1825

I have created a self-signed SSL certificate for the localhost CN. Firefox accepts this certificate after initially complaining about it, as expected. Chrome and Internet Explorer. However, they refuse to accept it, even after adding the certificate to the system certificate store under Trusted Roots. Even though the certificate is listed as correctly installed when I click "View certificate information" in Chrome's HTTPS popup, it still insists the certificate cannot be trusted.

What am I supposed to do to get Chrome to accept the certificate and stop complaining about it?

Improve this question
8
  • 17
    When you say Firefox complains about it initially, do you mean that it asks you to add a certificate exception? This shouldn't happen if the certificate is correctly installed. It sounds to me that all three browsers are complaining, but Firefox allows you to cancel its complaint. I'm posting this as a comment as I don't have a specific answer, but I have done exactly this and it works fine in all three browsers. I would suggest that you try and get it working on IE first, and then once that is happy worry about the other two. Sorry I couldn't be of more help! Commented Sep 28, 2011 at 8:49
  • 2
    You have to create a well formed certificate, including the way DNS names are presented. OpenSSL does not present them in a way that satisfies the browsers out-of-the-box. See How to create a self-signed certificate with openssl?. Commented Jan 13, 2015 at 23:33
  • 6
    Firefox does not use the system certificate store. Commented Aug 9, 2015 at 1:56
  • 8
    If your cert's signature uses SHA-1, recent versions of Chrome (circa 57) will display warnings even if you've been able to add your custom cert successfully. Regardless, the "Security" panel of the developer tools will say more specifically what the problem is e.g.: net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM. Commented Apr 26, 2017 at 3:40
  • 3
    Type thisisunsafe in chrome. This has been changed Commented Mar 7, 2018 at 3:26

52 Answers 52

Reset to default
1
2
1291

For localhost only (Chrome 119 and above)

  1. Simply visit this link in your Chrome:

    chrome://flags/#temporary-unexpire-flags-m118

  2. You should see highlighted text saying:

    Temporarily unexpire flags that expired as of M118. These flags will be removed soon. – Mac, Windows, Linux, ChromeOS, Android, Fuchsia, Lacros

  3. Click Enable Then relauch Chrome.

For localhost only (Chrome 118 and below)

  1. Simply visit this link in your Chrome:

    chrome://flags/#allow-insecure-localhost

  2. You should see highlighted text saying:

    Allow invalid certificates for resources loaded from localhost

  3. Click Enable.

Options for other sites

Improve this answer
Sign up to request clarification or add additional context in comments.

Disables the warning...but also the cache! bugs.chromium.org/p/chromium/issues/detail?id=103875
this won't work if you're using chrome in Incognito mode (to switch identities for eg) but very clean otherwise
This - if you can stand the annoying red Not Secure msg. Otherwise it's hours of mysterious openssl incantations then trying to deal with the internal cert manager in Chrome.
I don't know why this answer has been voted but there is a difference between Invalid certificate and self-signed certificate. The question is about self signed cert.
Did not work for me at all. What worked for me was to generate a self-signed certificate including subjectAltName, as explained by this answer: stackoverflow.com/a/42917227/2873507
586

This worked for me:

  1. Using Chrome, hit a page on your server via HTTPS and continue past the red warning page (assuming you haven't done this already).
  2. Open up Chrome Settings > Show advanced settings > HTTPS/SSL > Manage Certificates.
  3. Click the Authorities tab and scroll down to find your certificate under the Organization Name that you gave to the certificate.
  4. Select it, click Edit (NOTE: in recent versions of Chrome, the button is now "Advanced" instead of "Edit"), check all the boxes and click OK. You may have to restart Chrome.

You should get the nice green lock on your pages now.

EDIT: I tried this again on a new machine and the certificate did not appear on the Manage Certificates window just by continuing from the red untrusted certificate page. I had to do the following:

  1. On the page with the untrusted certificate (https:// is crossed out in red), click the lock > Certificate Information. NOTE: on newer versions of chrome, you have to open Developer Tools > Security, and select View certificate.
  2. Click the Details tab > Export. Choose PKCS #7, single certificate as the file format.
  3. Then follow my original instructions to get to the Manage Certificates page. Click the Authorities tab > Import and choose the file to which you exported the certificate, and make sure to choose PKCS #7, single certificate as the file type.
  4. If prompted certification store, choose Trusted Root Certificate Authorities
  5. Check all boxes and click OK. Restart Chrome.
Improve this answer

Alternate step 2: navigate to chrome://settings/certificates. Also if you've been messing with generating your self-signed cert and have made more than one, try using this page to locate and delete a previously imported cert, and then re-import.
chrome://settings/certificates no longer works, and there is no Authorities tab in Chrome settings > Security > Manage certificates. Has anyone got updated instructions?
chrome://settings/certificates does not exist fro Chrome under Windows. The certificates section merely opens the Windows cert-chain tool – Chrome does not seem to have an own storeage for certs un der Windows
The EDIT steps of original answer worked for me using Chrome Version 99.0.4844.51. To save as PKCS #7, single certificate I used .p7b extension and imported as described here.
This worked well. I just needed to update my certificate to include an alternative name so it would fully stop complaining.
517

With only 5 openssl commands, you can accomplish this.

(Please don't change your browser security settings.)

With these commands, you can:

  1. Become your own CA
  2. Then sign your SSL certificate as a CA

Instructions:

  1. Copy the code snippet into a new file.
  2. Update the variable NAME (and optionally DNS.2 and IP.1) and save the file.
  3. Run the script (e.g. bash generate_certs.sh). This will generate myCA.pem, $NAME.crt, and $NAME.key for you.
  4. Then in your Chrome settings import the generated CA certificate (myCA.pem) as an "Authority" (not into "Your Certificates"): Settings > Manage certificates > Authorities > Import.
  5. Use the generated $NAME.crt and $NAME.key files in your server for SSL/TLS.

NB: For Windows, some reports say that openssl must be run with winpty to avoid a crash.

