How do I deal with NET:ERR_CERT_AUTHORITY_INVALID in Chrome?

92

33

My work place intercepts SSL connections, looks at their contents, and then passes the data to and from my machine and remote hosts - a kind of man-in-the-middle attack. This is not uncommon in corporate or enterprise environments.

Now I have a virtual machine running on my computer. The virtual machine does not have the certificates the actual machine has which enable the MITM to work transparently. As a result, I get this message:

NET::ERR_CERT_AUTHORITY_INVALID message in Chrome

What can I do to resolve this?

Richard

Posted 2016-06-02T19:36:42.173

Reputation: 2 565

1 Install the fake certificates on the virtual machine. – Ramhound – 2016-06-02T21:04:35.427

@Ƭᴇcʜιᴇ007: Corporate ID didn't want to touch the issue. Don't let the word "corporate" throw you, this is a perfectly legitimate question about certificate authorities. – Richard – 2016-06-02T21:33:40.927

@Ramhound: The difficulty I had was in finding said certificates. – Richard – 2016-06-02T21:34:05.253

Answers

66

First things first:

DO NOT DO THE FOLLOWING IF YOU DO NOT TRUST THE CERTIFICATE ISSUER

Doing this allows a man-in-the-middle to see all of your communications. This fix should only be employed if you are in a situation which warrants it, not if you're sitting at a coffee shop and having problems connecting to things.

That said...

The first step is to acquire the certificate of the MITM.

To do so, click the little HTTPS lock and hit details:

Page details

Click "View Certificate" in the dialog that comes up.

Certificate details pane

Hit "Details" in the Certificate viewer and select the top certificate, which should be from an address other than the one you were trying to get to (see picture):

Certificate viewer

Then hit "Export" and save the certificate file.

Now, go to Settings → Advanced → Manage Certificates... → Authorities

Settings menu

And hit "Import". Select the certificate file you saved previously and hit all of the check boxes that appear, authorizing it to certify everything.

Manage certificates menu

Richard

Posted 2016-06-02T19:36:42.173

Reputation: 2 565

// , My dialog for Certificate Viewer does not include two tabs, nor can I export the certificate file. On what version of Chrome or Chromium did you test this? – Nathan Basanese – 2016-10-04T09:29:24.760

@NathanBasanese: I'm sorry; I'm not sure what version it was. I've since changed locations. – Richard – 2016-10-04T14:24:13.810

2 I had to restart chrome before this was working correctly on windows (kill chrome task). Great guide – Sam – 2017-03-07T22:30:20.980

7 "Details" link is not displayed in Chrome OSX 57.0.2987.110 (64-bit) – DanH – 2017-03-21T12:56:14.393

3 Chrome 57.0.2987.133 (64-bit), OSX 10.9.4. I opened the Security tab from Inspect Element in developer tools, and I can see the details of the certificate, but there is no Export either. I can export the certificate using Firefox. But when I opened Manage Certificates in Chrome and tried to import the certificate into Chrome, Chrome opened the system certificate manager instead of the Chrome certificate manager. Then I tried typing chrome://settings/certificates into the address bar; it only redirected to chrome://settings. – Nick Dong – 2017-04-24T09:08:11.440

Perfect, the first time it didn't work because I hadn't selected the 'TOP' certificate in picture #3 – bormat – 2018-05-06T08:49:30.980

I had to export localhost certificates as pfx file from Certificates dialog -> Personal tab, and reimported them into "Trusted Root Certification Authorities" tab. Now my angular app is not triggering certificate error when using post method to an HTTPS service – Junior M – 2018-07-03T01:30:27.017

I tried this technique but got the error Certification Authority Import Error The file contained one certificate, which was not imported: localhost.localdomain: Not a Certification Authority. I implemented the fix with https://stackoverflow.com/a/31900210/105539

– Volomike – 2019-04-27T07:59:11.827

Shortlink to the certificate settings: chrome://settings/certificates – works for Vivaldi as well. – dessert – 2020-01-25T16:53:35.320

I get an error on importing the certificate, "private key is not valid or does not exist", on my certs tab. On the other tab, named Authorities, I get "cert_name: is not authorities cert" – tryingHard – 2020-02-26T13:52:28.160
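Added example (not part of the original answer or its comments): a shell check to run on the exported file before importing it under Authorities. It confirms the file is a CA certificate, which is the condition behind the "Not a Certification Authority" import error reported above, and compares its SHA-256 fingerprint with the value obtained from your IT department out of band. It assumes OpenSSL is installed and the export is in PEM format; the function names are illustrative, and `make_sample_cert` only builds throwaway, constructed test input.

```shell
#!/bin/sh
# Added example: vet an exported certificate before trusting it as an authority.

# Print the SHA-256 fingerprint as lowercase hex without separators.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Succeed only if basicConstraints marks the certificate as a CA.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# vet_ca_cert FILE EXPECTED_SHA256
# Returns 0 if acceptable, 2 if not a CA certificate, 3 on fingerprint mismatch.
vet_ca_cert() {
    vet_expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    if ! cert_is_ca "$1"; then
        echo "REJECT: not a CA certificate (leaf exported instead of the top one?)"
        return 2
    fi
    vet_actual=$(cert_fingerprint "$1")
    if [ "$vet_actual" != "$vet_expected" ]; then
        echo "REJECT: fingerprint $vet_actual does not match the expected value"
        return 3
    fi
    echo "OK: CA certificate with matching fingerprint"
}

# Constructed test input: a throwaway self-signed certificate.
# make_sample_cert OUT.pem TRUE|FALSE   (second argument sets CA:TRUE or CA:FALSE)
make_sample_cert() {
    sample_cnf=$(mktemp)
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' \
        'prompt=no' '[dn]' 'CN=Constructed Sample' '[v3]' \
        "basicConstraints=critical,CA:$2" > "$sample_cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$sample_cnf.key" \
        -out "$1" -days 1 -config "$sample_cnf" 2>/dev/null
    rm -f "$sample_cnf" "$sample_cnf.key"
}
```

Run `vet_ca_cert exported.pem "<fingerprint from IT>"` and import the file only when it prints OK; a fingerprint read from the intercepted connection itself proves nothing.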

32

I hope I'm not reviving this too late in the game, but I was looking for this answer and figured out how to make Richard's solution work with Chrome 59.0.3071.115 for the Mac.

  1. Load the page with the self-signed certificate that's causing Chrome to throw the error
  2. Hit the triple-horizontal-dots in the top right to get to More Tools > Developer Tools; click on the Security tab
  3. Click "View certificate"
  4. In the little window that pops up, there should be a picture of a certificate. Click/drag that to some location in Finder.
  5. Triple-horizontal-dots > Settings > Advanced > Manage certificates
  6. If the keychain is locked (lock in the top-left corner of the window that pops up), unlock it using your system password
  7. Select "login" under Keychains (on the top-left) and "Certificates" under Category (on the bottom-left)
  8. Click/drag the certificate that you downloaded over to the right side of the Keychain Access window
  9. Lock the lock at the top left of the Keychain Access window
  10. Close and re-open Chrome (make sure Chrome fully closed -- force quit if you need to)
  11. In Keychain, right-click your cert, "Get Info", "Trust" and "Always Trust" for SSL!

Paul Fernandez

Posted 2016-06-02T19:36:42.173

Reputation: 421

1 Click drag not working on windows 10. Also I see no "login" in the manage certificates window... – Radmation – 2018-08-27T16:45:25.513

3 Great, thanks! One more step for me (Chrome as of Oct 26, 2018): in Keychain, right-click your cert, "Get Info", "Trust" and "Always Trust" for SSL! – Nico – 2018-10-26T22:04:49.823

For Chrome version 75.0.3770.142, closing (and re-opening) wasn't necessary. – Kenny Evitt – 2019-07-22T15:57:11.113

Click-drag working on macOS Mojave (10.14). Thank you for an actual detailed solution to this. – Lucio Mollinedo – 2019-07-26T18:48:09.230

18

If you've just installed an SSL cert on your website after getting this error, you may need to restart Chrome. Easiest way is to go to chrome://restart so that it reopens all your tabs.

I was getting this error even though SSL Labs was telling me I had an A+ cert. Chrome was just being dumb and not refreshing properly.

mpen

Posted 2016-06-02T19:36:42.173

Reputation: 9 109

This saved me hours of work. Absolutely essential. Thank you. – DAB – 2019-11-30T15:02:36.663

2

For me I had to upgrade my browser version to the latest and it worked.

David Okwii

Posted 2016-06-02T19:36:42.173

Reputation: 131

2

One more option: less common but worth knowing.

Your computer may have an old certificate on it and ignore the current one.

I had to go to the Keychain app on a Mac and delete the expired/untrusted certificates so it would download new ones.

Nohl

Posted 2016-06-02T19:36:42.173

Reputation: 21

1 How to delete the expired/untrusted certificates – Ipsita Rout – 2019-03-19T07:11:08.590

2

If you click the advanced link you are given the option to proceed anyway.


Subsequently, when you visit the same site, the warning won't be shown, but the address bar will show "Not secure". If you click on the words "Not secure", you are informed that you have chosen to disable warnings for this site, but you can re-enable them.


user3185563

Posted 2016-06-02T19:36:42.173

Reputation: 121

3 It looks like the "proceed anyway" link has been removed – jrh – 2019-03-19T19:36:08.200

1 @jrh it is still there if you open it in incognito mode, but in normal browser mode it is gone – Miroslav Saracevic – 2019-08-12T12:24:24.217

@MiroslavSaracevic I don't see it in Incognito mode either, I think there's more than one kind of certificate error.

– jrh – 2019-08-12T14:09:10.453