Trusting a self-signed certificate


#1

Hi there,

I’m trying to build an atom-shell application that runs an HTTPS server with a self-signed certificate, then embeds that as an iframe. However, this doesn’t work out of the box because the certificate authority is not trusted, so the browser engine refuses to load the page.

One way to fix this is to add my custom certificate authority to my operating system keystore, but I don’t want to do this. Instead, I’d like to do this at the application-level… is there a way to tell my atom-shell application to trust my custom root CA?

Thanks!


#2

There is an --ignore-certificate-errors flag in Chromium. One thing to know is that Chromium doesn’t allow cache on sites with invalid certs, but a patch could be applied to fix that.


#3

You’re right, I also found the --ignore-certificate-errors Chromium flag, but I see two problems with using it:

  1. It doesn’t actually work: this flag is not passed from atom-shell down to the Chromium engine.
  2. Allowing access from ALL untrusted sources is a bit more dangerous than allowing access to JUST my custom CA.

#4

I was running through the issues with this as a thought experiment for something and immediately came upon this as one of the top Google search results. Has this been resolved? Can we register a custom CA for just the application without trusting all invalid certificates?
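
Added example, not part of the thread and not code from atom-shell itself: a sketch of the narrower trust that post #3 asks for, using the `certificate-error` event of Electron (the later name of atom-shell) to accept one pinned certificate for one origin while every other certificate error stays fatal. It pins the server's certificate rather than registering a root CA; the origin, the fingerprint value and the function names are assumptions made for illustration.

```javascript
// Assumed values for illustration: the origin of the app's own HTTPS server
// and the fingerprint of its self-signed certificate (constructed placeholder).
const PINNED_ORIGIN = 'https://localhost:8443';
const PINNED_FINGERPRINT = 'sha256/PLACEHOLDER-FINGERPRINT-OF-LOCAL-SERVER-CERT=';

// Decide whether a certificate that failed normal validation may be accepted.
// Only the app's own origin presenting the exact pinned certificate passes.
function shouldTrust(url, certificate) {
  let origin;
  try {
    origin = new URL(url).origin;
  } catch (err) {
    return false; // unparsable URL: never trust
  }
  if (origin !== PINNED_ORIGIN) return false;
  return Boolean(certificate) && certificate.fingerprint === PINNED_FINGERPRINT;
}

// Wire the decision into Electron's `certificate-error` event.
// `app` is the object exported by require('electron') in the main process.
function registerPinnedTrust(app) {
  app.on('certificate-error', (event, webContents, url, error, certificate, callback) => {
    if (shouldTrust(url, certificate)) {
      event.preventDefault(); // suppress the default rejection
      callback(true);         // accept this one certificate
    } else {
      callback(false);        // every other certificate error stays fatal
    }
  });
}
```

Unlike --ignore-certificate-errors, this leaves validation on for every other site, and a changed certificate on the pinned origin is rejected until the pinned fingerprint is updated.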