According to this you apparently have to open the certificate and set “When using this certificate” to “Always Trust” and also restart Chrome, in addition to what you mentioned having done.
By the way, https://shiing.com/ works as expected with Opera/Gentoo from here.
By definition, a self-signed certificate can be trusted only through direct trust, i.e. what Web browsers like Firefox show as the "allow exception" process. One very specific certificate, down to the last bit, is declared as "trusted". Nothing can be changed in a certificate without exiting from this model, and, in particular, the expiry date, which is part of the data contained in the certificate.
You can imagine renewal as a kind of family thing: when a certificate is "renewed", it is actually replaced by a younger sibling. Clients accept the new certificate silently because it shares the same ancestry as the previous certificate. Self-signed certificates are intrinsic orphans: they have no ancestry. Hence, no sibling, and no automatic transmission.
(Apart from this ancestry thing, renewal is the creation of a new certificate. Certificates are immutable. "Renewal" is a way of thinking about the relationship between the old and the new certificates.)
If you want to be able to do silent renewals, then you need a self-signed CA certificate. You emit certificates for your server(s) from that CA, and you ask your clients to trust that CA. Of course this is asking a lot: a CA that you trust is a CA that can fake the whole Internet in your eyes. Basically, this solution is about creating and maintaining your own CA, which is a responsibility and some work.
Next time you produce a self-signed certificate, make it long-lived. Certificates expire mostly in order to make revocation work (certificate expiry prevents CRL from growing indefinitely). For a self-signed certificate, there is no revocation, so you can make the certificate valid for 20 years. Or for 2000 years, for that matter (although the Year 2038 Problem might show up at some point, depending on the client software).
Best Answer
I did not know about this option before today, but it appears that Chrome does have a flag for allowing insecure certificates from the
localhost
origin. This option is available from thechrome://flags/#allow-insecure-localhost
page:This will only help you for self-signed certificates on the
localhost
origin, and I have not tested it to see if it actually fixes your problem with the password manager, but it looks promising.