
How to automatically select SAP client certificate in Google Chrome

If you are using Google Chrome and SAP Passport and you are tired of constantly selecting certificates while browsing SAP sites, I have something for you. The following procedure has been tested on Windows 8.1 Enterprise and Chrome 30 to 37, but should work on Windows 7/8 as well as other Chrome versions:

  1. Download and extract Chrome policy templates from here:
  2. Start the Local Group Policy Editor: Start > Run > gpedit.msc > OK
  3. Right-click on Computer Policy > Computer Configuration > Administrative Templates and choose Add/Remove Templates…
  4. Click Add…, choose policy_templates\windows\adm\en-US\chrome.adm (from the already downloaded and extracted policy templates) and click Open (Note: if your Windows language is different from en-US choose the chrome.adm from the respective language folder)
  5. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > Google > Google Chrome > Content Settings
  6. Double-click on Automatically select client certificates for these sites
  7. Click Enabled
  8. Click Show… in the Options pane
  9. Consecutively add the following lines:

    {"pattern":"https://[*.]sap.corp","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}

    {"pattern":"https://[*.]","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}

    {"pattern":"https://[*.]","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}

  10. Click OK
  11. Re-launch Chrome
  12. Done. No more annoying pop-ups!

If you’re on a Mac you’ll have to create/edit file /Library/Preferences/ and insert the following code (extend it for more server addresses):

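<plist version="1.0">
<dict>
     <!-- AutoSelectCertificateForUrls is the Chrome policy key behind "Automatically select client certificates for these sites" -->
     <key>AutoSelectCertificateForUrls</key>
     <array>
          <string>{"pattern":"[*.]sap.corp","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}</string>
          <string>{"pattern":"[*.]","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}</string>
          <string>{"pattern":"[*.]","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}</string>
     </array>
</dict>
</plist>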
Note: for some users (SAP employees and not partners/clients) the issuer should be SSO_CA instead of SAP Passport CA
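
Because each policy entry is a JSON string that Chrome parses, an entry pasted with typographic quotes or without an issuer filter will not behave as intended. The following is an added example, not part of the original post: a small Python check for such entries before they go into the policy. The function name `lint_entry`, its messages and the sample entries are assumptions made for illustration.

```python
import json

# Typographic quotes that blog engines and word processors substitute for ASCII ".
SMART_QUOTES = "\u201c\u201d\u201e\u201f\u2018\u2019"

def lint_entry(entry):
    """Return a list of problems in one policy list entry (empty list = OK)."""
    problems = []
    if any(ch in entry for ch in SMART_QUOTES):
        problems.append("contains typographic quotes; retype with ASCII quotes")
    try:
        obj = json.loads(entry)
    except json.JSONDecodeError as exc:
        return problems + ["not valid JSON: " + exc.msg]
    if not isinstance(obj, dict):
        return problems + ["entry is not a JSON object"]

    pattern = obj.get("pattern")
    if not isinstance(pattern, str) or not pattern:
        problems.append("missing 'pattern'")
    else:
        if "://" in pattern and not pattern.startswith("https://"):
            problems.append("pattern scheme is not https")
        # Host part: drop scheme and path, then the [*.] subdomain wildcard.
        host = pattern.split("://", 1)[-1].split("/", 1)[0]
        if not host.replace("[*.]", "").strip("*."):
            problems.append("pattern has no host name after the wildcard")

    # Without an issuer CN the entry does not pin selection to one CA.
    flt = obj.get("filter")
    issuer = flt.get("ISSUER") if isinstance(flt, dict) else None
    cn = issuer.get("CN") if isinstance(issuer, dict) else None
    if not cn:
        problems.append("no filter.ISSUER.CN: issuing CA is not restricted")
    return problems

# Constructed samples: the first entry from the post in ASCII quotes, plus broken variants.
GOOD = '{"pattern":"https://[*.]sap.corp","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}'
SAMPLES = {
    "good": GOOD,
    "curly": GOOD.replace('"', "\u201c"),
    "no_issuer": '{"pattern":"https://[*.]sap.corp","filter":{}}',
    "no_host": '{"pattern":"https://[*.]","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}',
}

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        print(name, lint_entry(entry) or "OK")
```
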

Special thanks to Steffen Froehlich and Boris Tsirulnik for their contribution to this post!