######################
# Become a Certificate Authority
######################

# Generate private key
openssl genrsa -des3 -out myCA.key 2048
# Generate root certificate
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem

######################
# Create CA-signed certs
######################

NAME=mydomain.example # Use your own domain name
# Generate a private key
openssl genrsa -out $NAME.key 2048
# Create a certificate-signing request
openssl req -new -key $NAME.key -out $NAME.csr
# Create a config file for the extensions
>$NAME.ext cat <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
DNS.2 = bar.$NAME # Optionally, add additional domains (I've added a subdomain here)
IP.1 = 192.168.0.13 # Optionally, add an IP address (if the connection which you have planned requires it)
EOF
# Create the signed certificate
openssl x509 -req -in $NAME.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial \
-out $NAME.crt -days 825 -sha256 -extfile $NAME.ext

Recap

  1. Run the code snippet to (a) become a CA and (b) sign your certificate using your CA cert+key.
  2. Import myCA.pem as an "Authority" in your Chrome settings (Settings > Manage certificates > Authorities > Import).
  3. Use the $NAME.crt and $NAME.key files in your server.

You can check your work to ensure that the certificate is built correctly:

openssl verify -CAfile myCA.pem -verify_hostname bar.mydomain.example mydomain.example.crt

Extra steps for Mac

  1. Import the CA cert at "File > Import file", then also find it in the list, right click it, expand "> Trust", and select "Always"
  2. Add extendedKeyUsage=serverAuth,clientAuth below basicConstraints=CA:FALSE, and make sure you set the "CommonName" to the same as $NAME when it asks for setup.

Extra steps for Windows

  1. Convert the myCA.pem to myCA.pfx by doing:

    openssl pkcs12 -export -out myCA.pfx -inkey myCA.key -in myCA.pem

  2. Import the myCA.pfx into the Trusted Certificate Authorities of Windows by opening (double-click) the myCA.pfx file, selecting "Local Machine" and Next, Next again, enter the password and then Next, and select "Place all certificates int he following store:" and click on Browse and choose "Trusted Root Certification Authorities" and Next, and then Finish.

Now your CA certificate is trusted by Windows. When you import and use the $NAME certificate it will be automatically trusted by Windows and Chrome.

Improve this answer

@maverick browsers and operating systems ship with a limited number of CA's that they trust. Although anyone can become a CA, to get anyone to trust their certificates, they'd need people to manually add them as a trusted CA (as we tell Chrome to do when we manually import a certificate).
Great! Two remarks for Mac users like me: On the last line, use -days 825 instead of -days 1825 due to superuser.com/questions/1492643/…, and it's worth noting that to import the root cert into Key Chain Access, you need not only to "File > Import file", but then also to find it in the list, right click it, expand "> Trust", and select "Always".
if you need a PEM file instead of a CRT file for your local dev server don't worry, just combine .crt and .csr files and save them as a .pem file, and you are good to go.
AT LAST IT WORKS! BRAVO for this answer. Please don't forget to load myCA.pem to your Chrome or Firefox (Settings > Manage certificates > Authorities > Import)
In Chrome/ium on Windows when you try to import the certificate, pem is not listed in the available file extensions, but it can still import it (just select all files filter).
287

Click anywhere on the page and type a BYPASS_SEQUENCE:

BYPASS_SEQUENCE Chrome Version
thisisunsafe 65 - ?
badidea 62 - 64
danger ? - 61

You don't need to look for an input field; just type it. It feels strange, but it works. I tried it on macOS v10.13 (High Sierra).

To double check if they changed it again, go to the latest Chromium source code. At the moment the BYPASS_SEQUENCE looks like this:

var BYPASS_SEQUENCE = window.atob('dGhpc2lzdW5zYWZl');

Now they have it camouflaged, but to see the real BYPASS_SEQUENCE you can run following line in a browser console.

console.log(window.atob('dGhpc2lzdW5zYWZl'));

OR

As an alternative to typing the phrase, you can paste this code snippet into the console.

sendCommand(SecurityInterstitialCommandId.CMD_PROCEED)
Improve this answer

I was so skeptical this would actually work, it felt like entering cheat codes into a game. But lo and behold, thisisunsafe really does work for Chrome 86.
If you see the "this certificate is invalid" page simply type in the letters and the window should reload and display the content of the page. (I'm also on Chrome 91 and for me it still works.)
The problem is that the button does not appear on localhost.
instead of typing phrase you can paste the part of code in console sendCommand(SecurityInterstitialCommandId.CMD_PROCEED)
This still works on Chrome version 100, April 2022.
195

Update for Chrome 58+ (Released 2017-04-19)

As of Chrome 58, the ability to identify the host using only commonName was removed. Certificates must now use subjectAltName to identify their host(s). See further discussion here and bug tracker here. In the past, subjectAltName was used only for multi-host certs so some internal CA tools don't include them.

If your self-signed certs worked fine in the past but suddenly started generating errors in Chrome 58, this is why.

So whatever method you are using to generate your self-signed cert (or cert signed by a self-signed CA), ensure that the server's cert contains a subjectAltName with the proper DNS and/or IP entry/entries, even if it's just for a single host.

For openssl, this means your OpenSSL config (/etc/ssl/openssl.cnf on Ubuntu) should have something similar to the following for a single host:

[v3_ca]   # and/or [v3_req], if you are generating a CSR
subjectAltName = DNS:example.com

or for multiple hosts:

[v3_ca]   # and/or [v3_req], if you are generating a CSR
subjectAltName = DNS:example.com, DNS:host1.example.com, DNS:*.host2.example.com, IP:10.1.2.3

In Chrome's cert viewer (which has moved to "Security" tab under F12) you should see it listed under Extensions as Certificate Subject Alternative Name:

Chrome cert viewer

Improve this answer

Hi, I added Subject Alternative name but, imported to My store and the CA authority is in the trusted store, rebooted Chrome but still it is saying SAN is missing
The v3_req option worked for me in getting the subjectAltName in the CSR. However, when generating the cert using my self-signed CA it was ignored. (Using LibreSSL 2.6.5) As shown in the OpenSSL cookbook (see "Creating Certificates Valid for Multiple Hostnames"), what I needed for the latter was create a myserver.ext text file containing subjectAltName = DNS:localhost . And then I ran openssl x509 -req ... -extfile myserver.ext . I could confirm SAN added via "openssl x509 -text -in myserver.crt -noout"
155

