Chrome - Password saving with self-signed or broken SSL

28

6

I have searched frequently for a way to do this and never found a good answer, though there have been tickets created in the past (#142818 & #405549).

Apparently, the Chromium devs have failed to create a chrome://flags override for "broken" SSL and/or password saving. This would seem to be the easiest way to fix this annoying "feature" (via flags). I DO understand completely why they block it by default.

Since there is no override to my knowledge, I had assumed that you would need to import the given self-signed certificate to a trusted root area in the (Windows) store. This does not appear to work either.

Has anyone been able to get this to work? I can live with the warning - just not the lack of password saving. I spend most of my workday in a dev environment and need to keep re-entering passwords dozens of times a day (copy/paste).

bshea

Posted 2017-08-15T16:02:15.887

Reputation: 678

Importing your self-signed cert into the Windows certificate store does work for Chrome, I do this all the time. How are you importing it and into which store? – heavyd – 2017-08-15T16:08:38.800

Last attempt - Import self-signed .cer format into "Trusted Root Cert Auths./Certificates" – bshea – 2017-08-15T19:51:51.170

Not to state the obvious, but wouldn't it be a bit easier if Chrome just added a flag override for us? Anyway, if you can point me in the right direction or tell me what I am doing wrong, please do :) – bshea – 2017-08-15T20:00:53.310

Importing your self-signed cert into the Windows certificate store does not work for me either – Ivan – 2018-01-19T10:01:52.933

Update - I have never found an easy way/flag to do this as of the date of this comment. But, with the advent of free certificate issuance (LetsEncrypt/etc), my password saving problems have been slowly going away, as most times I can just create a legitimate SSL certificate. Problem solved. Note: The web server (during cert issuance) and client browser need access to the Internet, though. Which usually isn't an issue.. – bshea – 2020-02-03T15:27:41.563

Answers

10

I did not know about this option before today, but it appears that Chrome does have a flag for allowing insecure certificates from the localhost origin. This option is available from the chrome://flags/#allow-insecure-localhost page:

Screenshot

This will only help you for self-signed certificates on the localhost origin, and I have not tested it to see if it actually fixes your problem with the password manager, but it looks promising.

heavyd

Posted 2017-08-15T16:02:15.887

Reputation: 54 755

Wasn't sure who answered first so gave the approve to first one. Flag doesn't cover all I needed it to, but will help.. – bshea – 2017-08-16T14:59:09.683

2 @bshea, FYI hovering over the "answered XX minutes/hours/days ago" label will display an exact timestamp. – heavyd – 2017-08-16T15:31:05.223

2 I wish Chrome flags would support a complete override on cert checks (or specifically password saving from non-localhost source). There is a nice warning about using flags.. so I don't see why they don't. Liability I guess. – bshea – 2017-08-16T19:33:24.137

1 @bshea, yeah I think they're trying to be security conscious. If the flag is there, then lazy website owners or malicious actors may instruct users to go flip the flag to enable their bad practices. If the flag is not there, there is no bypass – heavyd – 2017-08-16T20:17:28.973

This didn't work for me. What worked for me was to generate a self-signed certificate and add it to the system truststore as always trusted. – Vic Seedoubleyew – 2019-06-10T17:28:42.783

Anyone with a solution for Chrome on Mac? Nothing has worked yet for me for self-signed certificates on localhost. – FFrewin – 2019-08-23T16:06:10.780

This doesn't answer the question. It works on localhost but not with expired certificates on the internet. – Bachsau – 2019-11-24T15:38:21.707

7

Alternatively, you can start Chrome with a command line switch --unsafely-treat-insecure-origin-as-secure="http://example.com" or go to chrome://flags/#unsafely-treat-insecure-origin-as-secure and enter your unsafe origin, e.g. http://example.com.

niutech

Posted 2017-08-15T16:02:15.887

Reputation: 763

Nice. Hadn't seen that flag/switch before. Can you also save a password for that 'bad ssl' domain? – bshea – 2019-01-23T23:13:46.757

Didn't work for me either. I had to generate a self-signed certificate and add it to the system truststore – Vic Seedoubleyew – 2019-06-10T17:29:02.033

I don't think this is for SSL/TLS at all. The secure origin policy is about cross site scripting, not encryption and authentication. – Bachsau – 2019-11-24T15:40:00.933

2

Navigate to chrome://flags/#allow-insecure-localhost (or just right click this link and click "Open link in new tab").

Then click "Enable".

Just be extremely wary that this is a major security flaw.

Edit: link no longer works due to the fact that Chrome no longer allows hyperlinks to the Chrome protocol due to security regarding the use of URL encoding in hyperlinks to the protocol. Certain URL-encoded strings would crash older versions of Chrome. Rather than fixing this issue, they completely eliminated the option for hyperlinks. So just navigate to that location by copying and pasting the link.

var firstName

Posted 2017-08-15T16:02:15.887

Reputation: 1 673

That flag is news to me. Not quite what I needed (localhost only), but it will certainly help.. Thanks. – bshea – 2017-08-16T14:55:56.560

just FYI - the link doesn't work – redbeam_ – 2019-06-19T15:10:21.090

0

I suggest you use a macro (iMacros) instead of breaking the security defaults of Chrome; that is also better for protecting you from viruses.

Edit:

  • Download the iMacros Chrome extension
  • Install it
  • Open a new Chrome tab
  • Open iMacros
  • Then move to the Record section and press Record
  • In the new tab, go to the login page
  • Fill in your username and password
  • Press login
  • Then stop recording and save the page

And voila, now you can play your recorded macro from the bookmark section to log in effortlessly.

rizky ap

Posted 2017-08-15T16:02:15.887

Reputation: 1

1 Welcome to Super User! Could you edit your answer to make it clear how it is answering the question? – Glorfindel – 2019-02-24T13:06:50.803

0

None of these worked for me. I ended up following a combination of the PowerShell answers from here, adding the -NotAfter flag as well, slightly modified to use copy and paste from comments instead of exporting the cert. Once I had all this working for the correct domains, Chrome stopped saying the cert was invalid and prompted to save the password.

To create the new certificate for your specific domain:

Open PowerShell ISE as admin, run the command:

New-SelfSignedCertificate -DnsName *.mydomain.com, localhost -CertStoreLocation cert:\LocalMachine\My

To trust the new certificate:

  • Open mmc.exe
  • Go to Console Root -> Certificates (Local Computer) -> Personal
  • Select the certificate you have created, copy
  • Go to Console Root -> Certificates -> Trusted Root Certification Authorities, paste

To bind the certificate to your site:

  • Open IIS Manager
  • Select your site and choose Edit Site -> Bindings in the right pane
  • Add new https binding with the correct hostname and the new certificate

BlackICE

Posted 2017-08-15T16:02:15.887

Reputation: 99
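
The create and trust steps from the answer above, scripted end to end as an added example that is not part of the original post (the IIS binding step stays manual). The DNS names are the ones from the answer; the one-year lifetime passed to -NotAfter, the friendly name and the temporary file path are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted version of the "create" and "trust" steps.
# Assumed values: one-year lifetime, friendly name, temp file path.
$dnsNames = '*.mydomain.com', 'localhost'
$lifetime = (Get-Date).AddYears(1)

# 1. Create the certificate and its private key in LocalMachine\My.
#    -DnsName populates the subjectAltName extension, which Chrome
#    requires for hostname matching (it ignores the subject CN).
$cert = New-SelfSignedCertificate -DnsName $dnsNames `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -NotAfter $lifetime `
    -FriendlyName 'Dev self-signed (example)'

# 2. Confirm the SAN extension (OID 2.5.29.17) exists before trusting it.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) {
    throw 'Certificate has no subjectAltName; Chrome will not accept it.'
}
"SAN: " + $san.Format($false)

# 3. Export the public certificate only (no private key) and import it
#    into Trusted Root, replacing the mmc copy/paste step.
$cerPath = Join-Path $env:TEMP 'dev-selfsigned.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath `
    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Remove-Item $cerPath

# 4. Verify the trust entry by thumbprint.
$trusted = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $trusted) { throw 'Import into Trusted Root failed.' }
"Trusted {0} until {1:u}" -f $cert.Thumbprint, $cert.NotAfter

# Cleanup once the dev site is retired (uncomment to run):
# Remove-Item "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
# Remove-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" -DeleteKey
```

Restart Chrome after the import so it picks up the new trust entry, and remove both store entries when the certificate is no longer needed, since a Trusted Root entry applies machine-wide.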