Add --enable/disable-features=ChromeRootStoreUsed flag #330

Open
tumatanquang opened this issue May 18, 2024 · 2 comments

Comments

@tumatanquang

Since Chrome 105, they launched a feature called Chrome Root Store and Certificate Verifier, which is used to verify certificates independently instead of verifying by the operating system.

This feature will not trust all self-signed certificates, even if they have been added to the Trusted Root Certification Authorities store.

And also according to this article, adding the --enable-features=ChromeRootStoreUsed / --disable-features=ChromeRootStoreUsed flag when starting Chrome will enable (default) / disable this feature.

@paulirish
Member

@tumatanquang Thanks! Appreciate it!

Just so I'm sure I understand... you use --disable-features=ChromeRootStoreUsed when serving self-signed certs?

@tumatanquang
Author

@paulirish Chrome versions < 105 use platform certificate verification, meaning that any certificate only needs to be added to the Trusted Root Certification Authorities store to be trusted when accessing HTTPS.

But from Chrome version 105 onwards, they have Chrome Root Store and Certificate Verifier instead of platform certificate verifier. This means that all certificates (not just self-signed certificates) that are not in the Chrome Root Store will receive a Your connection is not private warning that includes a message that reads NET::ERR_CERT_AUTHORITY_INVALID.

The flag --enable-features=ChromeRootStoreUsed has the function of enabling the use of Chrome Root Store and Certificate Verifier. However, this functionality is enabled by default, so this flag is not needed.

Conversely, the flag --disable-features=ChromeRootStoreUsed simply means that it will disable the use of Chrome Root Store and Certificate Verifier, reverting to the use of platform certificate verifiers. This is useful for those who want to use self-signed certificates or whose certificate provider has not been/is not included in the Chrome Root Store.