On the Mac, you can use the Keychain Access utility to add the self-signed certificate to the System keychain, and Chrome will then accept it. I found the step-by-step instructions here:

Google Chrome, Mac OS X and Self-Signed SSL Certificates

Basically:

  1. double-click the lock icon with an X and drag-and-drop the certificate icon to the desktop,
  2. open this file (ending with a .cer extension); this opens the keychain application which allows you to approve the certificate.
Improve this answer

After you open the cert in the keychain app, edit the trust settings and set SSL to "Always Trust"
143

On the Mac, you can create a certificate that's fully trusted by Chrome and Safari at the system level by doing the following:

# create a root authority cert
./create_root_cert_and_key.sh

# create a wildcard cert for mysite.com
./create_certificate_for_domain.sh mysite.com

# or create a cert for www.mysite.com, no wildcards
./create_certificate_for_domain.sh www.mysite.com www.mysite.com

The above uses the following scripts, and a supporting file v3.ext, to avoid subject alternative name missing errors

If you want to create a new self signed cert that's fully trusted using your own root authority, you can do it using these scripts.

create_root_cert_and_key.sh

#!/usr/bin/env bash
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

create_certificate_for_domain.sh

#!/usr/bin/env bash

if [ -z "$1" ]
then
  echo "Please supply a subdomain to create a certificate for";
  echo "e.g. www.mysite.com"
  exit;
fi

if [ ! -f rootCA.pem ]; then
  echo 'Please run "create_root_cert_and_key.sh" first, and try again!'
  exit;
fi
if [ ! -f v3.ext ]; then
  echo 'Please download the "v3.ext" file and try again!'
  exit;
fi

# Create a new private key if one doesnt exist, or use the xeisting one if it does
if [ -f device.key ]; then
  KEY_OPT="-key"
else
  KEY_OPT="-keyout"
fi

DOMAIN=$1
COMMON_NAME=${2:-*.$1}
SUBJECT="/C=CA/ST=None/L=NB/O=None/CN=$COMMON_NAME"
NUM_OF_DAYS=825
openssl req -new -newkey rsa:2048 -sha256 -nodes $KEY_OPT device.key -subj "$SUBJECT" -out device.csr
cat v3.ext | sed s/%%DOMAIN%%/"$COMMON_NAME"/g > /tmp/__v3.ext
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days $NUM_OF_DAYS -sha256 -extfile /tmp/__v3.ext 

# move output files to final filenames
mv device.csr "$DOMAIN.csr"
cp device.crt "$DOMAIN.crt"

# remove temp file
rm -f device.crt;

echo 
echo "###########################################################################"
echo Done! 
echo "###########################################################################"
echo "To use these files on your server, simply copy both $DOMAIN.csr and"
echo "device.key to your webserver, and use like so (if Apache, for example)"
echo 
echo "    SSLCertificateFile    /path_to_your_files/$DOMAIN.crt"
echo "    SSLCertificateKeyFile /path_to_your_files/device.key"

v3.ext

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
    
[alt_names]
DNS.1 = %%DOMAIN%%

One more step - How to make the self signed certs fully trusted in Chrome/Safari

To allow the self signed certificates to be FULLY trusted in Chrome and Safari, you need to import a new certificate authority into your Mac. To do so follow these instructions, or the more detailed instructions on this general process on the mitmproxy website:

You can do this one of 2 ways, at the command line, using this command which will prompt you for your password:

$ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain rootCA.pem

or by using the Keychain Access app:

  1. Open Keychain Access
  2. Choose "System" in the "Keychains" list
  3. Choose "Certificates" in the "Category" list
  4. Choose "File | Import Items..."
  5. Browse to the file created above, "rootCA.pem", select it, and click "Open"
  6. Select your newly imported certificate in the "Certificates" list.
  7. Click the "i" button, or right click on your certificate, and choose "Get Info"
  8. Expand the "Trust" option
  9. Change "When using this certificate" to "Always Trust"
  10. Close the dialog, and you'll be prompted for your password.
  11. Close and reopen any tabs that are using your target domain, and it'll be loaded securely!

and as a bonus, if you need java clients to trust the certificates, you can do so by importing your certs into the java keystore. Note this will remove the cert from the keystore if it already exists, as it needs to update it in case things change. It of course only does this for the certs being imported.

import_certs_in_current_folder_into_java_keystore.sh

KEYSTORE="$(/usr/libexec/java_home)/jre/lib/security/cacerts";

function running_as_root()
{
  if [ "$EUID" -ne 0 ]
    then echo "NO"
    exit
  fi

  echo "YES"
}

function import_certs_to_java_keystore
{
  for crt in *.crt; do 
    echo prepping $crt 
    keytool -delete -storepass changeit -alias alias__${crt} -keystore $KEYSTORE;
    keytool -import -file $crt -storepass changeit -noprompt --alias alias__${crt} -keystore $KEYSTORE
    echo 
  done
}

if [ "$(running_as_root)" == "YES" ]
then
  import_certs_to_java_keystore
else
  echo "This script needs to be run as root!"
fi
Improve this answer

Running $ openssl genrsa -out rootCA.key 2048 before $ ./create_root_cert_and_key.sh fixes the "Error opening Private Key rootCA.key" error I ran into.
Figured it out the solution (in case anyone else hits this) was to change -key to -keyout... openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout device.key -subj "$SUBJECT" -out device.csr
For FireFox users, you can Import the rootCA.pem file created in this script to the Authorities tab under the Certificates tab in FF preferences - quick link here - about:preferences#advanced. When creating the .pem file, the common name is what controls the URL that is viewed as secure. Example: Common Name (e.g. server FQDN or YOUR name) []:127.0.0.1 You can run the script again (rename the original so you don't override the first .pem file) and use localhost as a common name for a second time. Import both of these .pem files into FF and you will enjoy Green Locks
I'm still getting an error in Chrome on my machine when doing this for localhost: Certificate error There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).
yeah the "One more step - How to make the self signed certs fully trusted in Chrome/Safari" step basically really means "How to make this cert trusted everywhere in your system, except java" - So if you want it to work in Java too, follow that part as well!
103

