How to automatically select SAP client certificate in Google Chrome
If you are using Google Chrome and SAP Passport and you are tired of constantly selecting certificates while browsing SAP sites I have something for you. The following procedure has been tested on Windows 8.1 Enterprise and Chrome 30÷37, but should work on Windows 7/8 as well as other Chrome versions:
- Download and extract Chrome policy templates from here: http://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
- Start the Local Group Policy Editor: Start > Run > gpedit.msc > OK
- Right-click on Computer Policy > Computer Configuration > Administrative Templates and choose Add/Remove Templates…
- Click Add…, choose policy_templates\windows\adm\en-US\chrome.adm (from the already downloaded and extracted policy templates) and click Open (Note: if your Windows language is different from en-US choose the chrome.adm from the respective language folder)
- Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > Google > Google Chrome > Content Settings
- Double-click on Automatically select client certificates for these sites
- Click Enabled
- Click Show… in the Options pane
- Consecutively add the following lines:
{“pattern”:”https://[*.]sap.corp“,”filter”:{“ISSUER”:{“CN”:”SAP Passport CA“}}}
{“pattern”:”https://[*.]sap.com“,”filter”:{“ISSUER”:{“CN”:”SAP Passport CA“}}}
{“pattern”:”https://[*.]sap-ag.de“,”filter”:{“ISSUER”:{“CN”:”SAP Passport CA“}}}
- Click OK
- Re-launch Chrome
- Done. No more annoying pop-ups!
If you’re on a Mac you’ll have to create/edit file /Library/Preferences/com.google.Chrome.plist and insert the following code (extend it for more server addresses):
<plist version=”1.0″>
<dict>
<key>AutoSelectCertificateForUrls</key>
<array>
<string>{“pattern”:”[*.]sap.corp”,”filter”:{“ISSUER”:{“CN”:”SAP Passport CA“}}}</string>
<string>{“pattern”:”[*.]sap.com”,”filter”:{“ISSUER”:{“CN”:”SAP Passport CA“}}}</string>
<string>{“pattern”:”[*.]sap-ag.de”,”filter”:{“ISSUER”:{“CN”:”SAP Passport CA“}}}</string>
</array>
</dict>
</plist>
Note: for some users (SAP employees and not partners/clients) the issuer should be SSO_CA instead of SAP Passport CA
Special thanks to Steffen Froehlich and Boris Tsirulnik for their contribution to this post!
I've tested it on Windows 7 Enterprise, and it is working. Very helpful post!
I just want to add here if you're on a Mac you'll have to create/edit file "/Library/Preferences/com.google.Chrome.plist" and insert following code (extend it for more server addresses):
<plist version="1.0">
<dict>
<key>AutoSelectCertificateForUrls</key>
<array>
<string>{"pattern":"[*.]sap.corp","filter":{"ISSUER":{"CN":"SSO_CA"}}}</string>
<string>{"pattern":"[*.]sap.com","filter":{"ISSUER":{"CN":"SSO_CA"}}}</string>
<string>{"pattern":"[*.]sap-ag.de","filter":{"ISSUER":{"CN":"SSO_CA"}}}</string>
</array>
</dict>
</plist>
Watch the result in chrome via URL: "chrome://policy"
cheers,
Steffen
Thanks, Steffen!
Could you please add this to the post?
"SSO_CA" is an SAP internal certificate name.
SAP customers will get a different certificate who's name currently is "SAP Passport CA"
Thanks - directly works.
Thank you Ivan and Steffen!
I had to change the issuer to {"ISSUER":{"CN":"SSO_CA"} also.
Works great!
Hi Ivan.
Thanks for sharing.
Unfortunately Windows 8 is missing gpedit.msc. Only Windows 8 Pro has this editor.
Please have a look at my Blog:
Avoid Certification Selection Popup in Google Chrome
There is no solution for the Windows Home/Ultimate/etc - non - pro editions.
within these editions not only the gpedit.msc (group policy editor) is missing, but also the GroupPolicyAPI, which is used by chrome, is dead (no operation).
