Skip to Content
Author's profile photo Ivan Vazharov

How to automatically select SAP client certificate in Google Chrome

If you are using Google Chrome and SAP Passport and you are tired of constantly selecting certificates while browsing SAP sites I have something for you. The following procedure has been tested on Windows 8.1 Enterprise and Chrome 30÷37, but should work on Windows 7/8 as well as other Chrome versions:

  1. Download and extract Chrome policy templates from here: http://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
  2. Start the Local Group Policy Editor: Start > Run > gpedit.msc > OK
  3. Right-click on Computer Policy > Computer Configuration > Administrative Templates and choose Add/Remove Templates…
  4. Click Add…, choose policy_templates\windows\adm\en-US\chrome.adm (from the already downloaded and extracted policy templates) and click Open (Note: if your Windows language is different from en-US choose the chrome.adm from the respective language folder)
  5. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > Google > Google Chrome > Content Settings
  6. Double-click on Automatically select client certificates for these sites
  7. Click Enabled
  8. Click Show… in the Options pane
  9. Consecutively add the following lines:

    {“pattern”:”https://[*.]sap.corp“,”filter”:{“ISSUER”:{“CN”:”SAP Passport CA“}}}

    {“pattern”:”https://[*.]sap.com“,”filter”:{“ISSUER”:{“CN”:”SAP Passport CA“}}}

    {“pattern”:”https://[*.]sap-ag.de“,”filter”:{“ISSUER”:{“CN”:”SAP Passport CA“}}}

  10. Click OK
  11. Re-launch Chrome
  12. Done. No more annoying pop-ups!


If you’re on a Mac you’ll have to create/edit file /Library/Preferences/com.google.Chrome.plist and insert the following code (extend it for more server addresses):

<plist version=”1.0″>

<dict>

  <key>AutoSelectCertificateForUrls</key>

   <array>

     <string>{“pattern”:”[*.]sap.corp”,”filter”:{“ISSUER”:{“CN”:”SAP Passport CA“}}}</string>

     <string>{“pattern”:”[*.]sap.com”,”filter”:{“ISSUER”:{“CN”:”SAP Passport CA“}}}</string>

     <string>{“pattern”:”[*.]sap-ag.de”,”filter”:{“ISSUER”:{“CN”:”SAP Passport CA“}}}</string>

   </array>

</dict>

</plist>

Note: for some users (SAP employees and not partners/clients) the issuer should be SSO_CA instead of SAP Passport CA


Special thanks to Steffen Froehlich and Boris Tsirulnik for their contribution to this post!

Assigned Tags

      51 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member

      I've tested it on Windows 7 Enterprise, and it is working. Very helpful post!

      Author's profile photo Steffen Froehlich
      Steffen Froehlich

      I just want to add here if you're on a Mac you'll have to create/edit file "/Library/Preferences/com.google.Chrome.plist" and insert following code (extend it for more server addresses):

      <plist version="1.0">

      <dict>

        <key>AutoSelectCertificateForUrls</key>

         <array>

           <string>{"pattern":"[*.]sap.corp","filter":{"ISSUER":{"CN":"SSO_CA"}}}</string>

           <string>{"pattern":"[*.]sap.com","filter":{"ISSUER":{"CN":"SSO_CA"}}}</string>

           <string>{"pattern":"[*.]sap-ag.de","filter":{"ISSUER":{"CN":"SSO_CA"}}}</string>

         </array>

      </dict>

      </plist>

      Watch the result in chrome via URL: "chrome://policy"

      cheers,

      Steffen

      Author's profile photo Ivan Vazharov
      Ivan Vazharov
      Blog Post Author

      Thanks, Steffen!

      Author's profile photo Guilherme Dellagustin
      Guilherme Dellagustin

      Could you please add this to the post?

      Author's profile photo Former Member
      Former Member

      "SSO_CA" is an SAP internal certificate name.

      SAP customers will get a different certificate who's name currently is "SAP Passport CA"

      Author's profile photo Jonathan Dees
      Jonathan Dees

      Thanks - directly works.

      Author's profile photo Steven Vazzano
      Steven Vazzano

      Thank you Ivan and Steffen! 

      I had to change the issuer to {"ISSUER":{"CN":"SSO_CA"} also. 

      Works great!

      Author's profile photo Former Member
      Former Member

      Hi Ivan.

      Thanks for sharing.

      Unfortunately Windows 8 is missing gpedit.msc. Only Windows 8 Pro has this editor.

      Author's profile photo Former Member
      Former Member

      Please have a look at my Blog:

      Avoid Certification Selection Popup in Google Chrome

      There is no solution for the Windows Home/Ultimate/etc - non - pro editions.
      within these editions not only the gpedit.msc (group policy editor) is missing, but also the GroupPolicyAPI, which is used by chrome, is dead (no operation).

      🙁

      regards

      Peter

      Author's profile photo Former Member
      Former Member

      Thanks Peter,

      I tryed the tool you mentioned and it created the registry entries, but it didn't work. I think the problem is that Chrome doesn't read the registry entries any more. See this note in the Chrome page:

      Note: starting with Chrome 28, policies are loaded directly from the Group Policy API on Windows. Policies manually written to the registry will be ignored. See http://crbug.com/259236 for details. [source: Policy List - The Chromium Projects]

      Regards,

      Geraldo

      Author's profile photo Former Member
      Former Member

      HI Geraldo,

      thanks for your feedback.