Linux

If you're using Linux, you can also follow these official wiki pages:

Basically:

  • click the lock icon with an X,
  • choose Certificate Information
  • go to the Details tab
  • Click on Export... (save as a file)

Now, the following command will add the certificate (where YOUR_FILE is your exported file):

certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n YOUR_FILE -i YOUR_FILE

To list all your certificates, run the following command:

certutil -d sql:$HOME/.pki/nssdb -L

If it still doesn't work, you could be affected by this bug: Issue 55050: Ubuntu SSL error 8179

P.S. Please also make sure that you have libnss3-tools, before you can use above commands.

If you don't have, please install it by:

sudo apt-get install libnss3-tools # on Ubuntu
sudo yum install nss-tools # on Fedora, Red Hat, etc.

As a bonus, you can use the following handy scripts:

File add_cert.sh

certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n $1 -i $1

File list_cert.sh

certutil -d sql:$HOME/.pki/nssdb -L # add '-h all' to see all built-in certs

File download_cert.sh

echo QUIT | openssl s_client -connect $1:443 | sed -ne '/BEGIN CERT/,/END CERT/p'

Usage:

add_cert.sh [FILE]
list_cert.sh
download_cert.sh [DOMAIN]

Troubleshooting

  • Run Chrome with --auto-ssl-client-auth parameter

    google-chrome --auto-ssl-client-auth

Improve this answer

Excellent, I love your scripts. You don't need the QUIT though (there is no such HTTP command as QUIT anyway), and you don't need the sed either, the nss tools can filter out the cert between BEGIN and END CERT. So the download_cert.sh can be simply this: echo | openssl s_client -connect $1:443
I have tried the other options but only this one currently works in Chrome 4x for linux it refused to import to any store using built in tools.
With Chrome on Ubuntu 20.04 I couldn't get this to work passing the "P,," but was eventually able to get it to work using CT,c,c
95

UPDATED Apr 23/2020

Recommended by the Chromium Team

Deprecating Powerful Features on Insecure Origins

Quick Super-Easy Solution

There is a secret bypass phrase that can be typed into the error page to have Chrome proceed despite the security error: thisisunsafe (in earlier versions of Chrome, type badidea, and even earlier, danger). Do not use this unless you understand exactly why you need it!

Source code:

chromium / chromium / src (D8FC08)

(Note that window.atob('dGhpc2lzdW5zYWZl') resolves to thisisunsafe)

The latest version of the source is @ https://chromium.googlesource.com/chromium/src/+/refs/heads/master/components/security_interstitials/core/browser/resources/interstitial_large.js and the window.atob function can be executed in a JavaScript console.

For background about why the Chrome team changed the bypass phrase (the first time):

"danger" shortcut removed (#41236621)

If all else fails (Solution #1)

For quick one-offs if the "Proceed Anyway" option is not available, nor the bypass phrase is working, this hack works well:

  1. Allow certificate errors from localhost by enabling this flag (note Chrome needs a restart after changing the flag value):

chrome://flags/#allow-insecure-localhost

(and vote-up answer https://stackoverflow.com/a/31900210/430128 by @Chris)

  1. If the site you want to connect to is localhost, you're done. Otherwise, setup a TCP tunnel to listen on port 8090 locally and connect to broken-remote-site.com on port 443, ensure you have socat installed and run something like this in a terminal window:

socat tcp-listen:8090,reuseaddr,fork tcp:broken-remote-site.com:443

  1. Go to https://localhost:8090 in your browser.

If all else fails (Solution #2)

Similar to "If all else fails (Solution #1)", here we configure a proxy to our local service using ngrok. Because you can either access ngrok http tunnels via TLS (in which case it is terminated by ngrok with a valid certificate), or via a non-TLS endpoint, the browser will not complain about invalid certificates.

Download and install ngrok and then expose it via ngrok.io:

ngrok http https://localhost

ngrok will start up and provide you a host name which you can connect to, and all requests will be tunneled back to your local machine.

Improve this answer

Anyone trying to use localhost with https for service workers, the first point of If-all-fails worked for me on chrome 60 ubuntu 14.04
this will still treat the cert as invalid and make the password manage refuse to work
94

UPDATE 11/2017: This answer probably won't work for most newer versions of Chrome.

UPDATE 02/2016: Better Instructions for Mac Users Can be Found Here.

  1. On the site you want to add, right-click the red lock icon in the address bar:enter image description here

    1. Click the tab labeled Connection, then click Certificate Information

    2. Click the Details tab, the click the button Copy to File.... This will open the Certificate Export Wizard, click Next to get to the Export File Format screen.

    3. Choose DER encoded binary X.509 (.CER), click Next

    4. Click Browse... and save the file to your computer. Name it something descriptive. Click Next, then click Finish.

    5. Open Chrome settings, scroll to the bottom, and click Show advanced settings...

    6. Under HTTPS/SSL, click Manage certificates...

    7. Click the Trusted Root Certification Authorities tab, then click the Import... button. This opens the Certificate Import Wizard. Click Next to get to the File to Import screen.

