Google Chrome, Mac OS X and Self-Signed SSL Certificates

05 Oct

I’ve been using Google Chrome as my primary browser for the last few months. Sorry, Firefox, but with all the stuff I need for work installed, you’re so slow as to be unusable, up to and including having to force-quit at the end of the day. Chrome starts and stops quickly. But that’s not the purpose of this entry. The purpose is how to live with self-signed SSL certificates in Google Chrome.

Let’s say you have a server with a self-signed SSL certificate. Every time you hit a page, you get a nasty error message. You ignore it once and it’s fine for that browsing session, but when you restart the browser, it’s back. Unlike Firefox, there’s no easy way to say “yes, I know what I’m doing, ignore this.” This is an oversight I wish Chromium would correct, but until they do, we have to hack our way around it.

Caveat: these instructions are written for Mac OS X. Windows instructions will be slightly different, since Windows has no keychain: Google Chrome (unlike Firefox, which keeps its own certificate store) uses the operating system’s certificate store, which on the Mac is the keychain.

So here’s how to get Google Chrome to play nicely with your self-signed SSL certificate:

  1. (Original method; the updated steps below no longer need it.) On your web server, copy the crt file (in my case, server.crt) over to your Macintosh. I scp’d it to my Desktop for ease of work.

    These directions have been updated. Thanks to Josh below for pointing out a slightly easier way: instead of copying the file off the server, you can pull the certificate straight out of Chrome.


  2. Navigate to your self-signed SSL site, then in the address bar click the little lock with the X. This will bring up a small information screen. Click the button that says “Certificate Information.”
  3. Click and drag the certificate image to your desktop. It looks like a little certificate.
  4. Double-click it. This will bring up the Keychain Access utility. Enter your password to unlock it.
  5. Be sure you add the certificate to the System keychain, not the login keychain. Click “Always Trust,” even though this doesn’t seem to do anything.
  6. After it has been added, double-click it in Keychain Access. You may have to authenticate again.
  7. Expand the “Trust” section.
  8. Set “When using this certificate” to “Always Trust.” If you would rather not trust it for code signing, S/MIME and everything else as well, leave that top-level setting alone and set only “Secure Sockets Layer (SSL)” to “Always Trust.”

That’s it! Close Keychain Access and restart Chrome, and your self-signed certificate should now be recognized by the browser. One check worth doing before you click “Always Trust”: you are trusting whatever certificate the network handed to Chrome, so compare the fingerprint Keychain Access shows against the server.crt on the server itself. If they differ, something between you and the server is presenting its own certificate, and trusting it is the last thing you want.
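The following script is an added example and not part of the original post: it does the same job from the Terminal, with the fingerprint check in front of it. It assumes a hostname and a path to the server’s own copy of the certificate (both placeholders), and that Apple’s `security add-trusted-cert` command is available, which it is on Mac OS X; the fetch, fingerprint and comparison parts work wherever Python runs.

```python
"""Trust a self-signed server certificate on Mac OS X from the command line.

Added example, not code from the original post. Assumptions (not in the
post): host, port and certificate paths are placeholders; the
`security add-trusted-cert` call is Apple's keychain CLI and only runs when
trust_for_ssl_only() is called on a Mac.
"""
import hashlib
import ssl
import subprocess

SYSTEM_KEYCHAIN = "/Library/Keychains/System.keychain"


def fingerprint_sha256(pem):
    """SHA-256 over the DER encoding, formatted like openssl and Keychain
    Access show it (colon-separated upper-case hex)."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_presented_cert(host, port=443):
    """Return the PEM certificate the server presents during the handshake.
    This is the certificate Chrome complains about. ssl.get_server_certificate
    does no validation, which is exactly why the fingerprint must be compared
    against a copy taken from the server before it is trusted."""
    return ssl.get_server_certificate((host, port))


def matches_reference(presented_pem, reference_pem):
    """True only if the certificate seen on the wire is byte-for-byte the one
    on the server (same DER, therefore same fingerprint). A mismatch means
    something between you and the server is presenting its own certificate."""
    return fingerprint_sha256(presented_pem) == fingerprint_sha256(reference_pem)


def trust_command(cert_path, keychain=SYSTEM_KEYCHAIN):
    """Build the `security` invocation that adds a self-signed certificate to
    the System keychain trusted for SSL only (-p ssl), instead of the blanket
    'When using this certificate: Always Trust', which also covers code
    signing, S/MIME and every other policy."""
    return [
        "sudo", "security", "add-trusted-cert",
        "-d",               # admin (system-wide) trust settings
        "-r", "trustRoot",  # self-signed: trust it as its own root
        "-p", "ssl",        # only for TLS server authentication
        "-k", keychain,
        cert_path,
    ]


def trust_for_ssl_only(host, reference_cert_path, port=443):
    """Fetch what the server presents, refuse to proceed unless it matches the
    server's own copy, then add it to the System keychain. Returns the
    fingerprint that was trusted."""
    presented = fetch_presented_cert(host, port)
    with open(reference_cert_path) as f:
        reference = f.read()
    if not matches_reference(presented, reference):
        raise RuntimeError(
            "certificate presented by %s:%d (%s) does not match %s; not trusting it"
            % (host, port, fingerprint_sha256(presented), reference_cert_path)
        )
    subprocess.run(trust_command(reference_cert_path), check=True)
    return fingerprint_sha256(reference)


if __name__ == "__main__":
    import sys
    # usage: python trust_selfsigned.py myserver.example.com ./server.crt
    print(trust_for_ssl_only(sys.argv[1], sys.argv[2]))
```

Restart Chrome afterwards, as with the Keychain Access route. Because the trust is scoped with `-p ssl`, the certificate is not also trusted for code signing or mail, which is what the top-level “Always Trust” would do.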

This is one thing I hope Google/Chromium fixes soon as it should not be this difficult. Self-signed SSL certificates are used a lot in the business world, and there should be an easier way for someone who knows what they are doing to be able to ignore this error than copying certificates around and manually adding them to the system keychain.

 

  • Josh R

    Simpler method: click through to the site, then click the skull and crossbones, click “Certificate Information”, then drag and drop the certificate image (the thing that looks like a certificate in clip-art) to your desktop. Then double-click the .cer file on the desktop, type your password, and click “Always Trust”. Done.

    Much easier, and you don’t have to do any fun file transfer craziness.

  • http://www.robpeck.com Rob Peck

    Yeah, that’s a bit easier than having to scp it over. Clicking “Always Trust” didn’t work for me, though. I still had to open it back up in Keychain Access and manually change the trust setting to Always Trust.

    I still wish Google/Chromium would make this easier. Something that I could click that says, “I understand what I am doing, please don’t bother me about this certificate again.”

  • http://www.facebook.com/spstanley Shawn Stanley

    This was very helpful. Thanks!

  • Chris

    I received “Error: 100013” when attempting to import to the System keychain (no fuss to the login keychain), and found this solution worked:

    https://www.tarnyinc.com/groups/trainingcenter/weblog/10d55/Solve_the_100013_Error_when_Attempting_to_Add_a_Certificate_to_a_System_Keychain.html

  • Ben

    Thanks! Steps 6-8 were what I was missing.

  • Josiah S.

    I am having difficulty finding this “little lock with an X.” Seeing as that is the first step, I can’t really seem to fix the problem. Also, I am not given an “Always Trust” option when dealing with my Keychain Access.

  • http://www.robpeck.com Rob Peck

    The lock icon is displayed at the left end of the URL bar, where the globe icon is displayed on a non-SSL website. Note that you need to navigate to your self-signed SSL website first.

  • Barclay

    Despite carefully following these instructions I am not getting a successful outcome. A couple of notes. First, I don’t see a skull & crossbones (from Josh R’s comment). Also, I click on the lock with X and I get a drop down with three sections. The first has a red lock with X and says:

    “The identity of this website has not been verified.
    • Server’s certificate does not match the URL.
    • Server’s certificate is not trusted.”

    (This happens even after I have added the cert following your instructions.) There’s a button that says “Certificate information” and when I click it I see another drop down containing the certificate image (that’s what I am able to drag & drop on my desktop). Under that it says “This certificate is marked as trusted for [xyz.com, my url]”. I’m using Snow Leopard 10.6.8 and Chrome 17.0.963.66. Any ideas?

  • FJ

    Thank you so much for posting. Helped SO MUCH. Love me some Chrome but this was driving me nuts. Thank you thank you!

  • Guillaume

    Thank you so much ! Very helpful !

  • Rmenor

    I can’t drag the image. What do I do then?

  • http://www.robpeck.com Rob Peck

    Not sure what to tell you, Rmenor. These instructions are 2 years old, but it still works fine for me on Chrome 18.0.1025.151.

  • Erik Nolte

    The following worked for me with Mac OS X 10.7.3, Keychain Access 5.0 (55108), and Chrome 18.0.1025.163.

    1. Browse to the insecure site
    2. Click on the padlock icon left of the red, crossed out https in the URL bar (a popup window will appear with another red padlock and, after a 1 to 2 second delay, a “Certificate Information” button will appear in the section with the second red padlock)
    3. Click the “Certificate Information” button (A sheet attached to the bottom of the url/bookmark bar will appear. It will have a “certificate” icon that contains a shiny gold, multipoint star. It’s totally non-obvious that this is a draggable icon)
    4. Drag the certificate icon to the desktop.
    5. Double-click on the desktop file (this will start Keychain Access, but not import the certificate)
    6. Select the “System” keychain in the list on the upper left.
    7. Click the lock at the top of the Keychain Access window to unlock the system keychain. Enter your password.
    8. Select “Certificates” in the Category list on the lower left.
    9. Drag your file from the desktop to the list in the middle bottom of the screen (you probably have a few Apple certificates in the list)

  • http://www.payjunction.com C Coakley

    After following these instructions, I still had an error with my cert.

    The identity of this website has not been verified.
    • Server’s certificate is signed using a weak signature algorithm.

    Clicking on the certificate information actually said “marked as trusted.” I found that a bit odd/inconsistent.

    This seems to be specific to Chrome 18, but I found a solution:

    http://my.galagzee.com/2012/04/07/chrome-weak-signature-algorithm/

  • Ben Be

    Very helpful, thanks! I have a small home server that gave me this error message when I tried to connect, despite my certificate not even being self-signed. Now it doesn’t and I’m happy.

  • aDAMN

    It does not work for me :( It keeps telling me: “The identity of this website has not been verified.
    • Server’s certificate does not match the URL.” I have followed the guide accordingly!

    Is this maybe because I use dyndns? The URL in the cert is synology.com and my NAS has blanas.dyndns.org.

    What am I doing wrong :( ?

  • aDAMN

    That’s what Google also says:

    “You attempted to reach bladns.dyndns.org, but instead you actually reached a server identifying itself as synology.com.”

    :( Please help, it’s kinda annoying!

  • http://www.robpeck.com Rob Peck

    It sounds like you’re actually having a different problem. It’s not a self-signed certificate issue. The certificate for whatever you’re trying to access (I’m assuming some kind of NAS) isn’t the same as the URL. My guess is because it was signed by the manufacturer and is actually a valid cert for their domain, but not for your device.

    These instructions are primarily aimed at people who have a self-signed cert from a domain they’re trying to access.

  • Jordan

    Dude, that’s a real time-saver for me, bugging me for years, thanks!

  • Martin

    Step 5 is not necessary. It works for me in my login keychain.

  • Martin

    But thanks a bunch for this. This has bugged me for years.

  • http://www.facebook.com/anotherverge Robert Verge

    Thanks.

  • David

    Thank you Rob for this very helpful blogpost

  • mslman71

    Thank you sir, this was extremely helpful. Wasted half the morning trying to sort out this issue.