Skip to Content

If you are using Google Chrome and SAP Passport and you are tired of constantly selecting certificates while browsing SAP sites I have something for you. The following procedure has been tested on Windows 8.1 Enterprise and Chrome 30÷37, but should work on Windows 7/8 as well as other Chrome versions:

  1. Download and extract Chrome policy templates from here: http://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
  2. Start the Local Group Policy Editor: Start > Run > gpedit.msc > OK
  3. Right-click on Computer Policy > Computer Configuration > Administrative Templates and choose Add/Remove Templates…
  4. Click Add…, choose policy_templates\windows\adm\en-US\chrome.adm (from the already downloaded and extracted policy templates) and click Open (Note: if your Windows language is different from en-US choose the chrome.adm from the respective language folder)
  5. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > Google > Google Chrome > Content Settings
  6. Double-click on Automatically select client certificates for these sites
  7. Click Enabled
  8. Click Show… in the Options pane
  9. Consecutively add the following lines:

    {“pattern”:”https://[*.]sap.corp“,”filter”:{“ISSUER”:{“CN”:”SAP Passport CA“}}}

    {“pattern”:”https://[*.]sap.com“,”filter”:{“ISSUER”:{“CN”:”SAP Passport CA“}}}

    {“pattern”:”https://[*.]sap-ag.de“,”filter”:{“ISSUER”:{“CN”:”SAP Passport CA“}}}

  10. Click OK
  11. Re-launch Chrome
  12. Done. No more annoying pop-ups!


If you’re on a Mac you’ll have to create/edit file /Library/Preferences/com.google.Chrome.plist and insert the following code (extend it for more server addresses):

<plist version=”1.0″>

<dict>

  <key>AutoSelectCertificateForUrls</key>

   <array>

     <string>{“pattern”:”[*.]sap.corp”,”filter”:{“ISSUER”:{“CN”:”SAP Passport CA“}}}</string>

     <string>{“pattern”:”[*.]sap.com”,”filter”:{“ISSUER”:{“CN”:”SAP Passport CA“}}}</string>

     <string>{“pattern”:”[*.]sap-ag.de”,”filter”:{“ISSUER”:{“CN”:”SAP Passport CA“}}}</string>

   </array>

</dict>

</plist>

Note: for some users (SAP employees and not partners/clients) the issuer should be SSO_CA instead of SAP Passport CA


Special thanks to Steffen Froehlich and Boris Tsirulnik for their contribution to this post!

To report this post you need to login first.

47 Comments

You must be Logged on to comment or reply to a post.

  1. Steffen Froehlich

    I just want to add here if you’re on a Mac you’ll have to create/edit file “/Library/Preferences/com.google.Chrome.plist” and insert following code (extend it for more server addresses):

    <plist version=”1.0″>

    <dict>

      <key>AutoSelectCertificateForUrls</key>

       <array>

         <string>{“pattern”:”[*.]sap.corp”,”filter”:{“ISSUER”:{“CN”:”SSO_CA”}}}</string>

         <string>{“pattern”:”[*.]sap.com”,”filter”:{“ISSUER”:{“CN”:”SSO_CA”}}}</string>

         <string>{“pattern”:”[*.]sap-ag.de”,”filter”:{“ISSUER”:{“CN”:”SSO_CA”}}}</string>

       </array>

    </dict>

    </plist>

    Watch the result in chrome via URL: “chrome://policy

    cheers,

    Steffen

    (0) 
    1. Peter Simon

      “SSO_CA” is an SAP internal certificate name.

      SAP customers will get a different certificate who’s name currently is “SAP Passport CA

      (0) 
    1. Geraldo Augusto Vecchiato

      Thanks Peter,

      I tryed the tool you mentioned and it created the registry entries, but it didn’t work. I think the problem is that Chrome doesn’t read the registry entries any more. See this note in the Chrome page:

      Note: starting with Chrome 28, policies are loaded directly from the Group Policy API on Windows. Policies manually written to the registry will be ignored. See http://crbug.com/259236 for details. [source: Policy List – The Chromium Projects]

      Regards,

      Geraldo

      (0) 
      1. Peter Simon

        HI Geraldo,

        thanks for your feedback.

        Very interesting!

        My Chrome installation (version Version 32.0.1700.102 m) is still reading from the registry.

        Would it be possible for you to check two things:

        1. run http://www.sysinternals.com‘s procmon.exe with filter “Process Name is chrome.exe”
          1. close all chrome windows
          2. Start chrome and try connect to http://service.sap.com/notes
          3. Stop collecting information in procmon.exe and export the result to a file
        2. what is chrome showing to you if you type chrome://Policy in the address bar?

        Thanks for helping me.

        regards

        Peter

        (0) 
          1. Ivan Vazharov Post author

            I confirm that direct modification in the Windows registry is not working for versions >=28. This is the reason I ignored this approach when I wrote this guide. I have tried on multiple workstations and it was simply not working.

            For some people with version >=35 and workstation joined to an Active Directory domain the registry modification may work.

            For more information: Policy List – The Chromium Projects

            (0) 
  2. Boris Tsirulnik

    It’s possible to use regular expressions so no need to add every single host in the settings.

    I also had to change the issuer to “SSO_CA”.

