Windows – Unable to use client certificates in Chrome or IE on Windows 10

Tags: certificate, google-chrome, ssl, windows 10

I have an nginx installation and a self-signed CA against which I want my users to authenticate with client certificates signed by this CA.

Things work perfectly in Linux with both Firefox and Chrome. On Windows 10, Firefox works fine. So I know it is not a misconfiguration of the server, the system clock or the certificates themselves.

I import the certificates by running certmgr.msc. I store the client certificate in the "Personal" store and the CA's certificate in "Trusted Root Certification Authorities". I then restart Chrome via chrome://restart and have even restarted Windows, to no avail.

After I get the (expected) warning about the server certificate's authenticity not being verified, on Linux and in Firefox on Windows I am given the option to "Proceed anyway". In Chrome and IE on Windows I am given no such option. Chrome presents the following screen:

[screenshot: Chrome error page with no "Proceed anyway" option]

I am using Chrome v56 (64-bit).

Is there any way around this problem that I am unaware of? Why has Chrome taken away the option to proceed anyway on Windows, while the option still exists on other OSs?

EDIT

On MacOS, Chrome behaves like on Linux. After importing the certificates in the user's keychain I am presented with the same warning and the option to "Proceed anyway".

I do not know if this is a Chrome issue or if it is some security restriction that Windows enforces but I find it extremely impractical and annoying.

Best Answer

If anyone has the same problem, here is the solution and it should work on Windows 7, 8 and 10.

  1. Create a Windows Management Console file. Start -> Run -> mmc.exe

  2. In the console window: File -> Add/Remove Snap-in...

  3. Choose Certificates snap-in and choose to manage certificates for My user account in the next window.

  4. Back in the Add or Remove Snap-ins dialog, choose Group Policy Object Editor and Add it to the Console Root. Leave Group Policy Object set to Local Computer in the next dialog and click Finish.

  5. Click OK to leave the Add or Remove Snap-ins dialog.

At this point you should be looking at a Console window like this:

[screenshot: Console window with the Certificates and Local Computer Policy snap-ins]

Now, import your certificates.

  1. Expand the Certificates snap-in and click on Personal. Then right-click on the middle pane and choose All Tasks -> Import.... The Certificate Import Wizard will appear. Just import your user's certificate without changing any of the default settings.

  2. Expand Trusted Root Certification Authorities and click on Certificates. Again, right-click on the middle pane and choose All Tasks -> Import.... Import your CA's certificate without changing any of the default settings.

Now to the interesting part...

Back to the Console Root, navigate under Local Computer Policy snap-in to Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies. You should see a window like this:

[screenshot: Public Key Policies under Local Computer Policy]

Double click on Certificate Path Validation Settings. Check Define these policy settings and select the settings as in the picture below.

[screenshot: Certificate Path Validation Settings dialog]

Then, click on Select Certificate Purposes and make sure your intended purposes are included (Client Authentication and Server Authentication were the ones I needed). Click Apply and close the Console window. You will be asked if you want to save your settings. You may choose to do so if you want to save your configuration for others to re-use.

Make sure to restart Chrome or IE in order for the changes to take effect.
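As an added example (not part of the question or the answer above), the two imports from the answer's certificate steps done with PowerShell on Windows 8 or later, followed by a chain build that asks the same question Chrome and IE ask of the Windows store: does this client certificate chain to a trusted root for the Client Authentication purpose? The file paths and the password prompt are placeholders; the policy change under Public Key Policies is not scripted here.

```powershell
# Added example, not the answer's own procedure. Placeholder inputs:
$caPath  = 'C:\certs\ca.crt'     # the self-signed CA certificate (PEM or DER)
$pfxPath = 'C:\certs\user.pfx'   # the user's certificate with its private key
$pfxPass = Read-Host -AsSecureString 'PFX password'

# 1. CA into the user's Trusted Root store, client certificate into Personal.
#    Both cmdlets come from the PKI module (Windows 8 / Server 2012 and later).
$ca     = Import-Certificate    -FilePath $caPath  -CertStoreLocation Cert:\CurrentUser\Root
$client = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\CurrentUser\My `
                                -Password $pfxPass

# 2. Build the chain with the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2)
#    required, which is the purpose the browser needs the certificate for.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$eku   = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2'
$chain.ChainPolicy.ApplicationPolicy.Add($eku) | Out-Null
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # private CA, no CRL published
$ok = $chain.Build($client)

"Subject         : $($client.Subject)"
"Issuer          : $($client.Issuer)"
"Has private key : $($client.HasPrivateKey)"
"Chain builds    : $ok"
if (-not $ok) {
    # Each status entry names the reason (UntrustedRoot, NotValidForUsage, ...)
    $chain.ChainStatus | ForEach-Object { "  - $($_.Status): $($_.StatusInformation)" }
}

# 3. Confirm the root that was imported is the one that actually issued the
#    client certificate; a mismatch here is the usual cause of "no certificate offered".
$issuer = Get-ChildItem Cert:\CurrentUser\Root | Where-Object { $_.Subject -eq $client.Issuer }
"Issuing CA present in Root store: $([bool]$issuer)"
```

If "Chain builds" is false, the listed status reason tells you whether the problem is trust (wrong or missing root), validity dates, or a missing Client Authentication purpose on the certificate, before touching the path validation policy.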
