Accessing Websites with Self-Signed Certificates on Chrome
Google now requires all browser extensions to support Manifest V3 and is actively disabling those that still use Manifest V2. Manifest V3 enforces stricter certificate validation. However, due to a bug in Chrome's implementation of this validation for extensions, Chrome currently rejects all self-signed certificates.
For more information about this bug, see the Chromium Issue Tracker.
Below, you will find some differences in how Web Password Filler handled websites with self-signed certificates on Manifest V2 compared to how it will handle them in Manifest V3.
Working With Self-Signed Certificates on Manifest V2
When you use Web Password Filler (WPF) with Secret Server URLs that have self-signed certificates, it loads the self-signed URLs (e.g. local sites like 'https://localhost/somesite'). You will then encounter an error and be redirected to the same URL in another tab. This new tab will display the following error: net::Err_CERT_COMMON_NAME_INVALID. If you accept the certificate through WPF, the extension will proceed further.
You can reproduce this error by following these steps:
- Load local sites ('https://localhost/somesite').
- You will encounter a certificate error.
- After you click Continue, you will be redirected to another tab where you will see the following error message: net::Err_CERT_COMMON_NAME_INVALID
- After you click Advanced, WPF will accept the self-signed certificate, allowing the extension to proceed further.
Working With Self-Signed Certificates on Manifest V3
With Secret Server URLs that have self-signed certificates, Web Password Filler:
- Loads the self-signed URLs (e.g. local sites like 'https://localhost/somesite').
- Displays an error in the extension and redirects you to the same URL in another tab.
- Shows the following error on the new tab: net::Err_CERT_COMMON_NAME_INVALID
- Continues to display the same error even if it accepts the certificate.
- Cannot make any API calls to Secret Server.
- Cannot proceed further.
To work around the self-signed certificate issue in Manifest V3, you need to set up a local CA and install the CA root certificate as a trusted certificate authority on your computer. Then, create a certificate using the CA and install that certificate on your Secret Server nodes.
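One way to carry out this workaround with the OpenSSL command line, as an added example that is not part of the original documentation or the vendor's tooling: it creates a local CA, issues a server certificate whose subjectAltName carries the host name, and checks the result. The host name secretserver.example.test, the subject names and all file names are constructed placeholders, and OpenSSL 1.1.0 or later is assumed.

```shell
#!/bin/sh
# Added example: host name, subject names and file names are constructed placeholders.
set -eu

# Minimal config so the result does not depend on the system openssl.cnf.
write_config() {  # $1 = working dir, $2 = server DNS name
    cat > "$1/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# Chrome matches the host name against subjectAltName, not the CN.
subjectAltName = DNS:$2
EOF
}

make_ca() {  # $1 = working dir; writes ca.key (keep private) and ca.crt
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$1/pki.cnf" -extensions v3_ca -subj "/CN=Example Local Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_server_cert() {  # $1 = working dir, $2 = server DNS name
    openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
        -subj "/CN=$2" -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -sha256 -days 365 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/pki.cnf" -extensions v3_server -out "$1/server.crt" 2>/dev/null
}

# Succeeds only if server.crt chains to ca.crt and its SAN covers the host name.
cert_valid_for() {  # $1 = working dir, $2 = host name to check
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

work=$(mktemp -d)
host=secretserver.example.test
write_config "$work" "$host"
make_ca "$work"
issue_server_cert "$work" "$host"
cert_valid_for "$work" "$host" && echo "OK: $work/server.crt is valid for $host"
```

Import ca.crt into the trusted root store of each computer that runs the browser, and install server.crt with server.key on the Secret Server nodes. Keep ca.key off those machines, since anyone holding it can issue certificates that they will trust.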