I have an nginx installation and a self-signed CA against which I want my users to authenticate with client certificates signed by this CA.
Things work perfectly in Linux with both Firefox and Chrome. On Windows 10, Firefox works fine. So I know it is not a misconfiguration of the server, the system clock or the certificates themselves.
I import the certificates by running certmgr.msc. I store the client certificate in the "Personal" store and the CA's certificate in "Trusted Root Certification Authorities". I then restart chrome via chrome://restart
and have even restarted Windows to no avail.
After I get the (expected) warning about the server certificate authenticity not being verified, in linux and on Firefox in Windows I am given the option to "Proceed anyway". On Windows Chrome and IE I am given no such option. Chrome presents the following screen:
I am using Chrome v56 (64bit)
Is there any way around this problem that I am unaware of? Why has Chrome taken away the option to proceed anyway on windows but the option still exists on other OSs?
EDIT
On MacOS, Chrome behaves like on Linux. After importing the certificates in the user's keychain I am presented with the same warning and the option to "Proceed anyway".
I do not know if this is a Chrome issue or if it is some security restriction that Windows enforces but I find it extremely impractical and annoying.
Best Answer
If anyone has the same problem, here is the solution and it should work on Windows 7, 8 and 10.
Create a windows management console file.
Start -> Run -> mmc.exe
In the console window:
File -> Add/Remove Snap-in...
Choose
Certificates
snap-in and choose to manage certificates forMy user account
in the next window.Back in the
Add or Remove Snap-ins
dialog, choose Group Policy Object Editor and Add it to the Console Root. LeaveGroup Policy Object
set toLocalComputer
in the next dialog and click Finish.Click OK to leave the
Add or Remove Snap-ins
dialog.At this point you should be looking at a Console window like this:
Now, import your certificates.
Expand the
Certificates
snap-in and click toPersonal
. Then right-click on the middle pane and chooseAll Tasks -> Import...
. The Certificate Import Wizard will appear. Just import your user's certificate without changing any of the default settings.Expand the
Trusted Root Certification Authorities
and click onCertificates
. Again, click on the middle pane and chooseAll Tasks -> Import...
. Import your CA's certificate without changing any of the default settings.Now to the interesting part...
Back to the
Console Root
, navigate underLocal Computer Policy
snap-in toComputer Configuration
->Windows Settings
->Security Settings
->Public Key Policies
. You should see a window like this:Double click on
Certificate Path Validation Settings
. CheckDefine these policy settings
and select the settings as in the picture below.Then, click on
Select Certificate Purposes
and make sure your intended purposes are included (Client Authentication and Server Authentication were the ones I needed.). ClickApply
and close the Console window. You will be asked if you want to save your settings. You may choose to do so if you want to save your configuration for others to re-use.Make sure to restart Chrome or IE in order for the changes to take effect.