By pjohansson


2011-09-28 08:41:51 8 Comments

I have created a self-signed SSL certificate for the localhost CN. Firefox accepts this certificate after initially complaining about it, as expected. Chrome and IE, however, refuse to accept it, even after adding the certificate to the system certificate store under Trusted Roots. Even though the certificate is listed as correctly installed when I click "View certificate information" in Chrome's HTTPS popup, it still insists the certificate cannot be trusted.

What am I supposed to do to get Chrome to accept the certificate and stop complaining about it?

30 comments

@mpowrie 2019-05-21 06:20:52

To create a self-signed certificate in Windows that Chrome v58 and later will trust, launch PowerShell with elevated privileges and type:

New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "fruity.local" -DnsName "fruity.local", "*.fruity.local" -FriendlyName "FruityCert" -NotAfter (Get-Date).AddYears(10)
#notes: 
#    -subject "*.fruity.local" = Sets the string subject name to the wildcard *.fruity.local
#    -DnsName "fruity.local", "*.fruity.local"
#         ^ Sets the subject alternative name to fruity.local, *.fruity.local. (Required by Chrome v58 and later)
#    -NotAfter (Get-Date).AddYears(10) = make the certificate last 10 years. Note: only works from Windows Server 2016 / Windows 10 onwards!!

Once you do this, the certificate will be saved to the Local Computer certificates under the Personal\Certificates store.

You want to copy this certificate to the Trusted Root Certification Authorities\Certificates store.

One way to do this: click the Windows start button, and type certlm.msc. Then drag and drop the newly created certificate to the Trusted Root Certification Authorities\Certificates store per the below screenshot.

@rjt 2019-06-07 15:01:02

Did not know about CTRL drag in these cert stores, eager to try this.

@Ray Foss 2019-02-21 20:51:53

For Fedora and Ubuntu, if you're getting an "example.com Not a Certification authority" error when adding the certificate using the GUI to add a new root authority:

Try the following with a certificate exported from Chrome; any format works (base64 chain/single, PKCS 7, DER binary, etc.). This worked for me when ALL the GUI methods failed miserably.

certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <certificate nickname> \
-i <certificate filename>

To see changes, restart chrome, kill it from the background if necessary. Firefox will still complain.

To later delete it if need be, go to Chrome -> Settings -> Advanced -> Manage Certificates -> Servers, it will finally show up there, where it can be deleted.

Source, warning, very very spotty and partially outdated: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/linux_cert_management.md

@Chris 2015-08-09 01:52:39

For localhost only:

Simply paste this in your chrome:

chrome://flags/#allow-insecure-localhost

You should see highlighted text saying: Allow invalid certificates for resources loaded from localhost

Click Enable.

@Hugo Wood 2016-08-29 20:11:42

Disables the warning...but also the cache! bugs.chromium.org/p/chromium/issues/detail?id=103875

@diachedelic 2017-03-25 17:37:44

Did not work for non-localhost domains at 127.0.0.1

@Dongolo Jeno 2017-04-25 09:05:40

If you have Postman open close it also.

@Kayani 2017-12-05 07:24:10

Very clean solution +1

@raphael 2017-12-14 10:13:24

Does not work for local environment TLDs like *.dev or *.app or *.test

@baywet 2018-01-04 18:30:32

this won't work if you're using chrome in Incognito mode (to switch identities for eg) but very clean otherwise

@timbo 2018-06-21 09:43:04

This - if you can stand the annoying red Not Secure msg. Otherwise it's hours of mysterious openssl incantations then trying to deal with the internal cert manager in Chrome.

@Mehdi 2018-08-24 13:37:40

I don't know why this answer has been voted but there is a difference between Invalid certificate and self-signed certificate. The question is about self signed cert.

@Filipe Gorges Reuwsaat 2018-11-01 15:52:06

These steps don't work for self-signed certificates; if you attempt to load a certificate at the CA section of the cert import module on Chrome, it'll merely state that the certificate does not have a valid CA and won't do anything else, so it'll still complain about the certificate in the end.

@Gunchars 2018-12-28 18:29:59

This will disable any caching of the resources transferred over HTTPS regardless of what any cache headers might say, so be aware of that.

@Vic Seedoubleyew 2019-06-10 17:15:20

Did not work for me at all. What worked for me was to generate a self-signed certificate including subjectAltName, as explained by this answer: stackoverflow.com/a/42917227/2873507

@Soya Bean 2019-03-19 00:11:01

Allowing insecure localhost works fine via this method: chrome://flags/#allow-insecure-localhost

Just that you need to create your development hostname to xxx.localhost.

@zkolnik 2017-12-06 17:45:11

Assuming you're on Mac OS X, you can also just open the URL in question in Safari, say https://localhost:8080/css/app.css, and allow the cert. Restart Chrome, and it will work.

@Carlos Granados 2019-04-01 13:26:47

Not sure why this was downvoted as it works perfectly fine

@Brad Parks 2017-04-27 19:20:54

On the Mac, you can create a certificate that's fully trusted by Chrome and Safari at the system level by doing the following:

# create a root authority cert
./create_root_cert_and_key.sh

# create a wildcard cert for mysite.com
./create_certificate_for_domain.sh mysite.com

# or create a cert for www.mysite.com, no wildcards
./create_certificate_for_domain.sh www.mysite.com www.mysite.com

The above uses the following scripts, and a supporting file v3.ext, to avoid subject alternative name missing errors

If you want to create a new self signed cert that's fully trusted using your own root authority, you can do it using these scripts.

create_root_cert_and_key.sh

#!/usr/bin/env bash
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

create_certificate_for_domain.sh

#!/usr/bin/env bash

if [ -z "$1" ]
then
  echo "Please supply a subdomain to create a certificate for";
  echo "e.g. www.mysite.com"
  exit;
fi

if [ ! -f rootCA.pem ]; then
  echo 'Please run "create_root_cert_and_key.sh" first, and try again!'
  exit;
fi
if [ ! -f v3.ext ]; then
  echo 'Please download the "v3.ext" file and try again!'
  exit;
fi

# Create a new private key if one doesn't exist, or use the existing one if it does
if [ -f device.key ]; then
  KEY_OPT="-key"
else
  KEY_OPT="-keyout"
fi

DOMAIN=$1
COMMON_NAME=${2:-*.$1}
SUBJECT="/C=CA/ST=None/L=NB/O=None/CN=$COMMON_NAME"
NUM_OF_DAYS=999
openssl req -new -newkey rsa:2048 -sha256 -nodes $KEY_OPT device.key -subj "$SUBJECT" -out device.csr
cat v3.ext | sed s/%%DOMAIN%%/"$COMMON_NAME"/g > /tmp/__v3.ext
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days $NUM_OF_DAYS -sha256 -extfile /tmp/__v3.ext 

# move output files to final filenames
mv device.csr "$DOMAIN.csr"
cp device.crt "$DOMAIN.crt"

# remove temp file
rm -f device.crt;

echo 
echo "###########################################################################"
echo Done! 
echo "###########################################################################"
echo "To use these files on your server, simply copy both $DOMAIN.crt and"
echo "device.key to your webserver, and use like so (if Apache, for example)"
echo 
echo "    SSLCertificateFile    /path_to_your_files/$DOMAIN.crt"
echo "    SSLCertificateKeyFile /path_to_your_files/device.key"

v3.ext

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = %%DOMAIN%%

One more step - How to make the self signed certs fully trusted in Chrome/Safari

To allow the self signed certificates to be FULLY trusted in Chrome and Safari, you need to import a new certificate authority into your Mac. To do so follow these instructions, or the more detailed instructions on this general process on the mitmproxy website:

You can do this one of 2 ways, at the command line, using this command which will prompt you for your password:

$ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain rootCA.pem

or by using the Keychain Access app:

  1. Open Keychain Access
  2. Choose "System" in the "Keychains" list
  3. Choose "Certificates" in the "Category" list
  4. Choose "File | Import Items..."
  5. Browse to the file created above, "rootCA.pem", select it, and click "Open"
  6. Select your newly imported certificate in the "Certificates" list.
  7. Click the "i" button, or right click on your certificate, and choose "Get Info"
  8. Expand the "Trust" option
  9. Change "When using this certificate" to "Always Trust"
  10. Close the dialog, and you'll be prompted for your password.
  11. Close and reopen any tabs that are using your target domain, and it'll be loaded securely!

and as a bonus, if you need java clients to trust the certificates, you can do so by importing your certs into the java keystore. Note this will remove the cert from the keystore if it already exists, as it needs to to update it in case things change. It of course only does this for the certs being imported.

import_certs_in_current_folder_into_java_keystore.sh

KEYSTORE="$(/usr/libexec/java_home)/jre/lib/security/cacerts";

function running_as_root()
{
  if [ "$EUID" -ne 0 ]
    then echo "NO"
    exit
  fi

  echo "YES"
}

function import_certs_to_java_keystore
{
  for crt in *.crt; do 
    echo prepping $crt 
    keytool -delete -storepass changeit -alias alias__${crt} -keystore $KEYSTORE;
    keytool -import -file $crt -storepass changeit -noprompt --alias alias__${crt} -keystore $KEYSTORE
    echo 
  done
}

if [ "$(running_as_root)" == "YES" ]
then
  import_certs_to_java_keystore
else
  echo "This script needs to be run as root!"
fi

@donut 2017-05-09 17:03:33

Got "Error opening Private Key rootCA.key" when running $ ./create_root_cert_and_key.sh. macOS 10.12.4 and OpenSSL 0.9.8zh 14 Jan 2016.

@donut 2017-05-09 17:12:18

Running $ openssl genrsa -out rootCA.key 2048 before $ ./create_root_cert_and_key.sh fixes the "Error opening Private Key rootCA.key" error I ran into.

@Brad Parks 2017-05-09 18:42:52

@donut - thanks for pointing this out - i had that line duplicated so i'm sure it caused the issue you saw...

@Lenny 2017-05-09 19:46:37

openssl req -new -newkey rsa:2048 -sha256 -nodes -key device.key -subj "$SUBJECT" -out device.csr is giving me the error "Error opening Private Key device.key". I thought this command was supposed to create device.key, but it seems to be trying to read it for some reason.

@Lenny 2017-05-09 19:49:16

Figured it out: the solution (in case anyone else hits this) was to change -key to -keyout... openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout device.key -subj "$SUBJECT" -out device.csr

@cuixiping 2017-05-19 12:24:33

How to use Win32OpenSSL to do the same thing on Windows 10?

@Lonoshea 2017-08-25 19:32:06

For FireFox users, you can Import the rootCA.pem file created in this script to the Authorities tab under the Certificates tab in FF preferences - quick link here - about:preferences#advanced. When creating the .pem file, the common name is what controls the URL that is viewed as secure. Example: Common Name (e.g. server FQDN or YOUR name) []:127.0.0.1 You can run the script again (rename the original so you don't override the first .pem file) and use localhost as a common name for a second time. Import both of these .pem files into FF and you will enjoy Green Locks

@Greg Blass 2017-11-28 12:39:01

I'm still getting an error in Chrome on my machine when doing this for localhost: Certificate error There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).

@Brad Parks 2017-11-28 14:17:19

@gregblass - what domains are you trying to use this for, and what url are you loading in your browser? https://localhost/... or something like that? I just rebuilt my cert for https://localhost and it still seems to be working for me, for what it's worth....

@MarsAndBack 2017-12-05 01:33:06

The steps did not work for me. Starting all over again in a new folder, I followed these steps: ram.k0a1a.net/self-signed_https_cert_after_chrome_58, in addition to the OSX Keychain Access trick, and this greenlighted everything in Chrome.

@FFF 2018-05-01 20:52:03

When I try to generate a cert without wildcards, I get an error, and the .crt file doesn't generate device.csr: No such file or directory

@Brad Parks 2018-05-02 18:48:01

@FFF - did you run the create_certificate_for_domain.sh command first? I just tried it and it worked for me on a mac, both wildcard, and non wildcard approaches

@andrzej1_1 2018-08-23 16:06:36

Easy to use and really working!

@Toby J 2017-03-21 02:12:19

UPDATE FOR CHROME 58+ (RELEASED 2017-04-19)

As of Chrome 58, identifying the host using only commonName is being removed. See further discussion here and bug tracker here. In the past, subjectAltName was used only for multi-host certs so some internal CA tools may not include them.

If your self-signed certs worked fine in the past but suddenly started generating errors in Chrome 58, this is why.

So whatever method you are using to generate your self-signed cert (or cert signed by a self-signed CA), ensure that the server's cert contains a subjectAltName with the proper DNS and/or IP entry/entries, even if it's just for a single host.

For openssl, this means your OpenSSL config (/etc/ssl/openssl.cnf on Ubuntu) should have something similar to the following for a single host:

[v3_ca]   # and/or [v3_req], if you are generating a CSR
subjectAltName = DNS:example.com

or for multiple hosts:

[v3_ca]   # and/or [v3_req], if you are generating a CSR
subjectAltName = DNS:example.com, DNS:host1.example.com, DNS:*.host2.example.com, IP:10.1.2.3

In Chrome's cert viewer (which has moved to "Security" tab under F12) you should see it listed under Extensions as Certificate Subject Alternative Name:
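
The subjectAltName requirement described in this answer can be checked from a terminal before a certificate is installed. The script below is an added example, not part of the original answer: the function names are hypothetical, it assumes the openssl CLI is on the PATH, and the two certificates it inspects are constructed on the fly. It reads only the SAN entries and ignores the subject CN, as the answer says Chrome 58+ does.

```shell
#!/bin/sh
# Added example (not from the answer above). Requires the openssl CLI.
# Function names are hypothetical; the certificates are constructed test data.

# make_cert OUT_PEM CN [SAN_LIST]: write a throwaway self-signed certificate.
# SAN_LIST uses openssl config syntax, e.g. "DNS:localhost,IP:127.0.0.1".
make_cert() {
  mc_dir=$(mktemp -d) || return 1
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n'
    if [ -n "${3:-}" ]; then printf 'x509_extensions = ext\n'; fi
    printf '[dn]\nCN = %s\n' "$2"
    if [ -n "${3:-}" ]; then printf '[ext]\nsubjectAltName = %s\n' "$3"; fi
  } > "$mc_dir/req.cnf"
  mc_rc=0
  # The private key is discarded: only the certificate is inspected here.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$mc_dir/req.cnf" -keyout "$mc_dir/key.pem" -out "$1" \
    2>/dev/null || mc_rc=$?
  rm -rf "$mc_dir"
  return "$mc_rc"
}

# san_entries CERT_PEM: print the SAN entries one per line, as openssl names
# them ("DNS:localhost", "IP Address:127.0.0.1"). Prints nothing if no SAN.
san_entries() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
    tr ',' '\n' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# san_covers_host CERT_PEM HOST: exit 0 if a SAN entry covers HOST.
# The subject CN is never consulted. A wildcard entry "*.example.com"
# covers exactly one extra left-most label, so it does not cover
# "example.com" or "a.b.example.com". IP entries are compared as strings.
san_covers_host() {
  sch_host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  sch_list=$(san_entries "$1")
  while IFS= read -r sch_entry; do
    case $sch_entry in
      DNS:*)
        sch_name=$(printf '%s' "${sch_entry#DNS:}" | tr '[:upper:]' '[:lower:]')
        if [ "$sch_name" = "$sch_host" ]; then return 0; fi
        case $sch_name in
          \*.*)
            case $sch_host in
              [!.]*.*)
                if [ "${sch_host#*.}" = "${sch_name#??}" ]; then return 0; fi ;;
            esac ;;
        esac ;;
      'IP Address:'*)
        if [ "${sch_entry#IP Address:}" = "$sch_host" ]; then return 0; fi ;;
    esac
  done <<EOF
$sch_list
EOF
  return 1
}

# Demo: a CN-only certificate next to one that carries a SAN.
demo() {
  demo_dir=$(mktemp -d) || return 1
  make_cert "$demo_dir/cn_only.pem" localhost
  make_cert "$demo_dir/with_san.pem" localhost \
    'DNS:localhost,DNS:*.fruity.local,IP:127.0.0.1'
  for d_case in cn_only:localhost with_san:localhost \
      with_san:app.fruity.local with_san:fruity.local with_san:127.0.0.1; do
    d_cert=$demo_dir/${d_case%%:*}.pem
    d_host=${d_case#*:}
    if san_covers_host "$d_cert" "$d_host"; then
      d_res='covered'
    else
      d_res='NOT covered'
    fi
    printf '%-10s %-18s %s\n' "${d_case%%:*}" "$d_host" "$d_res"
  done
  rm -rf "$demo_dir"
}

demo
```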


@DanO 2017-04-28 02:13:11

Thanks for posting about the Chrome 58+ update! For people looking to create a self signed cert that includes a SAN in Windows one easy way is to use the New-SelfSignedCertificate PowerShell commandlet. New-SelfSignedCertificate -DnsName localhost -CertStoreLocation cert:\LocalMachine\My

@Brian Donahue 2017-04-28 18:26:37

@DanO THANK YOU! None of the other workarounds were working for me on Win10. Nice to know at least Powershell generates valid certs!

@IrfanClemson 2017-05-02 13:55:38

Found a solution on Reddit for Chrome 58+ and it works! In Admin command prompt: reg add HKLM\Software\Policies\Google\Chrome /v EnableCommonNameFallbackForLocalAnchors /t REG_DWORD /d 1

@Toby J 2017-05-02 14:21:59

Thanks @Meengla, I'll update the answer to include that info.

@IrfanClemson 2017-05-02 17:25:57

@Toby J, you are welcome. I had almost given up on this until this Reddit answer helped.

@Bugs Bunny 2017-05-04 08:42:59

Workaround for macOS users: defaults write com.google.Chrome EnableCommonNameFallbackForLocalAnchors -bool true.

@Toby J 2017-05-04 18:33:05

@BugsBunny thanks, added that to the answer

@seanf 2017-05-10 02:34:55

To create the policy on Linux, you need to create a policy file, say /etc/opt/chrome/policies/managed/EnableCommonNameFallbackForLocalAnchors.json with these contents: { "EnableCommonNameFallbackForLocalAnchors": true }

@Toby J 2017-05-10 12:59:05

@seanf thanks, I'll add that one too.

@Shrike 2017-05-12 00:52:29

Also here's info on how to add SubjectAltName in MS certsrv - support.microsoft.com/en-us/help/931351/… TL;DR: add san:dns=dns.name[&dns=dns.name] in Attributes

@ChrisW 2017-05-26 20:41:28

I found the command-line suggested by @DanO's comment insufficient. But it worked with the additional commands listed in the script at github.com/webpack/webpack-dev-server/issues/…

@Maciej Krawczyk 2017-05-27 07:09:04

Don't forget about setting basicConstraints = CA:TRUE under [v3_req] or Chrome won't allow you to add the certificate (at least on Linux)

@Vinney Kelly 2017-07-05 15:05:45

I'm currently using Chrome 59.0.3071.115 (64-bit) on Windows 10 (pre-release build, unfortunately). The fallback hack didn't do the trick for me. :(

@gerleim 2017-10-04 12:03:07

Does this work with certificate issued for and by localhost, if I add subjectAltName = DNS:127.0.0.1?

@Toby J 2017-10-04 13:32:39

@gerleim I think in that case you would use IP:127.0.0.1 instead, but yes you can use a cert in that manner as long as the URL was 127.0.0.1

@gerleim 2017-10-04 13:42:26

@Toby J Thanks, yes it does work, I will publish my samples. OTOH it still does not work with Firefox ;)

@Thunderforge 2018-01-23 18:41:31

"In Chrome's cert viewer (which has moved to "Security" tab under F12) you should see it listed under Extensions as Certificate Subject Alternative Name". I don't see any "Extensions" section when I bring up the Security tab in the F12 dev tools (Chrome 62). Has it been moved to elsewhere?

@Toby J 2018-01-23 21:07:40

@Thunderforge I was referring to the Cert Viewer, so you need to click on "View Certificate" on the Security tab page. However, it looks like the Cert Viewer itself is platform-specific, so the location of where the SAN is displayed may be slightly different.

@Ray Foss 2018-02-22 00:09:03

Still works on Chrome 64 serverfault.com/a/845788/59123

@Suhail Gupta 2019-01-08 11:18:03

Not working on chrome ubuntu

@TetraDev 2018-11-28 02:18:57

The GUI for managing SSL certs on Chromium on Linux did NOT work properly for me. However, their docs gave the right answer. The trick was to run the command below that imports the self-signed SSL cert. Just update the name of the <certificate-nickname> and certificate-filename.cer, then restart chromium/chrome.

From the Docs:

On Linux, Chromium uses the NSS Shared DB. If the built-in manager does not work for you then you can configure certificates with the NSS command line tools.

Get the tools

  • Debian/Ubuntu: sudo apt-get install libnss3-tools

  • Fedora: su -c "yum install nss-tools"

  • Gentoo: su -c "echo 'dev-libs/nss utils' >> /etc/portage/package.use && emerge dev-libs/nss" (You need to launch all commands below with the nss prefix, e.g., nsscertutil.)

  • Opensuse: sudo zypper install mozilla-nss-tools

To trust a self-signed server certificate, we should use

certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <certificate-nickname> -i certificate-filename.cer

List all certificates

certutil -d sql:$HOME/.pki/nssdb -L

The TRUSTARGS are three strings of zero or more alphabetic characters, separated by commas. They define how the certificate should be trusted for SSL, email, and object signing, and are explained in the certutil docs or Meena's blog post on trust flags.

Add a personal certificate and private key for SSL client authentication

Use the command:

pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12

to import a personal certificate and private key stored in a PKCS #12 file. The TRUSTARGS of the personal certificate will be set to “u,u,u”.

Delete a certificate

certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname>

Excerpt From: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/linux_cert_management.md

@kmgdev 2013-09-03 22:56:12

UPDATE 11/2017: This answer probably won't work for most newer versions of Chrome.

UPDATE 02/2016: Better Instructions for Mac Users Can be Found Here.

  1. On the site you want to add, right-click the red lock icon in the address bar:

    1. Click the tab labeled Connection, then click Certificate Information

    2. Click the Details tab, then click the button Copy to File.... This will open the Certificate Export Wizard, click Next to get to the Export File Format screen.

    3. Choose DER encoded binary X.509 (.CER), click Next

    4. Click Browse... and save the file to your computer. Name it something descriptive. Click Next, then click Finish.

    5. Open Chrome settings, scroll to the bottom, and click Show advanced settings...

    6. Under HTTPS/SSL, click Manage certificates...

    7. Click the Trusted Root Certification Authorities tab, then click the Import... button. This opens the Certificate Import Wizard. Click Next to get to the File to Import screen.

    8. Click Browse... and select the certificate file you saved earlier, then click Next.

    9. Select Place all certificates in the following store. The selected store should be Trusted Root Certification Authorities. If it isn't, click Browse... and select it. Click Next and Finish

    10. Click Yes on the security warning.

    11. Restart Chrome.

@Chris Snow 2013-09-27 08:37:48

The Copy To File should be renamed to Save Certificate to make it clear what it is doing.

@A23149577 2014-07-15 06:44:59

I did it, doesn't work for me :(

@kmgdev 2014-07-15 16:56:50

@AJeneral Yeah, Chrome changed again. The instructions in this article worked for me recently.

@JeffryHouser 2014-08-06 22:14:16

I followed these steps on Version 36.0.1985.125 on windows and it worked for me

@jprism 2015-04-20 21:27:07

Works for me after following step by step. Thanks

@y3sh 2015-09-23 21:44:05

This option doesn't exist on Mac Chrome latest as of the date of this comment.

@Pacerier 2015-11-06 10:25:00

@kgrote, Chrome does not have its own certificate store. All it's doing is adding and removing the Windows one. As such, a better way is to simply use certmgr.msc to add and delete certs.

@Xin 2016-02-19 05:18:55

does not work on my machine (win10 + chrome48)

@ioanb7 2016-08-05 17:26:17

Did work for me, thanks. Had to restart Chrome and most importantly my certificate had to expire before 2017. SHA-1 stuff.

@MasterJoe2 2017-01-27 01:06:17

I am trying to import fiddler tool's root certificate in chrome 55 on Windows 7 64 bit. This does NOT work. The cert does not appear in the Trusted store.

@Bruno Bronosky 2017-09-12 14:20:38

CHROME CHANGED YET AGAIN! Now the step "In the address bar, click the little lock with the X. This will bring up a small information screen." doesn't work.

@Tom 2017-11-03 12:41:05

If it doesn't work, make sure to additionally check the answer UPDATE FOR CHROME 58+ (RELEASED 2017-04-19)

@poshest 2018-06-07 20:16:20

Requires Chrome restart for me (Windows 7, Chrome version 66)

@TetraDev 2018-11-08 22:48:09

Works, thanks! I did have to restart chrome though on version 70

@Logan 2017-09-15 16:25:55

This post is already flooded with responses, but I created a bash script based on some of the other answers to make it easier to generate a self-signed TLS certificate valid in Chrome (Tested in Chrome 65.x). Hope it's useful to others.

self-signed-tls bash script

After you install (and trust) the certificate, don't forget to restart Chrome (chrome://restart)


Another tool worth checking out is CloudFlare's cfssl toolkit:

cfssl

@Alex Ivasyuv 2018-06-15 15:59:06

mkdir CA
openssl genrsa -aes256 -out CA/rootCA.key 4096
openssl req -x509 -new -nodes -key CA/rootCA.key -sha256 -days 1024 -out CA/rootCA.crt

openssl req -new -nodes -keyout example.com.key -out domain.csr -days 3650 -subj "/C=US/L=Some/O=Acme, Inc./CN=example.com"
openssl x509 -req -days 3650 -sha256 -in domain.csr -CA CA/rootCA.crt -CAkey CA/rootCA.key -CAcreateserial -out example.com.crt -extensions v3_ca -extfile <(
cat <<-EOF
[ v3_ca ]
subjectAltName = DNS:example.com
EOF
)

@msw1520 2018-05-05 02:09:05

I had success following the answer by kellen with the vital update from Toby J, but had to make this revision:

When creating the self-signed certificate, it was necessary to place the new subjectAltName field under the v3_ca extensions, instead of v3_req. I copied /etc/ssl/openssl.conf to a temporary file and then added a line subjectAltName = DNS:*.example.com under [ v3_ca ]. Then passed that file to the cert creation command, something like

  openssl req -x509 -nodes -newkey rsa:2048 \
          -config /tmp/openssl-revised.cfg \
          -keyout example.com.key -out example.com.crt

and followed kellen's updated steps.

@Hannes Schneidermayer 2018-04-06 12:56:51

I tried everything and what made it work: When importing, select the right category, namely Trusted Root Certificate Authorities:

(sorry it's German, but just follow the image)


@Raman 2016-08-12 20:38:08

UPDATED Apr 3/2018

Recommended by the Chromium Team

https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins#TOC-Testing-Powerful-Features

Quick Super-Easy Solution

There is a secret bypass phrase that can be typed into the error page to have Chrome proceed despite the security error: thisisunsafe (in earlier versions of Chrome, type badidea, and even earlier, danger). DO NOT USE THIS UNLESS YOU UNDERSTAND EXACTLY WHY YOU NEED IT!

Source:

https://chromium.googlesource.com/chromium/src/+/d8fc089b62cd4f8d907acff6fb3f5ff58f168697%5E%21/

(NOTE that window.atob('dGhpc2lzdW5zYWZl') resolves to thisisunsafe)

The latest version of the source is @ https://chromium.googlesource.com/chromium/src/+/refs/heads/master/components/security_interstitials/core/browser/resources/interstitial_large.js and the window.atob function can be executed in a JS console.

For background about why the Chrome team changed the bypass phrase (the first time):

https://bugs.chromium.org/p/chromium/issues/detail?id=581189

If all else fails

For quick one-offs, if the "Proceed Anyway" option is not available and the bypass phrase is not working either, this hack works well:

  1. Allow certificate errors from localhost by enabling this flag (note Chrome needs a restart after changing the flag value):

    chrome://flags/#allow-insecure-localhost

    (and vote-up answer https://stackoverflow.com/a/31900210/430128 by @Chris)

  2. If the site you want to connect to is localhost, you're done. Otherwise, set up a TCP tunnel to listen on port 8090 locally and connect to broken-remote-site.com on port 443. Ensure you have socat installed and run something like this in a terminal window:

    socat tcp-listen:8090,reuseaddr,fork tcp:broken-remote-site.com:443

  3. Go to https://localhost:8090 in your browser.

@smihael 2016-08-23 12:24:14

As stated on quora.com/…, another option is to click anywhere on the page and write "badidea"

@formatkaka 2017-08-23 16:15:33

Anyone trying to use localhost with https for service workers, the first point of If-all-fails worked for me on chrome 60 ubuntu 14.04

@Ray Foss 2019-02-21 20:39:28

This will still treat the cert as invalid and make the password manager refuse to work

@Yevgeniy Afanasyev 2017-12-05 05:08:47

Click anywhere on the page and type a BYPASS_SEQUENCE

"thisisunsafe" is a BYPASS_SEQUENCE for Chrome version 65

"badidea" Chrome version 62 - 64.

"danger" used to work in earlier versions of Chrome

You don't need to look for input field, just type it. It feels strange but it is working.

I tried it on Mac High Sierra.

To double check if they changed it again go to Latest chromium Source Code

To look for BYPASS_SEQUENCE, at the moment it looks like that:

var BYPASS_SEQUENCE = window.atob('dGhpc2lzdW5zYWZl');

Now they have it camouflaged, but to see the real BYPASS_SEQUENCE you can run following line in a browser console.

console.log(window.atob('dGhpc2lzdW5zYWZl'));

@gries 2017-12-20 09:25:01

wtf, thanks this worked for me ubuntu 16.04 63.0.3239.84

@ecorvo 2017-12-22 23:50:04

WTF lol it actually works! Thanks

@vicenteherrera 2017-12-25 18:52:16

WTF+1, MacOs High Sierra

@SHoko 2018-02-23 21:31:22

On ubuntu 17.10 works too

@The Java Guy 2018-03-07 03:26:40

This code has been changed since new version. New phrase is thisisunsafe

@Ryan 2018-03-31 22:32:56

In Chrome 65 on Windows 10, typing thisisunsafe seems to only have the effect of adding this site to the exceptions. (The address bar still says "Not secure" in red.)

@talsibony 2018-05-07 15:01:45

This is working, but just for the first load; if you navigate the page you have to type the BYPASS_SEQUENCE again

@michidk 2018-09-17 20:35:11

thank you! this was the only solution which worked for me!

@Jono 2018-11-25 15:19:41

"thisisunsafe" BYPASS_SEQUENCE was the only thing from this page that worked for me on Mac Chrome 72. I feel like I didn't need to bother creating my self-signed cert...!

@Yevgeniy Afanasyev 2019-01-17 03:16:06

Children? Why? Who said it?

@Alykoff Gali 2018-02-01 09:21:15

For Chrome on MacOS, if you have prepared a certificate:

  • Quit Chrome (cmd+Q).
  • Start the Keychain Access app and open the "Certificates" category.
  • Drag your certificate file onto the Keychain Access window and type the password for the certificate file.
  • Double click on your certificate and unfold the "Trust" list.
    • In row "When using this certificate," choose "Always Trust."
    • Close this stuff and type your password.
  • Start Chrome and clear all caches.
  • Check that everything is ok.

@Fodort 2017-12-14 06:38:02

It didn't work for me when I tried to import the certificate in the browser... In chrome open Developer Tools > Security, and select View certificate. Click the Details tab and export it.

// LINUX

sudo apt-get install libnss3-tools 

certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n [EXPORTED_FILE_PATH] -i [EXPORTED_FILE_PATH]

Run this command, and if you see the file you've just imported, you are good to go!

 certutil -d sql:$HOME/.pki/nssdb -L

// Windows

Start => run => certmgr.msc

On the left side select Trusted Root Certification Authorities => Personal. Click on the actions tab => All actions/import, then choose the file you exported before from the browser

Don't forget to restart chrome!!!

GOOD LUCK! ;)

@RedGiant 2017-12-15 09:38:06

It works on desktop, but is it possible to have a solution for mobile chrome? My mobile accesses the localhost via https://192.168.1.127

@Layne Faler 2017-11-29 14:42:31

I fixed this problem for myself without changing the settings on any browsers with proper SSL certifications. I use a mac so it required a keychain update to my ssl certifications. I had to add subject alt names to the ssl certification for chrome to accept it. As of today, this is for Chrome version number: 62.0.3202.94

My examples are easy-to-use commands and config files:

Add these files; this example is all in one root directory

ssl.conf

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName                = Locality Name (eg, city)
organizationName            = Organization Name (eg, company)
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1   = localhost

Run command to create certification:

openssl req -newkey rsa:4096 -nodes -keyout key.pem -x509 -days 3650 -out certificate.pem -extensions req_ext -config ssl.conf -subj '/CN=localhost/O=Stackflow/C=US/L=Los Angeles/OU=StackflowTech'

For macs only to add trusted certification (required):

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ./certificate.pem

For Windows you will have to find how to verify our SSL certs locally independently. I don't use Windows. Sorry Windows guys and gals.

I am using a node.js server with express.js, which only requires my key and certification with something like this:

app.js

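const https = require('https');
const express = require('express');
const fs = require('fs');

// express() is a factory function, so it is called without `new`.
const app = express();

// Serve the app over TLS with the key and certificate generated above.
const server = https.createServer({
    key: fs.readFileSync('./key.pem'),
    cert: fs.readFileSync('./certificate.pem'),
}, app);
server.listen(3000);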

I may be doing this for other backend frameworks in the future, so I can update this example for others in the future. But this was my fix in Node.js for that issue. Clear the browser cache and run your app on https://

Here's an example of running https://localhost on a Node.js server for Mac users:

https://github.com/laynefaler/Stack-Overflow-running-HTTPS-localhost

Happy Coding!

@phil_lgr 2017-11-02 00:28:28

None of the answers above helped me on Windows 10 when testing locally on

https://localhost:<port>.

However I found this page, indicating another flag to pass:

https://www.chromium.org/blink/serviceworker/service-worker-faq

If you want to test on https://localhost with a self-signed certificate, do:

$ ./chrome --allow-insecure-localhost https://localhost

That did not get rid of the red warning, but it did enable me to use https-only features like service workers and web push notifications.

@Ryan 2018-03-31 22:39:22

This did not work for me in Chrome 65 on Windows 10. So I'm still struggling with stackoverflow.com/q/48969083/470749

@LunaCodeGirl 2014-01-14 04:53:52

If you're on a mac and not seeing the export tab or how to get the certificate this worked for me:

  1. Click the lock before the https://
  2. Go to the "Connection" tab
  3. Click "Certificate Information"

    Now you should see this: Different information of course and yours should be marked as trusted yet (otherwise you probably wouldn't be here)

  4. Drag that little certificate icon to your desktop (or anywhere).

  5. Double click the .cer file that was downloaded, this should import it into your keychain and open Keychain Access to your list of certificates.

    In some cases, this is enough and you can now refresh the page.

    Otherwise:

  6. Double click the newly added certificate.
  7. Under the trust drop down change the "When using this certificate" option to "Always Trust"

Now reload the page in question and it should be problem solved! Hope this helps.


Edit from Wolph

To make this a little easier you can use the following script (source):

  1. Save the following script as whitelist_ssl_certificate.ssh:

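    #!/usr/bin/env bash
    # Fetches the certificate a server presents and marks it as trusted in the
    # macOS System keychain. It trusts whatever is served on this connection,
    # so compare the certificate's fingerprint out of band before relying on it.
    set -e
    
    SERVERNAME=$(echo "$1" | sed -E -e 's/https?:\/\///' -e 's/\/.*//')
    echo "$SERVERNAME"
    
    if [[ "$SERVERNAME" =~ .*\..* ]]; then
        echo "Adding certificate for $SERVERNAME"
        # -servername sends SNI so a name-based virtual host returns the right certificate.
        echo -n | openssl s_client -connect "$SERVERNAME:443" -servername "$SERVERNAME" | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | tee "/tmp/$SERVERNAME.cert"
        sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/tmp/$SERVERNAME.cert"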
    else
        echo "Usage: $0 www.site.name"
        echo "http:// and such will be stripped automatically"
    fi
    
  2. Make the script executable (from the shell):

    chmod +x whitelist_ssl_certificate.ssh
    
  3. Run the script for the domain you want (simply copy/pasting the full url works):

    ./whitelist_ssl_certificate.ssh https://your_website/whatever
    

@Kevin Leary 2014-06-23 17:59:44

This approach worked for me on OS X Mavericks, there was no Export option available as described in the top answer above.

@nalply 2014-08-25 10:17:19

Works great. The lock before https is still crossed out, but it's okay because there's no annoying popup anymore.

@y3sh 2015-09-23 21:44:38

Does not work for hitting a localhost https server

@kellen 2013-02-25 21:14:06

This worked for me:

  1. Using Chrome, hit a page on your server via HTTPS and continue past the red warning page (assuming you haven't done this already).
  2. Open up Chrome Settings > Show advanced settings > HTTPS/SSL > Manage Certificates.
  3. Click the Authorities tab and scroll down to find your certificate under the Organization Name that you gave to the certificate.
  4. Select it, click Edit (NOTE: in recent versions of Chrome, the button is now "Advanced" instead of "Edit"), check all the boxes and click OK. You may have to restart Chrome.

You should get the nice green lock on your pages now.

EDIT: I tried this again on a new machine and the certificate did not appear on the Manage Certificates window just by continuing from the red untrusted certificate page. I had to do the following:

  1. On the page with the untrusted certificate (https:// is crossed out in red), click the lock > Certificate Information. NOTE: on newer versions of chrome, you have to open Developer Tools > Security, and select View certificate.
  2. Click the Details tab > Export. Choose PKCS #7, single certificate as the file format.
  3. Then follow my original instructions to get to the Manage Certificates page. Click the Authorities tab > Import and choose the file to which you exported the certificate, and make sure to choose PKCS #7, single certificate as the file type.
  4. If prompted certification store, choose Trusted Root Certificate Authorities
  5. Check all boxes and click OK. Restart Chrome.

@LK Yeung 2013-05-04 14:31:58

It works for me, but I don't know why it takes a long time to load my page which uses https

@matt 2013-07-09 18:16:42

I tried this on a Linux machine, but it said the import failed because xxx.xxx.com: Not a Certification Authority.

@kellen 2013-07-09 20:18:38

@matt: Yeah, I've had that happen with some certificates. Try importing on a tab other than Authorities? Otherwise, I'm not sure what the workaround is.

@cavalcade 2013-08-22 00:52:06

Thanks @kellen .. however, Using Chrome Version 29.0.1547.57 beta, there does not appear to be an "Export" option anywhere on the Certificate Information. That said, there is a "Details" section but it's not in the form of a Tab. It appears as a collapsible/expandable block. i.imgur.com/dDmNEIh.png

@ari gold 2013-09-04 23:38:16

@MattTagg - you need to go to settings then advanced settings and look for HTTPS/SSL

@Frank Farmer 2014-03-06 19:24:04

The manage certs dialog appears to be accessible via the url chrome://settings/certificates

@Mike 2014-04-21 22:53:29

This worked perfectly for me on Linux using localhost as the CA. It's too bad Chrome is so far behind Firefox in this regard. FF makes it super simple to add trusted certificates with a few clicks of the mouse.

@kolin 2014-07-22 07:36:11

In Chrome 37, there isn't a useful, descriptive Export button anymore. This seems to have been replaced with the wonderful Copy to file button. Why 'export' was not kept, the mind only boggles.

@Jake Wilson 2015-01-15 17:11:22

On OSX I don't see an "Export" button on the Certificate details popup.

@d-b 2015-01-19 17:37:28

@Jakobud, just drag the certificate symbol to the desktop or something and it is exported. However, the rest of answer does not work on OS X (Yosemite) as far as I can tell (Chrome 39).

@Jake Wilson 2015-01-19 21:00:22

Thanks I did figure that out. Once you drag it to the desktop, you can import it into the OSX Keychain. Thanks

@Rudi Strydom 2015-05-27 08:06:43

The "EDIT" solution works like a charm. I now have a nice green lock on my local!

@B T 2015-07-28 00:57:43

This doesn't seem to be working for me on chrome v44.0.2403.107 m on windows 8.1. After successfully exporting the cert to a PKCS file, I tried to import it into the "Personal" tab, but it never shows up. I then tried to import it into the "trusted publishers" and it did show up. But even after a restart, https still gives me a warning on port 8090, and wss fails outright.

@B T 2015-07-28 02:47:02

Ok I got it to work after I added it to the "Trusted Root Certificate Authorities" tab and restarted chrome. Not sure why chrome is being such a pain about this. Thanks!

@Vincil Bishop 2015-08-13 16:04:22

This worked for me on mac: robpeck.com/2010/10/…

@rimsky 2015-08-19 19:39:58

On Chrome v42 and Windows Server 2012, the above instructions worked for me but only if I clicked on the checkbox "Include all certificates in the certification path if possible" when doing the export. Once I did that, I got another dialog (besides "import successful") confirming that I really wanted to install it.

@Vasco 2015-09-16 08:33:35

For a pkcs#7 type certificate, one should choose as extension .p7b

@Ultimater 2015-10-20 03:22:25

The most important step here, during the import, is making sure the certificate goes to the right store. If you store it in personal, chrome won't give the certificate authority. But if you put it in Trusted Root Certificate Authorities store, then it works. Just remember you need to restart chrome to see the certificate applied.

@Jonathan Cross 2016-12-06 21:18:27

On Linux + latest Chrome, these instructions are not working. I get a message "Certification Authority Import Error The file contained one certificate, which was not imported: localhost: Not a Certification Authority." when trying to import. I tried many cert types, extensions, restarted Chrome, etc.

@neochief 2017-01-07 17:27:19

For a last step, make sure you have terminated background chrome app as well in order for the certificate to be properly set.

@MasterJoe2 2017-01-27 01:02:16

I am trying to import fiddler tool's root certificate in chrome 55 on Windows 7 64 bit. This does NOT work. The cert does not appear in any of the cert stores. Firefox had no issues in ingesting this cert though.

@void.pointer 2017-02-17 00:12:46

As of Chrome 56, to access SSL certificate settings in Windows you have to use Developer Tools (CTRL+SHIFT+i), go to "Security" tab and click "View Certificate" button.

@Christopher Milne 2017-03-04 18:58:36

I gave up trying to export the certificate from Chrome. Using Firefox to export the certificate worked however. Then I was able to add the certificate to my keychain using the steps outlined above

@Ramratan Gupta 2017-04-11 10:30:13

These steps are invalid in Chrome Version 57.0.2987.110 (64-bit) on Ubuntu.

@Ramratan Gupta 2017-04-11 10:33:08

Option to view SSL certificate details removed productforums.google.com/forum/#!topic/chrome/…

@Stephan Vierkant 2017-04-20 16:20:30

@matt Have you solved the 'Not a Certification Authority' problem?

@Maciej Krawczyk 2017-05-27 07:10:31

@matt I had same problem on Linux. It was about openssl.cnf. First of all, Chrome accepted it by default, but when I used v3_req to pass alternative names (which are required as of C58), I got the same problem. Open /etc/ssl/openssl.cnf, find [ v3_req ] . Then line by line, you should have: basicConstraints = CA:TRUE \n subjectAltName = DNS:example.com, DNS:host1.example.com, DNS:*.host2.example.com, IP:10.1.2.3 For more about v3_req find the answer below (update for Chrome 58)

@thdoan 2017-09-28 18:46:29

The quickest way to get to Manage Certificates is to search for "ssl" in Settings.

@vee 2017-11-13 09:04:24

This is not working in Chrome 62.0.3202.89. Installed certificate, restarted, and a call to localdomain.tld still shows the error.

@Luke Williams 2018-03-20 18:05:26

On a Mac, I needed to take an additional step: double-click the new cert in Keychain Access, and change to "Always Trust." Adding it to Keychain Access did not make it a trusted cert by default.

@Hannes Schneidermayer 2018-04-06 12:47:32

@Ultimater it worked thank you!!! all: try his suggestion!!!

@Jason S 2018-05-16 23:09:39

"Check all the boxes" -- why? which ones matter?

@lionels 2018-06-11 21:52:19

Hi there, a full tutorial is available here: stackoverflow.com/questions/50788043/…

@Suhail Gupta 2019-01-08 12:11:11

Works great!! I had to create a virtual domain that redirects to localhost for this!

@schlm3 2017-08-16 14:21:54

Here is a solution using only Java 8 keytool.exe instead of openssl:

@echo off
set PWD=changeit
set DNSNAME=%COMPUTERNAME%

echo create ca key
keytool -genkeypair -alias ca -keystore test.jks -keyalg RSA -validity 3650 -ext bc:critical=ca:true -dname "CN=CA" -storepass:env PWD -keypass:env PWD
echo generate cert request for ca signing
keytool -certreq -keystore test.jks -storepass:env PWD -alias ca -file ca.csr -ext bc:critical=ca:true
echo generate signed cert
keytool -gencert -keystore test.jks -storepass:env PWD -alias ca -infile ca.csr -outfile ca.cer -validity 3650 -ext bc:critical=ca:true
echo CA created. Import ca.cer in windows and firefox' certificate store as "Trusted CA".
pause

echo create server cert key for %DNSNAME%
keytool -genkeypair -alias leaf -keystore test.jks -keyalg RSA -validity 3650 -ext bc=ca:false -ext san=dns:%DNSNAME%,dns:localhost,ip:127.0.0.1 -dname "CN=Leaf" -storepass:env PWD -keypass:env PWD
echo generate cert request
keytool -certreq -keystore test.jks -storepass:env PWD -alias leaf -file leaf.csr -ext bc=ca:false -ext san=dns:%DNSNAME%,dns:localhost,ip:127.0.0.1
echo generate signed cert
keytool -gencert -keystore test.jks -storepass:env PWD -alias ca -infile leaf.csr -outfile leaf.cer -validity 3650 -ext bc=ca:false -ext san=dns:%DNSNAME%,dns:localhost,ip:127.0.0.1

rem see content
rem keytool -printcert -file leaf.cer -storepass:env PWD 

echo install in orig keystore
keytool -importcert -keystore test.jks -storepass:env PWD -file leaf.cer -alias leaf

echo content of test.jks:
keytool -list -v -storepass:env PWD -keystore test.jks
pause

You could also use pipes instead of files, but with the files, you can check the intermediate results if something goes wrong. SSL tested with IE11, Edge, FF54, Chrome60 on windows and Chrome60 on Android.

Please change the default password before using the script.

@Adriano Rosa 2017-06-17 17:45:58

As of Chrome 58+ I started getting a certificate error on macOS due to a missing SAN. Here is how to get the green lock in the address bar again.

  1. Generate a new certificate with the following command:

    openssl req \
      -newkey rsa:2048 \
      -x509 \
      -nodes \
      -keyout server.key \
      -new \
      -out server.crt \
      -subj /CN=*.domain.dev \
      -reqexts SAN \
      -extensions SAN \
      -config <(cat /System/Library/OpenSSL/openssl.cnf \
          <(printf '[SAN]\nsubjectAltName=DNS:*.domain.dev')) \
      -sha256 \
      -days 720
    
  2. Import the server.crt into your KeyChain, then double click on the certificate, expand the Trust section, and select Always Trust

Refresh the page https://domain.dev in Google Chrome, so the green lock is back.

@François Romain 2017-08-03 15:36:24

This works for subdomains api.domain.dev but I still have a warning page on domain.dev: This server could not prove that it is domain.dev; its security certificate is from *.domain.dev. This may be caused by a misconfiguration or an attacker intercepting your connection. Any idea?

@zhi.yang 2017-06-27 14:25:40

2017-06-27 newest method:

openssl req \
    -newkey rsa:2048 \
    -x509 \
    -nodes \
    -keyout yoursite.key \
    -new \
    -out yoursite.crt \
    -subj /CN=yoursite.dev \
    -reqexts SAN \
    -extensions SAN \
    -config <(cat /System/Library/OpenSSL/openssl.cnf \
        <(printf '[SAN]\nsubjectAltName=DNS:yoursite.dev')) \
    -sha256 \
    -days 3650

then, add yoursite.crt and yoursite.key to your nginx conf.

from: https://github.com/webpack/webpack-dev-server/issues/854

@Michael 2017-06-27 15:47:09

How is this different from Adriano's answer from 10 days ago?

@Avishai 2017-06-27 16:28:29

That worked for me!

@zhi.yang 2017-06-28 14:45:32

@Michael it's the same. I missed that answer because of its previously wrong code block.

@andreikashin 2017-09-15 12:49:04

This is the best answer!

@Muhammad Umer 2017-09-25 01:47:55

worked!!! thanks

@UUHHIVS 2017-06-06 19:30:03

WINDOWS JUN/2017 Windows Server 2012

I followed @Brad Parks answer. On Windows you should import rootCA.pem in Trusted Root Certificates Authorities store.

I did the following steps:

openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -newkey rsa:4096 -sha256 -days 1024 -out rootCA.pem
openssl req -new -newkey rsa:4096 -sha256 -nodes -keyout device.key -out device.csr
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 2000 -sha256 -extfile v3.ext

Where v3.ext is:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 192.168.0.2
IP.2 = 127.0.0.1

Then, in my case I have a self hosted web app, so I need to bind certificate with IP address and port, certificate should be on MY store with private key information, so I exported to pfx format.

openssl pkcs12 -export -out device.pfx -inkey device.key -in device.crt

With the mmc console (File/Add or Remove Snap-ins/Certificates/Add/Computer Account/LocalComputer/OK) I imported the pfx file in the Personal store.

Later I used this command to bind certificate (you could also use HttpConfig tool):

netsh http add sslcert ipport=0.0.0.0:12345 certhash=b02de34cfe609bf14efd5c2b9be72a6cb6d6fe54 appid={BAD76723-BF4D-497F-A8FE-F0E28D3052F4}

certhash=Certificate Thumbprint

appid=GUID (your choice)

First I tried to import the certificate "device.crt" on Trusted Root Certificates Authorities in different ways but I was still getting the same error.

But I realized that I should import the certificate of the root authority, not the certificate for the domain. So I used the mmc console (File/Add or Remove Snap-ins/Certificates/Add/Computer Account/LocalComputer/OK) and imported rootCA.pem in the Trusted Root Certificates Authorities store.

Restart Chrome and et voilà, it works, with localhost or with the IP address.

The only thing I could not achieve is that it has an obsolete cipher (red square in the picture). Help is appreciated on this point.

With makecert it is not possible to add SAN information. With New-SelfSignedCertificate (Powershell) you can add SAN information, and it also works.

@Jose A 2017-10-10 01:27:36

Important: Run OpenSSL as administrator.

@Ivan Ferrer Villa 2017-11-21 17:38:00

it works! Thanks for explaining all the process so carefully! A full day I've lost with this issue. Gracias compañero!

@Rohit sharma 2018-05-22 06:55:16

Thanks a lot for very clear explanation.

@ShadeBlack 2019-01-13 18:02:52

This is the best answer and still works for Chrome[71.0.3578.98] as of Jan-2019
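The checks this thread keeps arriving at (a SAN must be present, a wildcard covers a single label, an IP address needs its own SAN entry, and only the root carries CA:TRUE), run against a throwaway PKI. This is an added example, not code from any poster here; `lab.cnf`, the `Lab Root CA` name and the helper function names are assumptions, and it needs only the `openssl` CLI.

```shell
#!/bin/sh
# Added example: a constructed lab PKI in a temp directory. Names mirror the
# thread (localhost, *.domain.dev, 127.0.0.1); no trust store is modified.
LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT

build_lab() {
    cat > "$LAB/lab.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:localhost, DNS:*.domain.dev, IP:127.0.0.1
EOF
    # Root CA (CA:TRUE): the certificate that belongs in a trust store.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Lab Root CA" -config "$LAB/lab.cnf" -extensions ca_ext \
        -keyout "$LAB/rootCA.key" -out "$LAB/rootCA.pem" 2>/dev/null &&
    # Leaf (CA:FALSE) carrying the SAN entries, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=localhost" \
        -config "$LAB/lab.cnf" -keyout "$LAB/device.key" \
        -out "$LAB/device.csr" 2>/dev/null &&
    openssl x509 -req -in "$LAB/device.csr" -CA "$LAB/rootCA.pem" \
        -CAkey "$LAB/rootCA.key" -CAcreateserial -days 30 -sha256 \
        -extfile "$LAB/lab.cnf" -extensions leaf_ext \
        -out "$LAB/device.crt" 2>/dev/null &&
    # Legacy style: self-signed, CN=localhost, no subjectAltName at all.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=localhost" -config "$LAB/lab.cnf" \
        -keyout "$LAB/cnonly.key" -out "$LAB/cnonly.pem" 2>/dev/null
}

# Is there a subjectAltName extension at all? Chrome 58+ requires one.
has_san() {
    openssl x509 -in "$1" -noout -text | grep "Subject Alternative Name" >/dev/null
}
# CA:TRUE in basicConstraints? A leaf with CA:FALSE is not a certification authority.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep "CA:TRUE" >/dev/null
}
# chains_to <root> <cert>: does <cert> verify with <root> as the only trust anchor?
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# Browser-style name checks: a SAN must exist AND cover the name. OpenSSL's
# -checkhost falls back to the CN when no DNS SAN is present, hence the gate.
dns_ok() {
    has_san "$1" &&
        openssl x509 -in "$1" -noout -checkhost "$2" | grep "does match" >/dev/null
}
ip_ok() {
    has_san "$1" &&
        openssl x509 -in "$1" -noout -checkip "$2" | grep "does match" >/dev/null
}

report() {  # report <cert> <dns-name>
    if dns_ok "$1" "$2"; then
        echo "$2: covered by a SAN entry"
    elif has_san "$1"; then
        echo "$2: not covered by any SAN entry"
    else
        echo "$2: certificate has no SAN; the CN alone is not enough"
    fi
}

build_lab || { echo "openssl could not build the lab PKI" >&2; exit 1; }
for name in localhost api.domain.dev domain.dev; do
    report "$LAB/device.crt" "$name"
done
report "$LAB/cnonly.pem" localhost
```

To cover both `domain.dev` and its subdomains, list `DNS:domain.dev` next to `DNS:*.domain.dev` in the SAN; an address such as 192.168.1.127 needs its own `IP:` entry in the same way.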

@Konsortium ICT Pantai Timur 2017-01-31 10:24:53

What am I supposed to do to get Chrome to accept the certificate and stop complaining about it?

You should create a PKI with;

1) self-signed Root CA.
2) sub / intermediate certificate [signed by Root CA].
3) normal / end-entity certificate [signed either by Root CA or sub-CA] (commonName or subjectAltName (SAN) as localhost) (also include https://localhost/ as the URI in SAN).
4) Import / Install that Root CA in your Windows OS (because you mentioned IE. Google Chrome is using the same resources while looking for certificates chain - https://www.chromium.org/Home/chromium-security/root-ca-policy ) as 'Trusted Root Certification Authorities'.
5) Install that end-entity certificate as your web server certificate, and it stops complaining that error message.

Hope this helps.

@DejerNet 2016-04-12 20:30:54

As someone has noted, you need to restart ALL of Chrome, not just the browser windows. The fastest way to do this is to open a tab to...

chrome://restart

@Jose Cifuentes 2019-01-08 17:53:00

Hey! Just wanted to point out that this is what fixed it for me. I was adding a custom CA to the trust store, it had always worked for me that way. I tried Firefox and worked flawlessly but not chrome. At the end it was because it seems you need to fully restart chrome as you mention. It might be that Chrome keeps using the same trust store as long as those background processes are still running.

@Hugo Wood 2016-08-30 08:19:25

I was experiencing the same issue: I had installed the certificate into Windows' Trusted Root Authorities store, and Chrome still refused the certificate, with the error ERR_CERT_COMMON_NAME_INVALID. Note that when the certificate is not properly installed in the store, the error is ERR_CERT_AUTHORITY_INVALID.

As hinted by the name of the error, this comment, and this question, the problem was lying in the declared domain name in the certificate. When prompted for the "Common Name" while generating the certificate, I had to enter the domain name I was using to access the site (localhost in my case). I restarted Chrome using chrome://restart and it was finally happy with this new certificate.

@Binyamin 2016-08-10 19:15:14

For development purposes on Windows you can
add the flag --ignore-certificate-errors to the Chrome shortcut.

It is expected to ignore certificate errors and allow you to access websites with invalid certificates.
More detailed instructions are at https://support.opendns.com/entries/66657664.

@Simon_Weaver 2017-06-14 22:21:18

This is very dangerous!

@Ilker Cat 2017-11-03 21:20:20

This means that you are going to ignore cert errors on each and every site. Bad idea...

@Binyamin 2017-11-04 17:08:24

@Simon_Weaver notice is mentioned "For development purposes"

@Binyamin 2017-11-04 17:08:30

@IlkerCat notice is mentioned "For development purposes"

@Ryan 2018-03-31 22:45:01

I've been stuck for so long with this problem (stackoverflow.com/q/48969083/470749) that I was willing to take the risk, but it didn't work on Chrome 65 on Windows 10.

@Binyamin 2018-04-01 05:35:24

@Ryan, you can work around the issue using localtunnel, which will temporarily proxy your server (with SSL and a *.localtunnel.me domain) while localtunnel is running.

@Ryan 2018-04-01 16:35:01

@Binyamin That sounded really interesting, but I kept getting 504 Gateway Time-out Error like these people: github.com/localtunnel/localtunnel/issues/106 But it led me to laravel.com/docs/5.6/homestead#sharing-your-environment, which uses Ngrok and seems to work! It's a very temporary hack and isn't what I was hoping for, but it's certainly better than Chrome blocking my certificates. Thanks.

@user2871617 2016-06-30 16:04:51

Fix for Chrome on Windows.

First, you need to export the certificate.

  • Locate the url in the browser. “https” segment of the url will be crossed out with the red line and there will be a lock symbol to the left.
  • Right click on the crossed-out "https" segment.
  • You will see an information window with various information
  • Click “details”.
  • Export the certificate; follow the directions and accept the default settings.

To import

  • Go to Chrome Settings
  • Click on "advanced settings"
  • Under HTTPS/SSL click to "Manage Certificates"
  • Go to "Trusted Root Certificate Authorities"
  • Click to "Import"
  • There will be a pop up window that will ask you if you want to install this certificate. Click "yes".

@Quip11 2019-01-05 14:41:24

It says it can't find the private key.