    8. Click Browse... and select the certificate file you saved earlier, then click Next.

    9. Select Place all certificates in the following store. The selected store should be Trusted Root Certification Authorities. If it isn't, click Browse... and select it. Click Next and Finish

    10. Click Yes on the security warning.

    11. Restart Chrome.

Improve this answer

@AJeneral Yeah, Chrome changed again. The instructions in this article worked for me recently.
This option doesn't exist on Mac Chrome latest as of the date of this comment.
@kgrote, Chrome does not have it's own certificate store. All it's doing is adding and removing the Windows one. As such, a better way is to simply use certmgr.msc to add and delete certs.
Did work for me, thanks. Had to restart Chrome and most importantly my certificate had to expire before 2017. SHA-1 stuff.
CHROME CHANGED YET AGAIN! Now the step "In the address bar, click the little lock with the X. This will bring up a small information screen." doesn't work.
62

If you're on a Mac and not seeing the export tab or how to get the certificate this worked for me:

  1. Click the lock before the https://
  2. Go to the "Connection" tab
  3. Click "Certificate Information"

Now you should see this:

Different information of course and yours should be marked as trusted yet (otherwise you probably wouldn't be here)

  1. Drag that little certificate icon do your desktop (or anywhere).
  2. Double click the .cer file that was downloaded, this should import it into your keychain and open Keychain Access to your list of certificates.

In some cases, this is enough and you can now refresh the page.

Otherwise: 7. Double click the newly added certificate. 8. Under the trust drop down change the "When using this certificate" option to "Always Trust"

Now reload the page in question and it should be problem solved!

To make this a little easier you can use the following script (source):

  1. Save the following script as whitelist_ssl_certificate.ssh:

    #!/usr/bin/env bash -e

SERVERNAME=$(echo "$1" | sed -E -e 's/https?:\/\///' -e 's/\/.*//')
echo "$SERVERNAME"

if [[ "$SERVERNAME" =~ .*\..* ]]; then
    echo "Adding certificate for $SERVERNAME"
    echo -n | openssl s_client -connect $SERVERNAME:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | tee /tmp/$SERVERNAME.cert
    sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" /tmp/$SERVERNAME.cert
else
    echo "Usage: $0 www.site.name"
    echo "http:// and such will be stripped automatically"
fi

  2. Make the script executable (from the shell):

    chmod +x whitelist_ssl_certificate.ssh

  3. Run the script for the domain you want (simply copy/pasting the full URL works):

    ./whitelist_ssl_certificate.ssh https://your_website/whatever
Improve this answer

This approach worked for me on OS X Mavericks, there was no Export option available as described in the top answer above.
Works great. The lock before https is still crossed out, but it's okay because there's no annoying popup anymore.
49

Filippo Valsorda wrote a cross-platform tool, mkcert, to do this for lots of trust stores. I presume he wrote it for the same reason that there are so many answers to this question: it is a pain to do the "right" thing for SubjectAltName certificates signed by a trusted root CA.

mkcert is included in the major package management systems for Windows, macOS, and several Linux flavors. It is also mentioned in the Chromium docs in Step 4 of Testing Powerful Features.

mkcert

mkcert is a simple tool for making locally-trusted development certificates. It requires no configuration.

$ mkcert -install

Created a new local CA at "/Users/filippo/Library/Application Support/mkcert" 💥
The local CA is now installed in the system trust store! ⚡️
The local CA is now installed in the Firefox trust store (requires browser restart)! 🦊

$ mkcert example.com "*.example.com" example.test localhost 127.0.0.1 ::1

Using the local CA at "/Users/filippo/Library/Application Support/mkcert" ✨

Created a new certificate valid for the following names 📜
 - "example.com"
 - "*.example.com"
 - "example.test"
 - "localhost"
 - "127.0.0.1"
 - "::1"

The certificate is at "./example.com+5.pem" and the key at "./example.com+5-key.pem" ✅
Improve this answer

I could not get this to work, at least for my subdomains of the sslip.io service.
As of today on a brand new mac, I got this to work -- but oddly enough Chrome 100.0.48 was very finicky with the "Not Secure" message until I undid the allow-insecure-localhost flag and went into keychain and check "trust all" on the certificates.... I guess its "secure" now? Another workaround was dragging the certificate icons out of chrome on the desktop and reimporting them into keychain, re-trusting them.
Works like a charm if you don't forget to trust the CA with mkcert -install
I had to Trust All in KeyChain Access and restart Chrome but it worked!
39

For a test environment

You can use --ignore-certificate-errors as a command line parameter when launching chrome (Working on Version 28.0.1500.52 on Ubuntu).

This will cause it to ignore the errors and connect without warning. If you already have a version of chrome running, you will need to close this before relaunching from the command line or it will open a new window but ignore the parameters.

I configure Intellij to launch chrome this way when doing debugging, as the test servers never have valid certificates.

I wouldn't recommend normal browsing like this though, as certificate checks are an important security feature, but this may be helpful to some.

Improve this answer

It worked for me in Windows 8! I just right clicked on chrome shortcut > Properties > Changed 'Target' field like this (note that '--ignore-certificate-errors' should be added after quote, and with space): "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ignore-certificate-errors
This does not answer the question, and its dangerous. The question was how to get Chrome to trust a self signed server certificate; not how to ignore warnings and errors.
This is the only solution that worked for me on Chrome (63.0.3239.108) with Windows 7 (64-bit). With regard to security I created special icon on desktop which I only launch when developing on a local virtual machine. Importing self-signed local certificates, tuning chrome://flags & HSTS domain did not help. Chrome should definitely keep that old good button "Add security exception" - it would save me 2 hours of struggling with useless settings.
This tutorial worked like a charm! youtube.com/watch?v=qoS4bLmstlk
On Windows you can press Ctrl + R to get the Run dialog, then type chrome --ignore-certificate-errors
35

Windows Jun/2017 (Windows Server 2012)

I followed @Brad Parks's answer. On Windows you should import rootCA.pem in the Trusted Root Certificates Authorities store.

