Make Chrome Accept a Self-Signed Certificate (on OSX)
In this post I’ll show you how to add a self-signed certificate to Chrome on your Mac (OSX) machine.
If your organization is like most, it will have sites that use a self-signed certificate.
Ideally they would use actual signed certificates, but sometimes due to cost or expedience, that is not done.
From Wikipedia:
In cryptography and computer security, a self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. This term has nothing to do with the identity of the person or organization that actually performed the signing procedure. In technical terms a self-signed certificate is one signed with its own private key.
Why not just accept it?
The reason Chrome doesn’t trust this by default is that a self-signed certificate is not vouched for by any certificate authority Chrome already trusts, so it has no way to verify that the certificate is being sent by the server that generated the key, and therefore can’t ensure that the server actually is the one that the certificate claims it is.
The scary error
So when you go to the site, you get the scary-looking screen that warns you that your connection might not actually be secure (because self-signed certificates are more vulnerable to a man-in-the-middle attack).
Getting past the scary warning
To get past this error, you can click the little “Advanced” link, to again be warned about the error, and then click the scary link that allows you to proceed to the unsafe site:
Fixing the broken cert
Along with the warning (and the whole time you are on this unsafe site), you’ll also see the crossed-out lock icon, and the https will be red and struck through.
Put it in the keychain
To correct this, you need to import the certificate into your keychain (Chrome uses the standard Mac security). The first step is to click on the lock icon with the red ‘x’ on it:
Click on the “Certificate Information” link, and you’ll see something like this:
Save the self-signed certificate
Now comes the less than intuitive part: Grab the certificate image and drag it to your desktop (or if you have keychain open you can just drag it there):
Open to import
If you placed the certificate on your desktop, double click it to start the import process, and be sure to set it as “System” on the keychain drop down:
Are you sure?
You’ll then get prompted for your password, and keychain should open asking you if you want to trust the certificate:
To complete the import, just click the “Always Trust” button. If they’ve created the certificate for SSL, that would be all you need to do. However, most of the time it’s just a simple X.509 certificate, which means you have to tell your machine to trust it for SSL.
Force the cert to always be trusted
From keychain, reopen the certificate, expand the Trust section, and change the SSL setting to “Always Trust”.
Browser is happy
Close the dialog to save the changes (you’ll be prompted for your password again), and that’s it. If you refresh the browser window you should see the happy green lock:
If you don’t see the green lock, just restart Chrome (which you can do by typing “chrome://restart” into the address bar). The same goes for other browsers.
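Because trusting the certificate removes the warning permanently, it is worth confirming you saved the right one first. The script below is an added example, not part of the original post: it compares the certificate's SHA-256 fingerprint with a value obtained out of band (for example from the site's administrator) and only then builds the `security add-trusted-cert` command that performs the same System-keychain, trust-for-SSL import as the steps above. The function names, the output path and the source of the expected fingerprint are assumptions.

```python
import hashlib
import hmac
import ssl
import sys

SYSTEM_KEYCHAIN = "/Library/Keychains/System.keychain"


def sha256_fingerprint(pem):
    """SHA-256 over the DER encoding of the certificate, as lowercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def normalize(fingerprint):
    """Accept 'AB:CD:...', 'AB CD ...' or plain hex and return lowercase hex."""
    return "".join(c for c in fingerprint.lower() if c in "0123456789abcdef")


def trust_command(pem, pem_path, expected_fingerprint):
    """Return the argv that trusts pem_path for SSL in the System keychain.

    Raises ValueError when the certificate does not match the fingerprint
    supplied out of band, so a substituted certificate is never trusted.
    """
    actual = sha256_fingerprint(pem)
    wanted = normalize(expected_fingerprint)
    if len(wanted) != 64 or not hmac.compare_digest(actual, wanted):
        raise ValueError(f"fingerprint mismatch, certificate has {actual}")
    return [
        "sudo", "security", "add-trusted-cert",
        "-d",               # admin (system-wide) trust settings
        "-r", "trustRoot",  # self-signed, so it is trusted as its own root
        "-p", "ssl",        # limit the trust to the SSL policy
        "-k", SYSTEM_KEYCHAIN,
        pem_path,
    ]


if __name__ == "__main__":
    # usage: script.py <host> <expected-sha256-fingerprint> <output.pem>
    host, expected, out_path = sys.argv[1], sys.argv[2], sys.argv[3]
    # Fetched without validation: the fingerprint check is what authenticates it.
    pem = ssl.get_server_certificate((host, 443))
    with open(out_path, "w") as fh:
        fh.write(pem)
    print(" ".join(trust_command(pem, out_path, expected)))
```

The script only prints the command; run it yourself once the fingerprint has matched.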
Conclusion
I showed you how to update your system to trust a self-signed certificate by importing it into your keychain and telling the operating system to always trust it. It’s not a super complicated process, although it does have a number of steps.