🙁
regards
Peter
Thanks Peter,
I tryed the tool you mentioned and it created the registry entries, but it didn't work. I think the problem is that Chrome doesn't read the registry entries any more. See this note in the Chrome page:
Note: starting with Chrome 28, policies are loaded directly from the Group Policy API on Windows. Policies manually written to the registry will be ignored. See http://crbug.com/259236 for details. [source: Policy List - The Chromium Projects]
Regards,
Geraldo
HI Geraldo,
thanks for your feedback.
Very interesting!
My Chrome installation (version Version 32.0.1700.102 m) is still reading from the registry.
Would it be possible for you to check two things:
Thanks for helping me.
regards
Peter
Hi Peter,
My Chrome version is the same (32.0.1700.102 m).
I did the test you requested. The result file is in this link: http://goo.gl/J3usig
If I type chrome://policy it shows that nothing is defined.
Regards,
Geraldo
I confirm that direct modification in the Windows registry is not working for versions >=28. This is the reason I ignored this approach when I wrote this guide. I have tried on multiple workstations and it was simply not working.
For some people with version >=35 and workstation joined to an Active Directory domain the registry modification may work.
For more information: Policy List - The Chromium Projects
It's possible to use regular expressions so no need to add every single host in the settings.
I also had to change the issuer to "SSO_CA".
I used these lines:
{"pattern":"https://*.sap.corp","filter":{"ISSUER":{"CN":"SSO_CA"}}}
{"pattern":"https://*.sap.com","filter":{"ISSUER":{"CN":"SSO_CA"}}}
{"pattern":"https://*.sap-ag.de","filter":{"ISSUER":{"CN":"SSO_CA"}}}
Regards,
Boris
These doesn't work for me. In fact it was the first thing I tried.
Edit: It turns out that it actually works! Maybe I did some mistake the first time I tried. Thanks a lot!
Try chrome://policy on chrome and check if the policies are actually loaded. If they are loaded then it should work.
And BTW you should use [*.] and not just * for pattern matching.
{"pattern":"[*.]sap.corp","filter":{"ISSUER":{"CN":"SSO_CA"}}}
{"pattern":"[*.]sap.com","filter":{"ISSUER":{"CN":"SSO_CA"}}}
{"pattern":"[*.]sap-ag.de","filter":{"ISSUER":{"CN":"SSO_CA"}}}
This worked for me (the [*.] as a pattern).
Hi Boris,
please refere to Avoid Certification Selection Popup in Google Chrome
I am using Mac. I find another useful way to let system automatically select SAP client certificates. Please check this link http://productforums.google.com/forum/#!topic/chrome/7yOZ6OFuPaw
Ivan! You're a life saver! Thanks a ton!
Thank you Ivan ! Works like a charm. I used the below three only and it covers everything.
{"pattern":"[*.]sap.corp","filter":{"ISSUER":{"CN":"SSO_CA"}}}
{"pattern":"[*.]sap.com","filter":{"ISSUER":{"CN":"SSO_CA"}}}
{"pattern":"[*.]sap-ag.de","filter":{"ISSUER":{"CN":"SSO_CA"}}}
Work perfectly. Thank you a lot.
Thanks a lot guys!
I prefer the second one, but the first one also works.
How to automatically select SAP client certificate in Google Chrome
Avoid Certification Selection Popup in Google Chrome
Simply create a text file rename it to cert.reg and execute it.
cert.reg
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls] "1"="{\"pattern\":\"https://[*.]wdf.sap.corp\",\"filter\":{\"ISSUER\":{\"CN\":\"SSO_CA\"}}}" "2"="{\"pattern\":\"http://[*.]wdf.sap.corp\",\"filter\":{\"ISSUER\":{\"CN\":\"SSO_CA\"}}}"Hi Ivan Vazharov,
Thanks a lot.
It is working perfect 🙂
Regards
Sudhir Sadhu
Thank you for sharing!!
Great instructions! Thanks!
Thanks a lot. Finally it works with below entries.
{"pattern":"[*.]sap.corp","filter":{"ISSUER":{"CN":"SSO_CA"}}}
{"pattern":"[*.]sap.com","filter":{"ISSUER":{"CN":"SSO_CA"}}}
{"pattern":"[*.]sap-ag.de","filter":{"ISSUER":{"CN":"SSO_CA"}}}
Thanks for sharing. It helps a lot!
Thanks, this work very well and it is really easy to do.
Very good article, simple to follow and with a very useful content.
