
Is it possible to add server certificate exceptions for some websites (to skip warning page about certificates that are expired, self-signed or with missing or mismatched CN/SANs) in Google Chrome / MS Edge for all users (in any scriptable way, but preferably using policies/registry)?

In Mozilla Firefox I am using Autoconfig which is good enough without policy to use. Is there an alternative to Autoconfig in Chrome/Edge?

jacob_w

1 Answer

You can add the self-signed certificates as Trusted Roots on the target machines you want to avoid certificate errors on. This can be done using GPO in Security Settings\Public Key Policies\Trusted Root Certification Authorities.

In the default configuration, IE, old and new Edge, and Chrome (and other Chromium browsers) will all respect the system certificate trusts.

Putting on my security hat: trusting individual self-signed certificates isn't a super great idea because the private key of the certificate is the only thing needed to begin spoofing traffic to the website. You should consider deploying internal certificate authorities, whose roots/intermediates you then trust through AD, and deploying certificates from that. Certificate enrollment is very scriptable!

Conure
  • I would add that if the private key is leaked, the kind of cert seems less important. Anyway, I deploy root certificates to endpoints (if not GPO then certutil/certmgr) - it works great when certs have the attributes required by the browser and are signed by a root/intermediate like you wrote. Unfortunately the certs in question: 1) are out of my control (adding an exception is the only way to get rid of the warning); 2) are not only self-signed. If you add lack of SAN to the mix - trusting the cert doesn't matter to Chrome (IE is a little more trusting). – jacob_w Nov 22 '21 at 18:23
  • True, it's just that with a central CA it's easier to manage certificate revocation and the certificate lifecycle, but correct, it's not massively less secure. The cert not having a SAN, however, now that's a big deal. I don't know of a way to get around that with Chrome. Sorry. :-( – Conure Nov 22 '21 at 19:57
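As an added example (not part of the answer or comments above), the following PowerShell script does what the answer and the comments describe: it imports an internal CA root into the machine-wide Trusted Root store that Chrome, Edge and IE all read, and then checks whether a site certificate actually carries a SAN and validates for the expected host name, since trusting the root alone does not remove the warning otherwise. File paths and the host name are placeholders you would replace; run it from an elevated PowerShell.

```powershell
# Added example: deploy an internal CA root machine-wide and check a site certificate
# the way Chrome/Edge will evaluate it. Paths and host name are assumed placeholders.
$RootCerPath = 'C:\pki\internal-root.cer'      # assumed: exported internal CA root (DER or Base64)
$SiteCerPath = 'C:\pki\intranet-site.cer'      # assumed: the site's leaf certificate
$SiteHost    = 'intranet.example.internal'     # assumed: host name users browse to

# 1. Trust the CA root in LocalMachine\Root, the same store the GPO setting
#    (Public Key Policies\Trusted Root Certification Authorities) populates.
#    Import the CA root here, not individual self-signed leaf certificates.
$root = Import-Certificate -FilePath $RootCerPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Imported root: $($root.Subject) (thumbprint $($root.Thumbprint))"

# 2. Inspect the site certificate. Chrome ignores the CN entirely, so a cert
#    without a Subject Alternative Name keeps warning even with a trusted root.
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SiteCerPath
$san  = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
if (-not $san) {
    Write-Warning "$($leaf.Subject) has no SAN extension; Chrome/Edge will still report ERR_CERT_COMMON_NAME_INVALID."
} else {
    Write-Host "SAN: $($san.Format($false))"
}

# 3. Validate chain, validity period and host name under the SSL policy, i.e. the
#    checks a browser performs. A failure here means the GPO/root deployment will not
#    silence the warning and the certificate itself has to be reissued.
if (Test-Certificate -Cert $leaf -Policy SSL -DNSName $SiteHost -ErrorAction SilentlyContinue) {
    Write-Host "Chain and host name check passed for $SiteHost"
} else {
    Write-Warning "Chain or host name check failed for $SiteHost (expired, untrusted issuer, or name mismatch)"
}
```

The equivalent one-liner for the import step on hosts without the PKI module is `certutil -addstore Root C:\pki\internal-root.cer`, which the comment above also mentions.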