I did the following steps:

openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -newkey rsa:4096 -sha256 -days 1024 -out rootCA.pem
openssl req -new -newkey rsa:4096 -sha256 -nodes -keyout device.key -out device.csr
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 2000 -sha256 -extfile v3.ext

Where v3.ext is:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 192.168.0.2
IP.2 = 127.0.0.1

In my case I have a self hosted web app, so I need to bind the certificate with IP address and port. The certificate should be in my store with private key information, so I exported to pfx format.

openssl pkcs12 -export -out device.pfx -inkey device.key -in device.crt

With MMC console, I imported the pfx file in the Personal store. (File ⏵ Add or Remove Snap-ins ⏵ Certificates ⏵ Add ⏵ Computer Account ⏵ LocalComputer ⏵ OK)

Later I used this command to bind the certificate. (You could also use HttpConfig tool.)

netsh http add sslcert ipport=0.0.0.0:12345 certhash=b02de34cfe609bf14efd5c2b9be72a6cb6d6fe54 appid={BAD76723-BF4D-497F-A8FE-F0E28D3052F4}
  • certhash is the Certificate Thumbprint
  • appid a GUID (your choice)

First I tried to import the certificate device.crt on Trusted Root Certificates Authorities in different ways, but I'm still getting the same error:

Screenshot of Chrome saying HTTPS security is broken

But I realized that I should import certificate of the root authority, not the certificate for the domain. So I used MMC console to import rootCA.pem in the Trusted Root Certificates Authorities store. (File ⏵ Add or Remove Snap-ins ⏵ Certificates ⏵ Add ⏵ Computer Account ⏵ LocalComputer ⏵ OK)

Screenshot of certificate import wizard

Restart Chrome and et voilà, it works.

  • With localhost:

    Screenshot of Chrome trusted security for localhost

  • Or with IP address:

    Screenshot of Chrome trusted security for 192.168.0.2

The only thing I could not achieve is that it has obsolete cipher (red square on picture). Help is appreciated on this point.

With makecert it is not possible to add SAN information. With New-SelfSignedCertificate (Powershell) you can add SAN information; that also works.

Improve this answer

Important: Run OpenSSL as administrator.
But how to run Trusted Cert Store app? This answer is not complete
25

As someone has noted, you need to restart all of Chrome, not just the browser windows. The fastest way to do this is to open a tab to...

chrome://restart

Improve this answer

Hey! Just wanted to point out that this is what fixed it for me. I was adding a custom CA to the trust store, it had always worked for me that way. I tried Firefox and worked flawlessly but not chrome. At the end it was because it seems you need to fully restart chrome as you mention. It might be that Chrome keeps using the same trust store as long as those background processes are still running.
17

  1. Add the CA certificate in the trusted root CA Store.

  2. Go to Google Chrome and enable this flag!

    chrome://flags/#allow-insecure-localhost

    At last, simply use the *.me domain or any valid domains, like *.com and *.net and maintain them in the 'hosts' file. For my local development environments, I use *.me or *.com with a 'hosts' file maintained as follows:

  3. Add to host.

    File 'C:/windows/system32/drivers/etc/hosts':

    127.0.0.1 nextwebapp.me

    Note: If the browser is already opened when doing this, the error will keep on showing. So, please close the browser and start again. Better yet, go incognito or start a new session for immediate effect.

Improve this answer

This seems to be the same as the top-voted answer.
I've only added the domain names that are allowed in local development i.e. *.me sites to the host file in Windows. People add the certificate but sometimes the host just fails to verify the SSL verification even if the certificate is installed properly. In which case, we create a new session. I've only added those tips. I've gone through this rabbit hole too deep so I wanted to make sure someone knew what to do if it was needed.
15

Are you sure the address the site is being served up as is the same as the certificate? I had the same problems with Chrome and a self-signed certificate, but in the end I found it was just incredibly picky about the validation of the domain name on the certificate (as it should be).

Chrome doesn't have its own certificate store and uses Windows' own store. However, Chrome doesn't provide any way to import certificates into the store, so you should add them via Internet Explorer instead.

Installing certificates in Google Chrome

Installing certificates in Internet Explorer

Also take a look at this for a couple of different approaches to creating self-signed certificates (I'm assuming you're using IIS as you haven't mentioned it).

How to create a self-signed certificate in IIS 7

Improve this answer

The site in question is localhost, and the CN of the certificate is "localhost". Yes, I did install the certificate in Windows's certificate store. Both IE and Chrome complain about the certificate.
Not sure if you're using IIS or Apache, but check the extra link I've just added on creating self-signed certs for IIS.
Because of the incredibly picky about the validation of the domain name on the cert part: does someone knows more about that? I have a problem (it is 2019) on Android 9 with a root certificate, which is blamed as unsecure by Google Chrome. It is OK for FF and on desktop.
"Are you sure the address the site is being served up as is the same as the certificate?" - Good question, how can I tell?
11

To create a self-signed certificates in Windows that Chrome v58 and later will trust, launch PowerShell with elevated privileges and type:

New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "fruity.local" -DnsName "fruity.local", "*.fruity.local" -FriendlyName "FruityCert" -NotAfter (Get-Date).AddYears(10)
# Notes:
#    -subject "*.fruity.local" = Sets the string subject name to the wildcard *.fruity.local
#    -DnsName "fruity.local", "*.fruity.local"
#         ^ Sets the subject alternative name to fruity.local, *.fruity.local. (Required by Chrome v58 and later)
#    -NotAfter (Get-Date).AddYears(10) = make the certificate last 10 years. Note: only works from Windows Server 2016 / Windows 10 onwards!!

Once you do this, the certificate will be saved to the Local Computer certificates under the Personal\Certificates store.

You want to copy this certificate to the Trusted Root Certification Authorities\Certificates store.

One way to do this: click the Windows start button, and type certlm.msc.

Then drag and drop the newly created certificate to the Trusted Root Certification Authorities\Certificates store per the below screenshot.

Enter image description here

Improve this answer

@mpowrie. Having generated this, how do I link it the Apache webserver? On localhost server.
Ifedi Okonkwo: I'm not sure with Apache webserver sorry, but with IIS you add a site binding of type https, include the fully qualified hostname, and select the SSL certificate.
This works like a charm. I'll say you'll need to do one additional step if you want to assign that cert as a binding...and that the cert needs to be in the Personal > Certificates as well. Dragging and dropping, for some reason, actually removed it from the Personal certs and placed it in the Trusted Certs. So make sure you copy and paste it.
9

I went down the process of using what bjnord suggested which was: Google Chrome, Mac OS X and self-signed SSL certificates

What is shown in the blog did not work.

