233

I want to know if it's possible to disable the warning you get in Chrome when you try to go to some HTTPS site that doesn't have a trusted certificate.

I have a few sites in my bookmarks that use HTTPS but none of them have trusted certificates, so each time I visit them I manually have to click "Proceed anyway" in the warning and it's getting kind of annoying.

Is there any way to disable the warning or somehow add these sites to some kind of safe list?

Tamara Wijsman
sippa

9 Answers

166

You can tell Chrome to ignore all SSL errors by passing the following at the command line:

`--ignore-certificate-errors`

I start Chrome from bash using this:

`/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --ignore-certificate-errors &> /dev/null &`

and it works great. Note that this should only be used for testing development websites, and should not be used by a typical end user.

Why? Because Chrome won't say anything about bad certs on "real" sites either! So only use this if you are a developer!

If you just want this for local SSL certificates, then you may be able to get away with just using this option in Chrome, allow-insecure-localhost:

`chrome://flags/#allow-insecure-localhost`

On a related note, if you want to create fully trusted self-signed SSL certs for Chrome/Safari, you can find out how to do that here

Brad Parks
  • 4
    Works on Windows too! – Chaoix Apr 05 '16 at 18:06
  • 11
    This should be the accepted answer - this is such a MUST KNOW answer, it's not even funny. Thanks Brad ! – Danail Gabenski Jun 21 '16 at 08:08
  • 3
    This was the solution I was looking for. Works on Windows. Must work on other platforms too. Just run the executable with the mentioned flag. – Srinivas Gollapudi Aug 18 '16 at 11:56
  • 1
    +1 This should be the accepted answer. – Trevor Sullivan Nov 07 '16 at 20:37
  • 1
    Did this switch stop working for any of you? Chrome was giving me "unsupported command line switch" message for a while, now it seems that they pulled the plug and this doesn't work anymore or maybe Chrome warns you X amount of times then completely blocks it? – ScottN Dec 05 '16 at 16:40
  • @ScottN - I just tried it and it still works for me. I did test it using Canary though, but my Canary is fully up to date. I tested it using [badssl.com](https://badssl.com/), which is managed by the chromium team for testing bad SSL certs, and is [available on Github](https://github.com/chromium/badssl.com) – Brad Parks Dec 05 '16 at 18:02
  • 3
    @BradParks looks like I had some extra chrome.exe running that I had to force quit and then it worked for me again. I still get the "You are using an unsupported command-line flag: --ignore-certificate-errors. Stability and security will suffer." I really don't like to see things suffer, especially security. Is this going away at some point? – ScottN Dec 05 '16 at 19:54
  • 3
    Cool! I think that warning will probably stay there forever, to ensure that people are aware that chrome is ignoring SSL certs. Otherwise someone could run a fake site with an invalid SSL cert, and change your Chrome launch config to ignore ssl certs, and Chrome would access it this way with no warnings whatsoever! – Brad Parks Dec 05 '16 at 20:19
  • 2
    @BradParks excellent point! – ScottN Dec 05 '16 at 22:06
  • I am not sure this is working on macOS. I still get the working screen even if I run Chrome using this command. I think it is related to the current session, and you will get that warning screen every Chrome session; in other words, you will have to allow it manually every time you run Chrome. – talsibony Mar 20 '17 at 09:53
  • @talsibony - for this to work, you have to completely shut down chrome, then start it again using the command line arguments listed above... I think if you do that you'll get it working as you'd expect. I just tried it on my mac and it worked for me! – Brad Parks Mar 20 '17 at 11:52
  • Not working anymore since Chrome for Windows >58 ;( – TouDick Mar 22 '17 at 11:07
  • @TouDick - I just tried this in Chrome for Windows (v 57, up to date as of now), and it worked fine still. I tried it by going to https://expired.badssl.com and it didn't fail, but did fail when I started it without this command line option. My shortcut in Windows has this for "target", `"C:\Program Files\Google\Chrome\Application\chrome.exe" --ignore-certificate-errors`. I see you were using v58, though I don't see how to get that version, as I just updated Chrome, and it says "it's up to date". – Brad Parks Mar 22 '17 at 11:37
  • Not working on Chrome v60 - Mac. – Eng.Fouad Aug 15 '17 at 15:56
  • @Eng.Fouad - I just tried it on a Mac, Chrome Version 60.0.3112.101 (Official Build) (64-bit) and it worked for me. I tested it using [this site](https://test-sspev.verisign.com:2443/test-SSPEV-revoked-verisign.html) which has an invalid SSL cert and it skipped the warning, though it displayed the warning before I started Chrome using that command line option. Make sure you have completely closed Chrome before trying to start it using that command line option, or it won't work. – Brad Parks Aug 15 '17 at 17:28
  • 1
    @BradParks You are right. I tried it one more time and it worked. Maybe I didn't close Chrome properly. – Eng.Fouad Aug 15 '17 at 18:18
  • Yeah it's easy to miss that... good to hear! – Brad Parks Aug 15 '17 at 18:59
  • 2
    @BradParks your tip to "allow invalid certificates for resources loaded from localhost" did the trick for me! ( `chrome://flags/#allow-insecure-localhost` ) – Dirk Sep 10 '18 at 21:20
  • How do we do this on a phone now for mobile web app development? – Douglas Gaskell May 14 '21 at 03:46
  • I haven't seen a similar way to do exactly this on iOS, but you could proxy your iOS network settings using something like [Burp](https://portswigger.net/burp/documentation/desktop/mobile-testing), which is a dev tool for doing security penetration testing, or use [mitmproxy](https://mitmproxy.org/) as [detailed in this blog post](https://medium.com/testvagrant/intercept-ios-android-network-calls-using-mitmproxy-4d3c94831f62) – Brad Parks May 15 '21 at 12:59
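
The comments above point out that Chrome keeps its "unsupported command-line flag" banner because a silently changed launch configuration would otherwise go unnoticed. The following added example (not part of the original answer or comments) checks for exactly that: it reports Chrome/Chromium browser processes and Linux `.desktop` launchers that carry `--ignore-certificate-errors`. The function names and the sample process list are constructed for illustration.

```bash
# Added example, not from the original thread. Function names are illustrative.
SWITCH='--ignore-certificate-errors'

# Reads "PID ARGS..." lines on stdin; prints the PID of each Chrome/Chromium
# browser process that was started with the switch.
find_cert_bypass() {
  awk -v sw="$SWITCH" '
    {
      chrome = 0; flagged = 0; helper = 0
      for (i = 2; i <= NF; i++) {
        if (tolower($i) ~ /chrom(e|ium)/) chrome = 1
        if ($i == sw) flagged = 1
        # Renderer/GPU/utility helpers carry --type=...; skip them so each
        # browser instance is reported once.
        if ($i ~ /^--type=/) helper = 1
      }
      if (chrome && flagged && !helper) print $1
    }'
}

# Prints every *.desktop file in directory $1 whose Exec= line contains the
# switch as a whole argument.
find_launcher_bypass() {
  grep -l -E "^Exec=.*${SWITCH}( |\$)" "$1"/*.desktop 2>/dev/null
}

# Constructed sample in the shape of `ps -e -o pid= -o args=` output.
SAMPLE_PS='  101 /bin/bash
 4242 /opt/google/chrome/chrome --ignore-certificate-errors
 4250 /opt/google/chrome/chrome --type=renderer --ignore-certificate-errors
 4300 /opt/google/chrome/chrome --profile-directory=Default
 4400 /usr/bin/some-tool --ignore-certificate-errors'

printf '%s\n' "$SAMPLE_PS" | find_cert_bypass    # prints 4242
# Live use: ps -e -o pid= -o args= | find_cert_bypass
#           find_launcher_bypass "$HOME/.local/share/applications"
```

The process check matches "chrome" or "chromium" anywhere in the command line, so an unrelated process that merely mentions Chrome in an argument can also be reported.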
43

When you use Chrome's Options > Manage Certificates > Import where are you placing the certificate? On the "Certificate Store" screen of the import, choose "Place all certificates in the following store" and browse for "Trusted Root Certification Authorities." Restart Chrome.

Kalle Richter
  • Thanks! It works now when I imported to Trusted Root Certification Authorities like you said. I do hope they make it easier/faster to add sites to a safelist though. – sippa Sep 16 '09 at 14:11
  • Google's "Manage Certificates" screen is a wrapper around Windows' Certificate Manager (certmgr.msc). Both expose the same underlying concept: if you want to trust an untrusted certificate, you trust it by adding it to the trusted store. – Ian Boyd Jun 02 '10 at 14:02
  • 4
    doesn't work in Chromium 11.0.696.71 (86024) on Ubuntu 11.04 :( – Radu Maris Jun 10 '11 at 13:58
  • This is now found by clicking the "three lines" icon in the upper right -> Settings -> in the search box in the upper right, type "certi" -> Manage Certificates... – AaronLS Oct 11 '12 at 21:45
  • 13
    Chrome asks me for a certificate's password: "Please enter the password that was used to encrypt this certificate file" – kachar Jun 03 '13 at 12:51
  • @kachar try selecting authorities or servers tab as in here: https://code.google.com/p/chromium/issues/detail?id=90563#c6 – sennett Aug 27 '14 at 13:20
  • 2
    First you'll need to export the SSL certificate (the untrusted one) from the site you want to add an exception for. You can do that by clicking the red padlock icon to the left of the URL. From here you get a drop down with a 'certificate information' link. Click that link, go to the 'details' tab and 'copy to file'. I used the default options, exported to my desktop and then followed as cornelius10 suggested. In settings -> advanced settings, there'll be an SSL section. Go there and import the certificate you just exported. Worked a treat for me. – Lukey Sep 25 '14 at 07:42
  • 3
    I have tried this and other permutations suggested here and nothing works. I import the certificate but the message "Your connection is not private" is still shown. Is this still a valid solution? – Klas Mellbourn Apr 22 '15 at 07:12
  • 10
    Six years later and Chrome has totally messed up self-signed certificates. I did just as you described, but it only changed the error message to NET::ERR_CERT_COMMON_NAME_INVALID – Alkanshel Aug 06 '15 at 00:09
  • 1
    @Amalgovinus: Can you please make a group who understand Chrome totally messed up self-signed certificates? And make a debate to let Chrome understand how much they screwed up about this ? – YumYumYum Apr 06 '16 at 12:31
  • 1
    They finally fixed the "stickiness" of this error a few months ago. It was pretty dumb that they changed the bypass phrase on that warning screen from "danger" to "badidea" though... essentially hiding the browser's functionality in easter eggs.. also pretty dumb – Alkanshel Apr 06 '16 at 16:43
  • @BradParks below should be the accepted answer. While this may have been what the user was looking for, it doesn't answer the question as asked, which is important for questions searched on this web site. This answers how do I trust a certificate – reads0520 Aug 28 '18 at 16:51
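
Several comments in this thread report that an imported certificate still fails with NET::ERR_CERT_COMMON_NAME_INVALID or that the name must match the URL's domain. Chrome 58 and later match the hostname only against the certificate's subjectAltName entries and ignore the subject CN, so a CN-only self-signed certificate fails even after it is trusted. The following added example (not part of the original answers) checks an exported certificate for that; the function names and `dev.example.test` are constructed, and OpenSSL 1.1.1 or later is assumed.

```bash
# Added example, not from the original thread. Needs OpenSSL 1.1.1 or later.

# san_dns_names CERT.pem: print each subjectAltName DNS entry on its own line
# (prints nothing when the certificate has no SAN extension).
san_dns_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# san_covers_host CERT.pem HOST: succeed if HOST is listed exactly or is
# covered by a "*." entry one label up. The subject CN is deliberately ignored.
san_covers_host() {
  host=$2
  wildcard="*.${host#*.}"
  san_dns_names "$1" | grep -qixF -e "$host" -e "$wildcard"
}

# make_test_cert OUT.pem CN [SAN]: throwaway self-signed certificate used as
# constructed input; the SAN extension is added only when SAN is given.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    ${3:+-addext} ${3:+"subjectAltName=$3"} \
    -keyout "$1.key" -out "$1" 2>/dev/null
}

demo() {
  dir=$(mktemp -d)
  make_test_cert "$dir/cn-only.pem" dev.example.test
  make_test_cert "$dir/with-san.pem" dev.example.test \
    "DNS:dev.example.test,DNS:*.dev.example.test"
  for cert in cn-only with-san; do
    if san_covers_host "$dir/$cert.pem" dev.example.test; then
      echo "$cert: hostname covered by SAN"
    else
      echo "$cert: no matching SAN entry"
    fi
  done
  rm -rf "$dir"
}
demo
```

Run `san_covers_host exported.pem your.host.name` against the file saved from the certificate viewer (in PEM form) before importing it; a failure here means trusting the certificate will not clear the name error.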
39

You can avoid the message for trusted sites by installing the certificate.

This can be done by clicking on the warning icon in the address bar, then click

"Certificate Information" -> Details Tab -> Copy to file

Save the certificate, then double click on the certificate file. On the certificate window that opens, click install certificate, then walk through the install.

The next time you go to the site it should work fine without errors.

chills42
  • 1
    Hmm.. I've tried what you said on two sites but it doesn't seem to be working. Do you think I have to reboot after I installed the certificate? – sippa Aug 21 '09 at 16:13
  • 3
    I also tried go into Options in Chrome and then Manage Certificates and import them that way. It says imported successfully but it doesn't show up in the list. – sippa Aug 21 '09 at 16:35
  • In order for this to work, the certificate author must match the domain. Otherwise Chrome does not consider the imported certificate safe. – Dejv Oct 12 '15 at 13:04
  • There is no certificate information any more in recent browsers. – user1050755 Apr 21 '17 at 08:30
  • Yeah, it's still available within the security tab in the development console though. – chills42 Apr 21 '17 at 16:06
  • This won't do for me on a day-to-day testing life as the server keeps being rebuilt every 6-hours and sometimes the infrastructure also is rebuilt so that's like nowadays with OpenStack, Docker, K8s, ... CI/CD.... – AlexD Dec 23 '20 at 21:36
22

For Chrome on OSX, here's a relatively easy way to add the self-signed certificate to the system's Keychain, which is used by Chrome: Google Chrome, Mac OS X and Self-Signed SSL Certificates. No more annoying red warning screen! (I do wish Chromium would simplify adding the exception though.)

davemyron
  • Thank you. If you receive Error 100013 when adding it through Keychain Access, refer to this page: http://bit.ly/jBujt1 – Chris Serra Jun 20 '11 at 01:19
  • @ChrisSerra - I'm trying to follow your bitly link but get a 404; can you elaborate on what the instructions there were? – EmmyS Nov 01 '11 at 16:08
  • @EmmyS: I'm sorry -- I really do not remember. Was trying to find the page in Google Cache, but was not successful. I'll try to review the process again, and see if muscle memory helps me recall the solution. – Chris Serra Nov 02 '11 at 20:01
  • @ChrisSerra - no big deal; we did figure out how to do it. – EmmyS Nov 02 '11 at 20:24
  • Thanks for the link. It worked. It seems that the certificate's CN must still match the url's domain even after these steps. Also Step 5 on that site is not needed. It can be added to your login keychain and doesn't need to be in the system keychain. – mhost Nov 08 '12 at 08:08
  • I had to copy the certificate from Safari (12.0.3), since from Chrome (72.0.3626.121) didn't work. – Ricardo Mar 08 '19 at 02:02
15

Instructions for Linux (Chrome 12+):

Certificate Information -> Details -> Export

Save the certificate as a file of your choice.

Preferences -> Under the hood -> Manage certificates -> Authorities

Import the file and check all the boxes when it asks. You are done.

It is very important to import under the Authorities tab, and not any other!

lfaraone
lzap
  • 5
    The file contained one certificate, which was not imported: xxx.xxxxx.com: Not a Certification Authority. – kachar Jun 03 '13 at 12:52
  • Well, it looks like you don't have an authority cert. Try a different tab. The question is for authorities... – lzap Jun 03 '13 at 13:36
  • 1
    Yep, it worked on tab 'Other certificates' – kachar Jun 04 '13 at 20:37
  • If you have trouble finding the "Authorities" tab, just look for a header with that name under `chrome://settings/certificates`. (Sidenote: due to Material design, the tab doesn't look like a tab; instead it looks flat.) – Denilson Sá Maia Aug 03 '20 at 16:49
4

On OS X you should export your certificate from Firefox and import it into Keychain under the login profile.

  • For some problems, you might need an extra step. In the keychain, double-click the certificate. In the certificate window, there is a 'Trust' accordion near the top. Open it. Change 'When using this certificate' to 'Always Trust' and save the change. – Maksym Mar 20 '20 at 15:32
2

If the Google paternalism becomes insufferable as in:

> we don't want users to visit a site with a revoked certificate. If you think this bug report is about #2, I'll mark it WontFix. Would you like me to do that?

you can nullify the browser's TLS system completely by using a TLS proxy that signs all TLS connection opening with its own TLS root CA. Obviously, that has annoying consequences like the inability to view the real certificate of a website with the Chrome interface. Also, client TLS certificates are by design not compatible with that TLS proxying.

Many Google Chrome extensions allow you to select proxies based on domain, so you could only proxy those domains that are known to cause TLS issues in Chrome.

curiousguy
  • Not trusting revoked certificates is a necessary part of public key cryptography. There needs to be a mechanism so that, for example, certs tied to compromised private keys are no longer trusted. – hayden.sikh Jan 06 '21 at 22:16
1

In order for me to get this to work, I had to copy to file using the "Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)" option and check the "Include all certificates in the certification path if possible" box.

Then I imported using Cornelius' instructions and it worked.

caspian
1

If the site you go to is your own server, make sure that you have installed the self-signed certificate or a certificate from a trusted authority on your server. Some server software sets a default test certificate, which cannot be added to the Trusted Root Authorities certificate store.