86

I have searched for a way to do this and never found a good answer, though there have been tickets created in the past (#142818 & #405549).

Apparently, the Chromium devs never created a chrome://flags override for "broken" SSL with password saving. This would seem to be the easiest way to fix this annoying "feature" (via flags). I DO understand completely why they block it by default.

Has anyone been able to get this to work? I can live with the warning - just not the lack of password saving. I spend most of my workday in an admin/dev environment and need to keep re-entering passwords dozens of times a day (copy/paste).

EDIT (20 Feb 2023)
Please note Firefox DOES save and offer a password once you get past the warning/exempt site page. This Question is strictly in regards to Chrome. There is still no way to allow this similar to Firefox as far as I know (via flags or an exempt sites 'list').

B. Shea
  • 1,388

7 Answers

39

I did not know about this option before today, but it appears that Chrome does have a flag for allowing insecure certificates from the localhost origin. This option is available from the chrome://flags/#allow-insecure-localhost page:

Screenshot

This will only help you for self-signed certificates on the localhost origin, and I have not tested it to see if it actually fixes your problem with the password manager, but it looks promising.

heavyd
  • 65,321
20

Alternatively, you can start Chrome with a command line switch --unsafely-treat-insecure-origin-as-secure="http://example.com" or go to chrome://flags/#unsafely-treat-insecure-origin-as-secure and enter your unsafe origin, e.g. http://example.com.

niutech
  • 1,126
6

Navigate to chrome://flags/#allow-insecure-localhost.

Then click "Enable".

Just be extremely wary that this is a major security flaw.

Edit: Linking to chrome://flags/ no longer works because Chrome no longer allows hyperlinks to the Chrome protocol, due to security concerns regarding the use of URL encoding in hyperlinks to the protocol. Certain URL-encoded strings would crash older versions of Chrome. Rather than fixing this issue, they completely eliminated the option for hyperlinks. So just navigate to that location by copying and pasting the link.

B. Shea
  • 1,388
3

You just have to create an entry manually in the password manager, specifying the exact base URL you're using, the username and password. Reload the page, start writing the username, and the password dropdown will appear.

2

I suggest you use a macro (iMacros) instead of breaking Chrome's security defaults; that is also better for protecting you from viruses.

Edit:

  • Download the iMacros Chrome extension
  • Install it
  • Open a new Chrome tab
  • Open iMacros
  • Then move to the Record section and press Record
  • In the new tab, go to the login page
  • Fill in your username and password
  • Press login
  • Then stop recording and save the page

And voilà, now you can play your recorded macro from the bookmark section to log in effortlessly.

1

None of these worked for me. I ended up following a combination of the PowerShell answers from here, adding the -NotAfter flag as well, slightly modified to use copy and paste from the comments instead of exporting the cert. Once I had all this working for the correct domains, Chrome stopped saying the cert was invalid and prompted to save the password.

To create the new certificate for your specific domain:

Open PowerShell ISE as admin and run the command:

New-SelfSignedCertificate -DnsName *.mydomain.com, localhost -CertStoreLocation cert:\LocalMachine\My

To trust the new certificate:

  • Open mmc.exe
  • Go to Console Root -> Certificates (Local Computer) -> Personal
  • Select the certificate you have created, copy
  • Go to Console Root -> Certificates -> Trusted Root Certification Authorities, paste

To bind the certificate to your site:

  • Open IIS Manager
  • Select your site and choose Edit Site -> Bindings in the right pane
  • Add new https binding with the correct hostname and the new certificate

BlackICE
  • 121
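
A scripted version of the three steps in the answer above (create, trust, bind), as an added example that is not part of the original post. The site name, host header, one-year -NotAfter lifetime and the non-exportable key policy are assumptions; the DNS names are the ones used in the answer.

```powershell
#Requires -RunAsAdministrator
# Added example. Values marked "assumed" are placeholders, not taken from the answer.
$dnsNames = '*.mydomain.com', 'localhost'   # names used in the answer above
$siteName = 'Default Web Site'              # assumed IIS site name
$hostName = 'dev.mydomain.com'              # assumed host header, covered by the wildcard
$validTo  = (Get-Date).AddYears(1)          # assumed lifetime passed to -NotAfter

# 1. Create the certificate in the machine's Personal store.
#    The key is marked non-exportable: once this certificate is trusted as a root,
#    whoever holds its private key can impersonate the listed names on this machine.
$cert = New-SelfSignedCertificate -DnsName $dnsNames `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -NotAfter $validTo `
    -KeyExportPolicy NonExportable `
    -FriendlyName 'Local dev TLS (self-signed)'

# 2. Trust it: copy only the public certificate into Trusted Root
#    (the scripted equivalent of the mmc.exe copy and paste).
$cerPath = Join-Path $env:TEMP "$($cert.Thumbprint).cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Remove-Item $cerPath

# 3. Bind it to the site. Assumes no https binding exists yet for this host
#    header; -SslFlags 1 enables SNI so the binding is tied to the hostname.
Import-Module WebAdministration
New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 4. Confirm what is now trusted and when it expires.
Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object Thumbprint -eq $cert.Thumbprint |
    Format-List Subject, DnsNameList, NotAfter, Thumbprint
```

When the environment is retired, delete the entry from Cert:\LocalMachine\Root by its thumbprint so the machine stops trusting it.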
0

chrome://flags/#legacy-tls-enforced

With this Chrome flag set to Disabled, Chrome ignores the security enforcement and enables the password manager on TLS 1.0 sites too.

c3k
  • 1
  • 1