However, one of the comments to the blog was gold:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain site.crt

You'll need to follow the blog on how to get the certificate file, after that you can use the command above and should be good to go.

Improve this answer

Comments

9

The GUI for managing SSL certificates on Chromium on Linux did not work properly for me. However, their documentation gave the right answer. The trick was to run the command below that imports the self-signed SSL certificate. Just update the name of the <certificate-nickname> and certificate-filename.cer, then restart Chromium/Chrome.

From the documentation:

On Linux, Chromium uses the NSS Shared DB. If the built-in manager does not work for you then you can configure certificates with the NSS command line tools.

Get the tools

  • Debian/Ubuntu: sudo apt-get install libnss3-tools
  • Fedora: su -c "yum install nss-tools"
  • Gentoo: su -c "echo 'dev-libs/nss utils' >> /etc/portage/package.use && emerge dev-libs/nss" (You need to launch all commands below with the nss prefix, e.g., nsscertutil.) openSUSE: sudo zypper install mozilla-nss-tools

To trust a self-signed server certificate, we should use

certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <certificate-nickname> -i certificate-filename.cer

List all certificates

certutil -d sql:$HOME/.pki/nssdb -L

The TRUSTARGS are three strings of zero or more alphabetic characters, separated by commas. They define how the certificate should be trusted for SSL, email, and object signing, and are explained in the certutil docs or Meena's blog post on trust flags.

Add a personal certificate and private key for SSL client authentication Use the command:

pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12

to import a personal certificate and private key stored in a PKCS #12 file. The TRUSTARGS of the personal certificate will be set to “u,u,u”.

Delete a certificate certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname>

Excerpt From: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/linux_cert_management.md

Improve this answer

The chromium.googlesource.com link is broken: "NOT_FOUND: Requested entity was not found". If it works with some kind of login, it ought to be indicated in the answer.
9

For Fedora, Ubuntu, Linux, if you're getting the example.com Not a Certification authority error when adding the certificate using the GUI to add a new root authority. If you want to trust a server self signed certificate, it cannot make mention of an invalid authority... even if that's itself. I've only managed to make it work by trusting my authority and using that authorities key to sign server certificates.

Here's the self-signed CA certificate that it accepted. This is the only way that I found works to get around cert_authority_invalid. I tried for hours to get it to accept a self-signed end point certificate, but no cigar. The UI will accept self-signed authorities, as long as it's declared CA:TRUE. After that, all certificates signed by that key with the correct DN will be accepted by Chrome without needing to add them independently.

openssl req -new -x509 -extensions v3_req -days 8440 -config ca.conf -key rockstor.key -out rockstor.cert

[req]
distinguished_name=dn
req_extensions=v3_req
prompt = no

[v3_req]
basicConstraints=CA:TRUE,pathlen:0
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@alt_names

[alt_names]
DNS.1 = ca.tdpowerskills.com

[dn]
C = US
ST = LA
L = Alexandria
O = TDPS Certification Authority
OU = LEARNOPS
CN = ca.tdpowerskills.com

openssl req -new -x509 -extensions v3_req -days 8440 -config config.conf -key rockstor.key -out rockstor.cert

[req]
distinguished_name=dn
req_extensions=v3_req
prompt = no

[v3_req]
basicConstraints=CA:FALSE
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@alt_names
issuerAltName=DNS:ca.tdpowerskills.com

[alt_names]
DNS.1 = big.tdps.app

[dn]
C = US
ST = LA
L = Alexandria
O = TDPS Certification Authority
OU = LEARNOPS
CN = ca.tdpowerskills.com

If that doesn't work:

  • chrome://restart to actually restart

  • Try to get more details on the error using Firefox. It tends to explain errors better. While Chrome will say: ERR_CERTIFICATE_INVALID, Firefox will throw: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY.

  • Remember that Chrome now requires Subject Alternative Name and nearly ignores CN.

For others:

  • certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <nickname> -i <my.crt> for server certificates

  • certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <nickname> -i <my.crt> for CAs

  • For Firefox, the UI adding an exception certificate does work, and it will trust it once you do that.

  • Perhaps you have funky settings in /etc/pki/tls/openssl.cnf which get merged with your configuration.

  • perhaps you're not adding an extension to the configuration or command line, such as v3_req

  • Note, my method bypasses the need for a CSR by just signing the certificates with the authority key and adding details for the development servers. CSRs allow more keys for actual security.

  • I tried everything, but Chrome requires an authority with basicconstraints CA:true set. And server certificates must all be singed by a valid Authority, even if that's just another certificate that the signed themselves with CA:true.

Improve this answer

Comments

8

Allowing an insecure localhost works fine via this method: chrome://flags/#allow-insecure-localhost

It is just that you need to create your development hostname to xxx.localhost.

Improve this answer

Comments

7

This worked for me. See: http://www.robpeck.com/2010/10/google-chrome-mac-os-x-and-self-signed-ssl-certificates/#.Vcy8_ZNVhBc

In the address bar, click the little lock with the X. This will bring up a small information screen. Click the button that says "Certificate Information."

Click and drag the image to your desktop. It looks like a little certificate.

Double-click it. This will bring up the Keychain Access utility. Enter your password to unlock it.

Be sure you add the certificate to the System keychain, not the login keychain. Click "Always Trust," even though this doesn't seem to do anything.

After it has been added, double-click it. You may have to authenticate again.

Expand the "Trust" section.

"When using this certificate," set to "Always Trust"

Improve this answer

This seems to work! You may need to restart your browser at the end.
The www.rebeccapeck.org link is broken.
7 
mkdir CA
openssl genrsa -aes256 -out CA/rootCA.key 4096
openssl req -x509 -new -nodes -key CA/rootCA.key -sha256 -days 1024 -out CA/rootCA.crt

openssl req -new -nodes -keyout example.com.key -out domain.csr -days 3650 -subj "/C=US/L=Some/O=Acme, Inc./CN=example.com"
openssl x509 -req -days 3650 -sha256 -in domain.csr -CA CA/rootCA.crt -CAkey CA/rootCA.key -CAcreateserial -out example.com.crt -extensions v3_ca -extfile <(
cat <<-EOF
[ v3_ca ]
subjectAltName = DNS:example.com
EOF
)
Improve this answer

How does one use the generated files? I understand how to use the domain .crt and .key files but what is the .csr file for? And how do I use the rootCA.* files? Please expand on your answer...
Where was this tested? Linux? What distribution? What version?
7

As of March 2020, on MacOS Catalina using Chrome 81, this has changed once you create a valid certificate using openssl as outlined above.