    I used these lines:

    {“pattern”:”https://*.sap.corp“,”filter”:{“ISSUER”:{“CN”:”SSO_CA”}}}

    {“pattern”:”https://*.sap.com“,”filter”:{“ISSUER”:{“CN”:”SSO_CA”}}}

    {“pattern”:”https://*.sap-ag.de“,”filter”:{“ISSUER”:{“CN”:”SSO_CA”}}}

    Regards,

    Boris

    (0) 
    1. Ivan Vazharov Post author

      These doesn’t work for me. In fact it was the first thing I tried.

      Edit: It turns out that it actually works! Maybe I did some mistake the first time I tried. Thanks a lot!

      (0) 
      1. Girish Raghunath

        And BTW you should use [*.] and not just * for pattern matching.

        {“pattern”:”[*.]sap.corp”,”filter”:{“ISSUER”:{“CN”:”SSO_CA”}}}

        {“pattern”:”[*.]sap.com”,”filter”:{“ISSUER”:{“CN”:”SSO_CA”}}}

        {“pattern”:”[*.]sap-ag.de”,”filter”:{“ISSUER”:{“CN”:”SSO_CA”}}}

        (0) 
  3. Satheesh Ilu

    Thank you Ivan !  Works like a charm. I used the below three only and it covers everything.

    {“pattern”:”[*.]sap.corp”,”filter”:{“ISSUER”:{“CN”:”SSO_CA”}}}

    {“pattern”:”[*.]sap.com”,”filter”:{“ISSUER”:{“CN”:”SSO_CA”}}}

    {“pattern”:”[*.]sap-ag.de”,”filter”:{“ISSUER”:{“CN”:”SSO_CA”}}}

    (0) 
  4. Thomas Froehlich

    Thanks a lot guys!

    I prefer the second one, but the first one also works.

    How to automatically select SAP client certificate in Google Chrome

    Avoid Certification Selection Popup in Google Chrome

    Simply create a text file rename it to cert.reg and execute it.

    cert.reg

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls]
    "1"="{\"pattern\":\"https://[*.]wdf.sap.corp\",\"filter\":{\"ISSUER\":{\"CN\":\"SSO_CA\"}}}"
    "2"="{\"pattern\":\"http://[*.]wdf.sap.corp\",\"filter\":{\"ISSUER\":{\"CN\":\"SSO_CA\"}}}"
    
    
    (0) 
  5. Yin Huang

    Thanks a lot. Finally it works with below entries.

    {“pattern”:”[*.]sap.corp”,”filter”:{“ISSUER”:{“CN”:”SSO_CA”}}}

    {“pattern”:”[*.]sap.com”,”filter”:{“ISSUER”:{“CN”:”SSO_CA”}}}

    {“pattern”:”[*.]sap-ag.de”,”filter”:{“ISSUER”:{“CN”:”SSO_CA”}}}

    (0) 
  6. Guilherme Dellagustin

    Very good article, simple to follow and with a very useful content.

    Points for improvement: Update the article with valuable information that can be found in the comments such as usage of patterns for domain selection and information for MAC users.

    (0) 
  7. Johann Dornbach

    this is one of these posts that take 5 minutes to implement, and consecutively make life much, much easier, saving tons of clicks (and frustration).

    GREAT GREAT GREAT!

    THANKS!

    (0) 
  8. Gadde Shrinivas

    For Mac OS X Yosemite users updating com.google.Chrome.plist or com.google.Chrome.manifest will not help. To make it work in Yosemite execute below four commands in terminal app to have the Chrome policy updated:

    defaults write com.google.Chrome AutoSelectCertificateForUrls -array

    defaults write com.google.Chrome AutoSelectCertificateForUrls -array-add -string ‘{“pattern”:”[*.]sap.corp”,”filter”:{“ISSUER”:{“CN”:”SAP Passport CA”}}}’

    defaults write com.google.Chrome AutoSelectCertificateForUrls -array-add -string ‘{“pattern”:”[*.]sap.com”,”filter”:{“ISSUER”:{“CN”:”SAP Passport CA”}}}’

    defaults write com.google.Chrome AutoSelectCertificateForUrls -array-add -string ‘{“pattern”:”[*.]sap-ag.de”,”filter”:{“ISSUER”:{“CN”:”SAP Passport CA”}}}’

    You can verify the policy update by opening URL chrome://policy/ in Chrome browser.

    Screen Shot 2015-04-01 at 19.32.44.png

    (0) 
  9. Dave Cucura

    Finally worked for me too after a lot of trial and error!

    Simply adding:

    {“pattern”:”[*.]sap.corp”,”filter”:{“ISSUER”:{“CN”:”SSO_CA”}}}

    {“pattern”:”[*.]sap.com”,”filter”:{“ISSUER”:{“CN”:”SSO_CA”}}}

    {“pattern”:”[*.]sap-ag.de”,”filter”:{“ISSUER”:{“CN”:”SSO_CA”}}}

    into the AutoSelectCertificateForUrls Chrome registry key does work. Thank goodness because darn was that annoying.

    (0) 
  10. Annette Klute

    Thanks a lot for this post, unfortunately this does not work for me. I tried entering the 3 patterns, also tried excaping the double quotes, but that did not help.

    I have chrome Version 50.0.2661.87

    Update: I figured out what was wrong. I added https:// before [*.]sap.corp. That did the trick.

    (0) 

Leave a Reply