Add --enable/disable-features=ChromeRootStoreUsed flag

[tumatanquang]

Since Chrome 105, they launched a feature called Chrome Root Store and Certificate Verifier, which is used to verify certificates independently instead of verifying by the operating system.

This feature will not trust all self-signed certificates, even if they have been added to the Trusted Root Certification Authorities store.

And also according to this article, adding the --enable-features=ChromeRootStoreUsed / --disable-features=ChromeRootStoreUsed flag when starting Chrome will enable (default) / disable this feature.

[paulirish]

@tumatanquang Thanks! Appreciate it!

Just so I'm sure I understand... you use --disable-features=ChromeRootStoreUsed when serving self-signed certs?

[tumatanquang]

@paulirish Chrome versions < 105 use platform certificate verification, meaning that any certificate that only needs to be added to the Trusted Root Certification Authorities store will be trusted when accessing HTTPS.

But from Chrome version 105 onwards, they have Chrome Root Store and Certificate Verifier instead of platform certificate verifier. This means that all certificates (not just self-signed certificates) that are not in the Chrome Root Store will receive a Your connection is not private warning that includes a message that reads NET::ERR_CERT_AUTHORITY_INVALID.

The flag --enable-features=ChromeRootStoreUsed has the function of enabling the use of Chrome Root Store and Certificate Verifier. However, this functionality is enabled by default, so this flag is not needed.

Conversely, the flag --disable-features=ChromeRootStoreUsed simply means that it will disable the use of Chrome Root Store and Certificate Verifier, reverting to the use of platform certificate verifiers. This is useful for those who want to use self-signed certificates or whose certificate provider has not been/is not included in the Chrome Root Store.