Points for improvement: Update the article with valuable information that can be found in the comments such as usage of patterns for domain selection and information for MAC users.
Done.
Thanks, looks great now. I raised the rating to 5 stars.
Great thanks! It works!
Ivan, thanks a lot for this detailed description. It works very well and I am no longer bothered by (several) certificate selections.
I followed it in my windows 7 system and works well. Thanks for the steps!!
this is one of these posts that take 5 minutes to implement, and consecutively make life much, much easier, saving tons of clicks (and frustration).
GREAT GREAT GREAT!
THANKS!
Excellent!
Perfect. Pop ups stopped. excellent solution.
Awsome post! Finally stopped the annoyoing pop up! Thank you!
For Mac OS X Yosemite users updating com.google.Chrome.plist or com.google.Chrome.manifest will not help. To make it work in Yosemite execute below four commands in terminal app to have the Chrome policy updated:
defaults write com.google.Chrome AutoSelectCertificateForUrls -array
defaults write com.google.Chrome AutoSelectCertificateForUrls -array-add -string '{"pattern":"[*.]sap.corp","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}'
defaults write com.google.Chrome AutoSelectCertificateForUrls -array-add -string '{"pattern":"[*.]sap.com","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}'
defaults write com.google.Chrome AutoSelectCertificateForUrls -array-add -string '{"pattern":"[*.]sap-ag.de","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}'
You can verify the policy update by opening URL chrome://policy/ in Chrome browser.
Thanks a lot Ivan. This works exactly as described. I was looking for this since a long time now 🙂
Finally worked for me too after a lot of trial and error!
Simply adding:
{"pattern":"[*.]sap.corp","filter":{"ISSUER":{"CN":"SSO_CA"}}}
{"pattern":"[*.]sap.com","filter":{"ISSUER":{"CN":"SSO_CA"}}}
{"pattern":"[*.]sap-ag.de","filter":{"ISSUER":{"CN":"SSO_CA"}}}
into the AutoSelectCertificateForUrls Chrome registry key does work. Thank goodness because darn was that annoying.
Thank you very much! Steps worked for me after reloading policies at chrome://policy
Thanks a lot for this post, unfortunately this does not work for me. I tried entering the 3 patterns, also tried excaping the double quotes, but that did not help.
I have chrome Version 50.0.2661.87
Update: I figured out what was wrong. I added https:// before [*.]sap.corp. That did the trick.
Hi, works perfectly on my Mac OS X. Thanks a lot.
This does not work on UBUNTU (Linux) - does anybody has instructions to make this work on linux?
For the new Chromium based Microsoft Edge you can just copy "com.google.Chrome.plist" into the file "com.microsoft.Edge.plist" and it will for work for the new Microsoft Edge too.
As of 2020 the whole thing is different. I was trying to replicate the same for Brave Browser but it's a mess.
First of all, the CA seems now to be "SAP SSO CA G2".
Having said this Chrome seems to have its PLIST file created automatically now and it uses a way to parse info that is not human friendly:
I tried to duplicate it and rename it as com.brave.Browser.plist but as soon as you launch Brave the plist is instantly deleted. I assume that those strange character at the end make it very Chrome specific.
Hi Marco, you can edit it with Xcode's PLIST editor. Just double-click in Finder with Xcode installed.
Coming back to this thread; this still works under Monterey and with Brave. Just
Then restart Brave and verify under
Y'all,
I had posted about this before, and even forgot about it.
Since Brave had stopped working for me (i.e., kept showing the certificate screen again as of recently), I had pushed the task out like "oh well, whatever I did last time, will have to Google it." Fortunately, my friend Charles Moore pointed me to this article, where I found my own comment.
Well, the file
/Library/Managed\ Preferences/$USER/com.brave.Browser.plisthad disappeared... So let's redo the work.
First, we create a copy of the file:
Then, we convert it to XML:
Then we edit that file we just put on our Desktop. We can do this with any text editor now. I'm pasting my whole file here, for reference:
Next, we close Brave, then copy the file back. We need to do this as root, hence the sudo:
We don't need to convert it back to binary format, actually.
Next, restart Brave, and check:
HTH,
M
Struggling for the same issue with chrome. Anyone have latest solution , please share , thanks