Can I configure Chrome to stop warning about SHA-1 signed server certs?

2

1

I'm using Chrome on a closed lab network. I have no control over the servers I'm talking to, which use SHA1-signed certs for HTTPS. Should they be using better certs? Of course, but I can't fix that. I just don't want to be bothered about it by my browser every time I open the sites.

Does Chrome have a flag or registry setting I could change that will stop warning about SHA1 certs? Obviously this would be dangerous for use on the actual internet, but not every network is under threat of attack.

James B

Posted 2017-04-25T09:43:24.983

Reputation: 369

This may be of use http://stackoverflow.com/questions/26388405/chrome-disable-ssl-checking-for-sites .

– None – 2017-04-25T09:47:20.127

@iain - that switch does stop giving me cert errors, though it'd be nice to tell the difference between "uses a signature algorithm that a nation-state could maybe spoof" and "presents a totally and obviously bogus cert" – James B – 2017-04-25T09:59:17.650

This is a Chrome config question and not a security question – schroeder – 2017-04-25T10:59:50.507

1

Does this help?

– garethTheRed – 2017-04-25T17:22:19.547

I can't test it right now but I will pass it along to our admins -- that sounds a lot like what I was looking for. Thanks! – James B – 2017-04-26T08:08:40.577

Answers

2

For Mac users: run this command to create a plist file in XML format:

cat >com.google.Chrome.plist <<POLICY
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnableSha1ForLocalAnchors</key>
    <true/>
</dict>
</plist>
POLICY

Convert it to binary format using: plutil -convert binary1 com.google.Chrome.plist

Move it into your system preferences: sudo cp com.google.Chrome.plist /Library/Preferences/

Now visit chrome://policy and ensure EnableSha1ForLocalAnchors is set to true and has OK status (requires a Chrome restart).

For Windows, an update is required in the Registry:

https://www.chromium.org/administrators/policy-list-3#EnableSha1ForLocalAnchors

maxmithun

Posted 2017-04-25T09:43:24.983

Reputation: 139

1

Disable the certificate warning using the commands below.

Windows users - execute chrome.exe with the parameters below, or add the parameters to the Chrome shortcut

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ignore-certificate-errors --ignore-urlfetcher-cert-requests

Mac users - execute the command from the terminal

"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --ignore-certificate-errors --ignore-urlfetcher-cert-requests &> /dev/null

maxmithun

Posted 2017-04-25T09:43:24.983

Reputation: 139

Max, take a look at the comments on the question -- the switch you specified ignores all cert errors, which technically solves the problem, but I'd like to keep warning about other errors while ignoring the SHA1 issue specifically. – Coderer – 2017-10-13T06:53:23.407

Coderer, I have updated the steps for enabling SHA-1 in chrome://policy as a new answer – maxmithun – 2017-10-27T01:09:22.777