First, I browsed to my site using Safari and clicked on the link at the bottom of the the warning page that allows me to Access the Site Anyway. This added the certificate to my Mac Keychain (ie Keychain.app). Safari then would let me view the page. Chrome showed that the certificate was trusted, but wouldn't let me view the page. I continued to get the CERTIFICATE_INVALID error.

In Keychain, select All Items in the pane on the bottom left. Then search for your localhost DNS name (ie myhost.example.com).

Double click on your certificate. It’ll open an edit dialog for your cert.

Change "When using this Certificate" to "Always Trust"

This was totally counterintuitive because SSL was already set to Always Trust, presumably by Safari when the cert was added. Chrome only started working once I changed it globally to Always Trust. When I changed it back, it stopped working.

Improve this answer

Comments

7

June 2021 - Windows 10 - Chrome v91 (SIMPLE)

Follow the cert generation instructions from selfsignedcertificate.com:

Example domain name: mydomain.local, replace it with your domain name.

  1. To generate a key:

    openssl genrsa -out mydomain.local.key 2048

  2. Create the config file mydomain.local.conf with only the following content:

    [req]
distinguished_name=req
[SAN]
subjectAltName=DNS:mydomain.local

    Note: In subcjectAltName you can define more domains (optional), like:

    subjectAltName=DNS:mydomain.local, DNS:*.mydomain.local, DNS:otherdomain.local, IP:192.168.1.10

  3. Create the certificate:

    openssl req -new -x509 -key mydomain.local.key -out mydomain.local.crt -days 3650 -subj /CN=mydomain.local -extensions SAN -config mydomain.local.conf

  4. Add the Cert to Trusted Root Certification Authorities

    • Right click the mydomain.local.crt file
    • Select Install Certificate from the context menu.
    • Choose Local Machine in the popup.
    • Choose Place all certificates in the following store.
    • Click Browse.
    • Choose Trusted Root Certification Authorities.
    • Click Ok, Next, Finish.
    • Restart Chrome.
Improve this answer

This looked promising (and serverfault.com/a/1017093/119666 was helpful), but it didn't work for me. In Brave (which is basically Chrome), I still get: NET::ERR_CERT_AUTHORITY_INVALID Subject: sslip.io Issuer: sslip.io
7

For Chrome on macOS, if you have prepared a certificate:

  • Quit Chrome (cmd+Q).
  • Start the Keychain Access app and open the "Certificates" category.
  • Drag your certificate file onto the Keychain Access window and type the password for the certificate file.
  • Double click on your certificate and unfold the "Trust" list.
    • In row "When using this certificate," choose "Always Trust."
    • Close this stuff and type your password.
  • Start Chrome and clear all caches.
  • Check that everything is OK.
Improve this answer

Comments

6

When clicking the little crossed out lock icon next to the URL, you'll get a box looking like this:

enter image description here

After clicking the Certificate information link, you'll see the following dialog:

enter image description here

It tells you which certificate store is the correct one, it's the Trusted Root Certification Authorities store.

You can either use one of the methods outlined in the other answers to add the certificate to that store or use:

certutil -addstore -user "ROOT" cert.pem
  • ROOT is the internal name of the certificate store mentioned earlier.
  • cert.pem is the name of your self-signed certificate.
Improve this answer

certutil -addstore -user "ROOT" cert.pem is Windows?
@Pacerier: Correct, it's for Windows.
You mave have it in Trusted Root Certification Authorities but still issue remains: imgur.com/a/mjlglVz imgur.com/a/n8BFH5S Windows 10, chrome 78
6

I was experiencing the same issue: I had installed the certificate in to Windows' Trusted Root Authorities store, and Chrome still refused the certificate, with the error ERR_CERT_COMMON_NAME_INVALID. Note that when the certificate is not properly installed in the store, the error is ERR_CERT_AUTHORITY_INVALID.

As hinted by the name of the error, this comment, and this question, the problem was lying in the declared domain name in the certificate. When prompted for the "Common Name" while generating the certificate, I had to enter the domain name I was using to access the site (localhost in my case). I restarted Chrome using chrome://restart and it was finally happy with this new certificate.

Improve this answer

I am also using localhost but chrome is not happy about it imgur.com/a/mjlglVz Windows 10, Chrome 78. I followed instruction from here: stackoverflow.com/a/44398368/4983983 I access the page via localhost
using common name "localhost" almost worked, and then finally it did work when I also launched chrome with option --allow-insecure-localhost
6

As of Chrome 58+ I started getting certificate error on macOS due missing SAN. Here is how to get the green lock on address bar again.

  1. Generate a new certificate with the following command:

    openssl req \
  -newkey rsa:2048 \
  -x509 \
  -nodes \
  -keyout server.key \
  -new \
  -out server.crt \
  -subj /CN=*.domain.dev \
  -reqexts SAN \
  -extensions SAN \
  -config <(cat /System/Library/OpenSSL/openssl.cnf \
      <(printf '[SAN]\nsubjectAltName=DNS:*.domain.dev')) \
  -sha256 \
  -days 720

  2. Import the server.crt into your KeyChain, then double click in the certificate, expand the Trust, and select Always Trust

Refresh the page https://domain.dev in Google Chrome, so the green lock is back.

Improve this answer

This works for subdomains api.domain.dev but I still have a warning page on domain.dev: This server could not prove that it is domain.dev; its security certificate is from *.domain.dev. This may be caused by a misconfiguration or an attacker intercepting your connection. Any idea?
1
2

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.