How to make Chrome accept a self-signed localhost certificate?
I have created a self-signed SSL certificate for localhost with the Common Name (CN). Firefox accepts this certificate after initially showing a warning, as expected. However, Chrome and Internet Explorer refuse to accept it, even after adding the certificate to the system certificate store under Trusted Roots. Despite the certificate appearing correctly installed when I click “View certificate information” in Chrome’s HTTPS popup, Chrome still indicates that the certificate cannot be trusted.
What steps do I need to take to configure Chrome to accept my self-signed localhost certificate and stop showing security warnings?
Chrome can be configured to accept self-signed localhost certificates by importing the certificate directly into Chrome’s trusted certificate store rather than just the system store, or by using specific Chrome flags to bypass certificate validation during development. The most reliable method involves installing the certificate in Chrome’s certificate settings through the advanced security settings or using the --ignore-certificate-errors command line flag for temporary development purposes.
Contents
- Understanding the Chrome Certificate Issue
- Method 1: Install Certificate Directly in Chrome
- Method 2: Use Chrome Command Line Flags
- Method 3: Import Certificate into Chrome’s Certificate Store
- Method 4: Use Chrome Flags for Development
- Method 5: Create a Certificate Authority and Install it System-wide
- Troubleshooting Common Issues
- Recommended Development Workflow
Understanding the Chrome Certificate Issue
Chrome has stricter certificate validation compared to other browsers like Firefox. When you add a self-signed certificate to the Windows Trusted Root Certification Authorities store, Chrome may still reject it because:
- Chrome maintains its own certificate store separate from the system store
- Chrome performs additional validation checks including certificate revocation status
- Chrome may not recognize certificates that don’t have the proper extensions for server authentication
The key difference is that Firefox trusts the system certificate store by default, while Chrome performs its own validation. This is why your certificate works in Firefox but not in Chrome, even though it appears correctly installed in the Windows certificate store.
Method 1: Install Certificate Directly in Chrome
This is the most direct method to make Chrome trust your self-signed certificate:
- Open Chrome and access your HTTPS site
  - Navigate to https://localhost or your local development URL
- Click the padlock icon in the address bar next to the URL
- Click “Certificate is not valid” or similar warning text
- Click “Connection is secure” → “Certificate is valid” → “Details”
- Click “Copy to File” in the Certificate dialog
- Choose “Base-64 encoded X.509 (.CER)” format
- Save the certificate file to your desktop
- Close the certificate dialog and return to Chrome
- Click the three-dot menu → “Settings” → “Privacy and security” → “Security”
- Click “Manage certificates”
- In the “Trusted Root Certification Authorities” tab, click “Import”
- Browse to and select the certificate file you saved
- Complete the import wizard, ensuring you select “Place all certificates in the following store” and choose “Trusted Root Certification Authorities”
This method ensures Chrome specifically trusts your certificate by adding it to its own trusted certificate store.
Method 2: Use Chrome Command Line Flags
For temporary development purposes, you can start Chrome with flags that bypass certificate validation:
- Close all Chrome instances
- Press Windows Key + R to open the Run dialog
- Type chrome.exe followed by the appropriate flags:
  - --ignore-certificate-errors - Ignores all certificate errors
  - --ignore-certificate-errors-spki-list - Ignores certificate errors for specific SPKI hashes
  - --allow-running-insecure-content - Allows mixed content
  - --unsafely-treat-insecure-origin-as-secure=localhost:8443 - Treats specific insecure origins as secure

Example command:
```
chrome.exe --ignore-certificate-errors --allow-running-insecure-content
```
- Create a shortcut for easy access:
  - Right-click on Chrome → More tools → Create shortcut
  - Right-click the new shortcut → Properties
  - Add the flags to the “Target” field after chrome.exe
Note: This method is not recommended for production use as it bypasses all security checks.
Method 3: Import Certificate into Chrome’s Certificate Store
Chrome maintains its own certificate stores that are separate from the Windows system store:
- Export your certificate from the Windows certificate store to a .pem or .crt file
- Open Chrome and navigate to chrome://settings/certificates
- Click the “Authorities” tab (for root certificates) or “Other People” tab (for end entity certificates)
- Click “Import”
- Browse to your certificate file and select it
- Choose the appropriate store when prompted:
  - For self-signed root certificates: “Trusted Root Certification Authorities”
  - For server certificates: “Intermediate Certification Authorities” or “Other People”
- Complete the import process
Chrome will now trust certificates issued by your self-signed certificate authority.
Method 4: Use Chrome Flags for Development
Chrome has experimental flags that can help with development certificates:
- Type chrome://flags in the Chrome address bar
- Search for “allow-insecure-localhost”
- Enable the flag “Allow invalid certificates for resources loaded from localhost”
- Relaunch Chrome when prompted
This flag specifically allows Chrome to accept invalid certificates from localhost, which is exactly what you need for development with self-signed certificates.
Alternative flags to try:
- #allow-insecure-localhost - Allows invalid certificates on localhost
- #allow-running-insecure-content - Allows mixed content
- #ignore-certificate-errors-spki-list - Add your certificate’s SPKI hash here
Method 5: Create a Certificate Authority and Install it System-wide
For a more robust solution, create your own Certificate Authority and install it as a trusted root:
- Create a Certificate Authority using OpenSSL or similar tool:
```bash
# Self-signed CA certificate and unencrypted key, valid for 365 days
openssl req -x509 -newkey rsa:4096 -keyout ca-key.pem -out ca-cert.pem -days 365 -nodes
```
- Create your localhost certificate signed by this CA:
```bash
# CSR, then sign with the CA; the extension file adds the subjectAltName and serverAuth EKU that Chrome checks
openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-req.pem
printf 'subjectAltName=DNS:localhost\nextendedKeyUsage=serverAuth\n' > server-ext.cnf
openssl x509 -req -in server-req.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -days 365 -extfile server-ext.cnf
```
- Install the CA certificate in the Windows Trusted Root store:
  - Double-click the ca-cert.pem file
  - Click “Install Certificate”
  - Choose “Local Machine” and “Trusted Root Certification Authorities”
  - Complete the installation
- Install the CA certificate in Chrome’s certificate store (as described in Method 3)
This approach ensures that all certificates signed by your CA will be trusted by both Windows and Chrome.
Troubleshooting Common Issues
Certificate Still Not Trusted:
- Verify the certificate is installed in Chrome’s certificate store, not just Windows
- Check that the certificate has the Server Authentication EKU extension
- Ensure the Common Name (CN) exactly matches your localhost domain
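The checks in this list, run against a CA-signed localhost certificate of the kind Method 5 produces, as an added example that is not part of the original answer. Chrome 58 and later match the hostname against subjectAltName only, so the script builds one leaf with the CN alone and one with a SAN and the serverAuth EKU; the helper names (make_dev_ca, make_leaf, check_leaf), file names, subjects and 30-day lifetime are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. File names, subjects and the
# 30-day lifetime are assumptions for throwaway test certificates.

# make_dev_ca DIR: self-signed CA with an explicit CA:TRUE, written to DIR.
make_dev_ca() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\n%s\n' \
    'basicConstraints=critical,CA:TRUE' > "$1/openssl.cnf"
  openssl req -x509 -config "$1/openssl.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Dev CA" -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" 2>/dev/null
}

# make_leaf DIR NAME [EXTFILE]: CN=localhost leaf signed by the CA in DIR.
# Without EXTFILE the leaf has no subjectAltName and no EKU.
make_leaf() {
  openssl req -config "$1/openssl.cnf" -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$1/$2-key.pem" -out "$1/$2-req.pem" 2>/dev/null &&
  openssl x509 -req -in "$1/$2-req.pem" -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" \
    -CAcreateserial -days 30 ${3:+-extfile "$3"} -out "$1/$2-cert.pem" 2>/dev/null
}

# check_leaf CERT CA HOST: print one line per failed check, or OK.
# Returns 0 only when every check passes; HOST is a plain name such as localhost.
check_leaf() {
  _txt=$(openssl x509 -in "$1" -noout -text) || return 2
  _rc=0
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || { echo "FAIL chain"; _rc=1; }
  echo "$_txt" | grep -A1 "Subject Alternative Name" |
    grep -Eq "DNS:$3(,|[[:space:]]*\$)" || { echo "FAIL san"; _rc=1; }
  echo "$_txt" | grep -q "TLS Web Server Authentication" || { echo "FAIL eku"; _rc=1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo "FAIL expired"; _rc=1; }
  [ "$_rc" -eq 0 ] && echo "OK"
  return "$_rc"
}

# Demo on constructed certificates in a temporary directory.
demo() {
  d=$(mktemp -d) || return 2
  printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' \
    > "$d/leaf-ext.cnf"
  make_dev_ca "$d" && make_leaf "$d" bare && make_leaf "$d" good "$d/leaf-ext.cnf"
  echo "bare: $(check_leaf "$d/bare-cert.pem" "$d/ca-cert.pem" localhost | tr '\n' ' ')"
  echo "good: $(check_leaf "$d/good-cert.pem" "$d/ca-cert.pem" localhost | tr '\n' ' ')"
  rm -rf "$d"
}
demo
```

The CN-only leaf chains to the CA yet still fails the SAN and EKU checks, which is the case where a correctly installed root does not clear the browser warning.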
Mixed Content Warnings:
- Use the --allow-running-insecure-content flag
- Ensure all resources are loaded over HTTPS or use relative URLs
- Check for hardcoded HTTP URLs in your code
Certificate Revocation Issues:
- Chrome may attempt to check certificate revocation status
- Use the --ignore-certificate-errors-spki-list flag with your certificate’s SPKI hash
- Or temporarily disable network connectivity during testing
Chrome Version Differences:
- Chrome 58+ has stricter certificate validation
- Earlier versions may be more lenient with self-signed certificates
- Consider using Chrome Beta for testing if stable version has issues
Recommended Development Workflow
For optimal development experience with self-signed certificates:
- Create a development Certificate Authority as described in Method 5
- Install the CA certificate in both Windows Trusted Root store and Chrome
- Use Chrome’s “Allow invalid certificates for resources loaded from localhost” flag
- Create Chrome shortcuts with development flags for quick access
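- Consider using tools like mkcert which automate this process:
```bash
# mkcert here is FiloSottile's tool (Chocolatey package on Windows); the npm package of the same name has a different CLI
choco install mkcert
# Create a local CA and add it to the system trust stores
mkcert -install
# Issue a certificate valid for these names
mkcert localhost 127.0.0.1 ::1
```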
- For team development, distribute the CA certificate and ensure all developers install it
- Regularly rotate certificates to maintain security during development
This workflow provides a balance between security and convenience, allowing you to develop with HTTPS while maintaining Chrome’s security features for production browsing.
Conclusion
Making Chrome accept self-signed localhost certificates requires understanding Chrome’s certificate validation system and using the appropriate installation method. The most reliable approaches include installing the certificate directly in Chrome’s certificate store or creating a development Certificate Authority that Chrome trusts. For temporary development needs, Chrome’s command line flags provide quick solutions but should be used cautiously. By following the methods outlined above, you can eliminate security warnings in Chrome while maintaining secure browsing practices for other websites. For ongoing development projects, consider using automated tools like mkcert to simplify certificate management and ensure consistent behavior across development environments.