Certificates" list.
7. Click the "i" button, or right click on your certificate, and choose "Get Info"
8. Expand the "Trust" option
9. Change "When using this certificate" to "Always Trust"
10. Close the dialog, and you'll be prompted for your password.
11. Close and reopen any tabs that are using your target domain, and it'll be loaded securely!

and as a bonus, if you need java clients to trust the certificates, you can do so by importing your certs into the java keystore. Note this will remove the cert from the keystore if it already exists, as it needs to update it in case things change. It of course only does this for the certs being imported.

import_certs_in_current_folder_into_java_keystore.sh

KEYSTORE="$(/usr/libexec/java_home)/jre/lib/security/cacerts";

function running_as_root()
{
  if [ "$EUID" -ne 0 ]
    then echo "NO"
    exit
  fi

  echo "YES"
}

function import_certs_to_java_keystore
{
  for crt in *.crt; do 
    echo prepping $crt 
    keytool -delete -storepass changeit -alias alias__${crt} -keystore $KEYSTORE;
    keytool -import -file $crt -storepass changeit -noprompt --alias alias__${crt} -keystore $KEYSTORE
    echo 
  done
}

if [ "$(running_as_root)" == "YES" ]
then
  import_certs_to_java_keystore
else
  echo "This script needs to be run as root!"
fi