I have an nginx installation and a self-signed CA against which I want my users to authenticate with client certificates signed by this CA.

Things work perfectly in Linux with both Firefox and Chrome. On Windows 10, Firefox works fine. So I know it is not a misconfiguration of the server, the system clock or the certificates themselves.

I import the certificates by running certmgr.msc. I store the client certificate in the "Personal" store and the CA's certificate in "Trusted Root Certification Authorities". I then restart chrome via chrome://restart and have even restarted Windows to no avail.

After I get the (expected) warning about the server certificate authenticity not being verified, in linux and on Firefox in Windows I am given the option to "Proceed anyway". On Windows Chrome and IE I am given no such option. Chrome presents the following screen:

enter image description here

I am using Chrome v56 (64bit)

Is there any way around this problem that I am unaware of? Why has Chrome taken away the option to proceed anyway on windows but the option still exists on other OSs?

EDIT

On MacOS, Chrome behaves like on Linux. After importing the certificates in the user's keychain I am presented with the same warning and the option to "Proceed anyway".

I do not know if this is a Chrome issue or if it is some security restriction that Windows enforces but I find it extremely impractical and annoying.

up vote 1 down vote accepted

If anyone has the same problem, here is the solution and it should work on Windows 7, 8 and 10.

  1. Create a windows management console file. Start -> Run -> mmc.exe

  2. In the console window: File -> Add/Remove Snap-in...

  3. Choose Certificates snap-in and choose to manage certificates for My user account in the next window.

  4. Back in the Add or Remove Snap-ins dialog, choose Group Policy Object Editor and Add it to the Console Root. Leave Group Policy Object set to LocalComputer in the next dialog and click Finish.

  5. Click OK to leave the Add or Remove Snap-ins dialog.

At this point you should be looking at a Console window like this:

enter image description here

Now, import your certificates.

  1. Expand the Certificates snap-in and click to Personal. Then right-click on the middle pane and choose All Tasks -> Import.... The Certificate Import Wizard will appear. Just import your user's certificate without changing any of the default settings.

  2. Expand the Trusted Root Certification Authorities and click on Certificates. Again, click on the middle pane and choose All Tasks -> Import.... Import your CA's certificate without changing any of the default settings.

Now to the interesting part...

Back to the Console Root, navigate under Local Computer Policy snap-in to Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies. You should see a window like this:

enter image description here

Double click on Certificate Path Validation Settings. Check Define these policy settings and select the settings as in the picture below.

enter image description here

Then, click on Select Certificate Purposes and make sure your intended purposes are included (Client Authentication and Server Authentication were the ones I needed.). Click Apply and close the Console window. You will be asked if you want to save your settings. You may choose to do so if you want to save your configuration for others to re-use.

Make sure to restart Chrome or IE in order for the changes to take effect.

Your Answer

By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

Not the answer you're looking for? Browse other questions tagged or ask your own question.