Score:0

How to add server certificate exception to Chrome/Edge?

Is it possible to add server certificate exceptions for some websites (to skip warning page about certificates that are expired, self-signed or with missing or mismatched CN/SANs) in Google Chrome / MS Edge for all users (in any scriptable way, but preferably using policies/registry)?

In Mozilla Firefox I am using Autoconfig which is good enough without policy to use. Is there an alternative to Autoconfig in Chrome/Edge?

Score:1

You can add the self-signed certificates as Trusted Roots on the target machines you want to avoid certificate errors on. This can be done using GPO in Security Settings\Public Key Policies\Trusted Root Certification Authorities.

In the default configuration, IE, old and new Edge, and Chrome (and other Chromium browsers) will all respect the system certificate trusts.

Putting on my security hat: trusting individual self-signed certificates isn't a super great idea because the private key of the certificate is the only thing needed to begin spoofing traffic to the website. You should consider deploying internal certificate authorities, whose roots/intermediates you then trust through AD, and deploying certificates from that. Certificate enrollment is very scriptable!

jacob_w
I would add that if the private key is leaked, the kind of cert seems less important. Anyway, I deploy root certificates to endpoints (if not GPO then certutil/certmgr) - it works great when certs have the attributes required by the browser and are signed by a root/intermediate like you wrote. Unfortunately the certs in question: 1) are out of my control (adding an exception is the only way to get rid of the warning); 2) are not only self-signed. If you add lack of SAN to the mix - trusting the cert doesn't matter to Chrome (IE is a little more trusting).

True, it's just that with a central CA it's easier to manage certificate revocation and the certificate lifecycle, but correct, it's not massively less secure. The cert not having a SAN, however, now that's a big deal. I don't know of a way to get around that with Chrome. Sorry. :-(
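
The answer and comments above come down to a pre-flight check: trusting a certificate only helps if it is self-signed, inside its validity period, and carries a SAN. The PowerShell function below is an added example, not code from the thread; the function name and the sample file name are hypothetical, and the self-signed test is a simple issuer-equals-subject heuristic.

```powershell
# Added example, not from the original thread. Run elevated when using -Import.
function Test-ServerCertForBrowsers {
    param(
        [Parameter(Mandatory)] [string] $CertPath,  # hypothetical path to an exported .cer file
        [switch] $Import                            # import into LocalMachine\Root if checks pass
    )
    $path = (Resolve-Path -LiteralPath $CertPath).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)

    # Subject Alternative Name extension, OID 2.5.29.17
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $now = Get-Date

    $result = [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        # Heuristic: issuer name equals subject name (self-issued)
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        InValidity = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        HasSAN     = [bool]$san
        SANEntries = if ($san) { $san.Format($false) } else { $null }
    }

    if ($Import) {
        if (-not $result.SelfSigned) {
            # A CA-issued leaf does not belong in the root store
            Write-Warning 'Not self-signed: trust the issuing CA instead of this certificate.'
        } elseif (-not $result.HasSAN -or -not $result.InValidity) {
            # Trust does not override a missing SAN or an expired certificate
            Write-Warning 'Missing SAN or outside validity period: trusting it will not clear the browser warning.'
        } else {
            Import-Certificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
        }
    }
    $result
}

# Report only (constructed file name):
# Test-ServerCertForBrowsers -CertPath .\intranet-app.cer
```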