
How to automatically select SAP client certificate in Google Chrome

If you are using Google Chrome and SAP Passport and you are tired of constantly selecting certificates while browsing SAP sites, I have something for you. The following procedure has been tested on Windows 8.1 Enterprise and Chrome 30 to 37, but should work on Windows 7/8 as well as other Chrome versions:

  1. Download and extract Chrome policy templates from here: http://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
  2. Start the Local Group Policy Editor: Start > Run > gpedit.msc > OK
  3. Right-click on Computer Policy > Computer Configuration > Administrative Templates and choose Add/Remove Templates…
  4. Click Add…, choose policy_templates\windows\adm\en-US\chrome.adm (from the already downloaded and extracted policy templates) and click Open (Note: if your Windows language is different from en-US choose the chrome.adm from the respective language folder)
  5. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > Google > Google Chrome > Content Settings
  6. Double-click on Automatically select client certificates for these sites
  7. Click Enabled
  8. Click Show… in the Options pane
  9. Consecutively add the following lines:

    {"pattern":"https://[*.]sap.corp","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}

    {"pattern":"https://[*.]sap.com","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}

    {"pattern":"https://[*.]sap-ag.de","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}

  10. Click OK
  11. Re-launch Chrome
  12. Done. No more annoying pop-ups!


If you’re on a Mac you’ll have to create or edit the file /Library/Preferences/com.google.Chrome.plist and insert the following code (extend it for more server addresses):

<plist version="1.0">
<dict>
  <key>AutoSelectCertificateForUrls</key>
  <array>
    <string>{"pattern":"[*.]sap.corp","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}</string>
    <string>{"pattern":"[*.]sap.com","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}</string>
    <string>{"pattern":"[*.]sap-ag.de","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}</string>
  </array>
</dict>
</plist>

Note: for some users (SAP employees, not partners/clients) the issuer should be SSO_CA instead of SAP Passport CA.
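Because these entries let Chrome present a client certificate without asking, it is worth checking each value before loading it into the policy. The following lint is an added example, not part of the original post: `lint_entry`, its messages and the sample list are hypothetical, and the checks (typographic quotes, `http://` patterns, match-all patterns, missing issuer filter) are assumptions about what a reviewer would want flagged.

```python
import json

# Typographic quotes that blog editors and word processors substitute for ".
SMART_QUOTES = "\u201c\u201d\u201e\u2033"
DN_KEYS = {"CN", "L", "O", "OU"}  # attributes Chrome documents for ISSUER/SUBJECT


def lint_entry(entry):
    """Return the problems found in one AutoSelectCertificateForUrls value."""
    if any(ch in entry for ch in SMART_QUOTES):
        return ["typographic quotes: retype with plain ASCII double quotes"]
    try:
        rule = json.loads(entry)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(rule, dict):
        return ["entry must be a JSON object"]
    problems = []
    pattern = rule.get("pattern")
    if not isinstance(pattern, str) or not pattern:
        problems.append("missing pattern")
    elif pattern.startswith("http://"):
        problems.append("http:// pattern: client certificates are only used over TLS")
    elif pattern in ("*", "https://*"):
        problems.append("pattern matches every site")
    flt = rule.get("filter")
    if not isinstance(flt, dict) or not flt:
        problems.append("no ISSUER/SUBJECT filter: any installed client certificate may be selected")
    else:
        for section, dn in flt.items():
            if section not in ("ISSUER", "SUBJECT") or not isinstance(dn, dict):
                problems.append(f"unknown filter section {section!r}")
            elif not dn or set(dn) - DN_KEYS:
                problems.append(f"{section} may only use CN, L, O, OU")
    return problems


# Constructed sample values (hypothetical policy list, modelled on this page).
SAMPLES = [
    '{"pattern":"https://[*.]sap.com","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}',
    '{\u201cpattern\u201d:\u201dhttps://[*.]sap.corp\u201c,\u201dfilter\u201d:{}}',
    '{"pattern":"http://[*.]wdf.sap.corp","filter":{"ISSUER":{"CN":"SSO_CA"}}}',
    '{"pattern":"https://[*.]sap-ag.de","filter":{}}',
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(value, "->", lint_entry(value) or "ok")
```

After applying the policy, chrome://policy shows which entries Chrome actually loaded.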


Special thanks to Steffen Froehlich and Boris Tsirulnik for their contribution to this post!

50 Comments
  • I just want to add here: if you're on a Mac you'll have to create/edit the file "/Library/Preferences/com.google.Chrome.plist" and insert the following code (extend it for more server addresses):

    <plist version="1.0">

    <dict>

      <key>AutoSelectCertificateForUrls</key>

       <array>

         <string>{"pattern":"[*.]sap.corp","filter":{"ISSUER":{"CN":"SSO_CA"}}}</string>

         <string>{"pattern":"[*.]sap.com","filter":{"ISSUER":{"CN":"SSO_CA"}}}</string>

         <string>{"pattern":"[*.]sap-ag.de","filter":{"ISSUER":{"CN":"SSO_CA"}}}</string>

       </array>

    </dict>

    </plist>

    Watch the result in chrome via URL: "chrome://policy"

    cheers,

    Steffen

    • Thanks Peter,

      I tried the tool you mentioned and it created the registry entries, but it didn't work. I think the problem is that Chrome doesn't read the registry entries any more. See this note in the Chrome page:

      Note: starting with Chrome 28, policies are loaded directly from the Group Policy API on Windows. Policies manually written to the registry will be ignored. See http://crbug.com/259236 for details. [source: Policy List - The Chromium Projects]

      Regards,

      Geraldo

      • Hi Geraldo,

        thanks for your feedback.

        Very interesting!

        My Chrome installation (Version 32.0.1700.102 m) is still reading from the registry.

        Would it be possible for you to check two things:

        1. run www.sysinternals.com's procmon.exe with filter "Process Name is chrome.exe"
          1. close all chrome windows
          2. Start chrome and try connect to http://service.sap.com/notes
          3. Stop collecting information in procmon.exe and export the result to a file
        2. what is chrome showing to you if you type chrome://Policy in the address bar?

        Thanks for helping me.

        regards

        Peter

          • I confirm that direct modification in the Windows registry is not working for versions >=28. This is the reason I ignored this approach when I wrote this guide. I have tried on multiple workstations and it was simply not working.

            For some people with version >=35 and workstation joined to an Active Directory domain the registry modification may work.

            For more information: Policy List - The Chromium Projects

  • Thank you Ivan !  Works like a charm. I used the below three only and it covers everything.

    {"pattern":"[*.]sap.corp","filter":{"ISSUER":{"CN":"SSO_CA"}}}

    {"pattern":"[*.]sap.com","filter":{"ISSUER":{"CN":"SSO_CA"}}}

    {"pattern":"[*.]sap-ag.de","filter":{"ISSUER":{"CN":"SSO_CA"}}}

  • Thanks a lot guys!

    I prefer the second one, but the first one also works.

    How to automatically select SAP client certificate in Google Chrome

    Avoid Certification Selection Popup in Google Chrome

    Simply create a text file, rename it to cert.reg and execute it.

    cert.reg

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls]
    "1"="{\"pattern\":\"https://[*.]wdf.sap.corp\",\"filter\":{\"ISSUER\":{\"CN\":\"SSO_CA\"}}}"
    "2"="{\"pattern\":\"http://[*.]wdf.sap.corp\",\"filter\":{\"ISSUER\":{\"CN\":\"SSO_CA\"}}}"
    
    
  • Thanks a lot. Finally it works with below entries.

    {"pattern":"[*.]sap.corp","filter":{"ISSUER":{"CN":"SSO_CA"}}}

    {"pattern":"[*.]sap.com","filter":{"ISSUER":{"CN":"SSO_CA"}}}

    {"pattern":"[*.]sap-ag.de","filter":{"ISSUER":{"CN":"SSO_CA"}}}

  • Very good article, simple to follow and with a very useful content.

    Points for improvement: Update the article with valuable information that can be found in the comments such as usage of patterns for domain selection and information for MAC users.

  • This is one of these posts that take 5 minutes to implement, and consecutively make life much, much easier, saving tons of clicks (and frustration).

    GREAT GREAT GREAT!

    THANKS!

  • For Mac OS X Yosemite users, updating com.google.Chrome.plist or com.google.Chrome.manifest will not help. To make it work in Yosemite, execute the four commands below in the Terminal app to have the Chrome policy updated:

    defaults write com.google.Chrome AutoSelectCertificateForUrls -array

    defaults write com.google.Chrome AutoSelectCertificateForUrls -array-add -string '{"pattern":"[*.]sap.corp","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}'

    defaults write com.google.Chrome AutoSelectCertificateForUrls -array-add -string '{"pattern":"[*.]sap.com","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}'

    defaults write com.google.Chrome AutoSelectCertificateForUrls -array-add -string '{"pattern":"[*.]sap-ag.de","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}'

    You can verify the policy update by opening URL chrome://policy/ in Chrome browser.

  • Finally worked for me too after a lot of trial and error!

    Simply adding:

    {"pattern":"[*.]sap.corp","filter":{"ISSUER":{"CN":"SSO_CA"}}}

    {"pattern":"[*.]sap.com","filter":{"ISSUER":{"CN":"SSO_CA"}}}

    {"pattern":"[*.]sap-ag.de","filter":{"ISSUER":{"CN":"SSO_CA"}}}

    into the AutoSelectCertificateForUrls Chrome registry key does work. Thank goodness because darn was that annoying.

  • Thanks a lot for this post, unfortunately this does not work for me. I tried entering the 3 patterns, also tried escaping the double quotes, but that did not help.

    I have chrome Version 50.0.2661.87

    Update: I figured out what was wrong. I added https:// before [*.]sap.corp. That did the trick.

  • For the new Chromium-based Microsoft Edge you can just copy "com.google.Chrome.plist" into the file "com.microsoft.Edge.plist" and it will work for the new Microsoft Edge too.

     

  • As of 2020 the whole thing is different. I was trying to replicate the same for Brave Browser but it's a mess.
    First of all, the CA seems now to be "SAP SSO CA G2".

    Having said this Chrome seems to have its PLIST file created automatically now and it uses a way to parse info that is not human friendly:


    I tried to duplicate it and rename it as com.brave.Browser.plist but as soon as you launch Brave the plist is instantly deleted. I assume that those strange characters at the end make it very Chrome specific.