      Very interesting!

      My Chrome installation (version Version 32.0.1700.102 m) is still reading from the registry.

      Would it be possible for you to check two things:

      1. run www.sysinternals.com's procmon.exe with filter "Process Name is chrome.exe"
        1. close all chrome windows
        2. Start chrome and try connect to http://service.sap.com/notes
        3. Stop collecting information in procmon.exe and export the result to a file
      2. what is chrome showing to you if you type chrome://Policy in the address bar?

      Thanks for helping me.

      regards

      Peter

      Author's profile photo Former Member
      Former Member

      Hi Peter,

      My Chrome version is the same (32.0.1700.102 m).

      I did the test you requested. The result file is in this link: http://goo.gl/J3usig

      If I type chrome://policy it shows that nothing is defined.

      Regards,

      Geraldo

      Author's profile photo Ivan Vazharov
      Ivan Vazharov
      Blog Post Author

      I confirm that direct modification in the Windows registry is not working for versions >=28. This is the reason I ignored this approach when I wrote this guide. I have tried on multiple workstations and it was simply not working.

      For some people with version >=35 and workstation joined to an Active Directory domain the registry modification may work.

      For more information: Policy List - The Chromium Projects

      Author's profile photo Boris Tsirulnik
      Boris Tsirulnik

      It's possible to use regular expressions so no need to add every single host in the settings.

      I also had to change the issuer to "SSO_CA".

      I used these lines:

      {"pattern":"https://*.sap.corp","filter":{"ISSUER":{"CN":"SSO_CA"}}}

      {"pattern":"https://*.sap.com","filter":{"ISSUER":{"CN":"SSO_CA"}}}

      {"pattern":"https://*.sap-ag.de","filter":{"ISSUER":{"CN":"SSO_CA"}}}

      Regards,

      Boris

      Author's profile photo Ivan Vazharov
      Ivan Vazharov
      Blog Post Author

      These doesn't work for me. In fact it was the first thing I tried.

      Edit: It turns out that it actually works! Maybe I did some mistake the first time I tried. Thanks a lot!

      Author's profile photo Former Member
      Former Member

      Try chrome://policy on chrome and check if the policies are actually loaded. If they are loaded then it should work.

      Author's profile photo Former Member
      Former Member

      And BTW you should use [*.] and not just * for pattern matching.

      {"pattern":"[*.]sap.corp","filter":{"ISSUER":{"CN":"SSO_CA"}}}

      {"pattern":"[*.]sap.com","filter":{"ISSUER":{"CN":"SSO_CA"}}}

      {"pattern":"[*.]sap-ag.de","filter":{"ISSUER":{"CN":"SSO_CA"}}}

      Author's profile photo Guilherme Dellagustin
      Guilherme Dellagustin

      This worked for me (the [*.] as a pattern).

      Author's profile photo Former Member
      Former Member
      Author's profile photo Liang Wang
      Liang Wang

      I am using Mac. I find another useful way to let system automatically select SAP client certificates. Please check this link http://productforums.google.com/forum/#!topic/chrome/7yOZ6OFuPaw

      Author's profile photo Praveen Sathya Prakash
      Praveen Sathya Prakash

      Ivan! You're a life saver! Thanks a ton!

      Author's profile photo Satheesh Ilu
      Satheesh Ilu

      Thank you Ivan !  Works like a charm. I used the below three only and it covers everything.

      {"pattern":"[*.]sap.corp","filter":{"ISSUER":{"CN":"SSO_CA"}}}

      {"pattern":"[*.]sap.com","filter":{"ISSUER":{"CN":"SSO_CA"}}}

      {"pattern":"[*.]sap-ag.de","filter":{"ISSUER":{"CN":"SSO_CA"}}}

      Author's profile photo Former Member
      Former Member

      Work perfectly. Thank you a lot.

      Author's profile photo Former Member
      Former Member

      Thanks a lot guys!

      I prefer the second one, but the first one also works.

      How to automatically select SAP client certificate in Google Chrome

      Avoid Certification Selection Popup in Google Chrome

      Simply create a text file rename it to cert.reg and execute it.

      cert.reg

      Windows Registry Editor Version 5.00
      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls]
      "1"="{\"pattern\":\"https://[*.]wdf.sap.corp\",\"filter\":{\"ISSUER\":{\"CN\":\"SSO_CA\"}}}"
      "2"="{\"pattern\":\"http://[*.]wdf.sap.corp\",\"filter\":{\"ISSUER\":{\"CN\":\"SSO_CA\"}}}"
      
      
      Author's profile photo Former Member
      Former Member

      Hi Ivan Vazharov,

      Thanks a lot.

      It is working perfect 🙂

      Regards

      Sudhir Sadhu

      Author's profile photo Former Member
      Former Member

      Thank you for sharing!!

      Author's profile photo Former Member
      Former Member

      Great instructions!  Thanks!

      Author's profile photo Yin Huang
      Yin Huang

      Thanks a lot. Finally it works with below entries.

      {"pattern":"[*.]sap.corp","filter":{"ISSUER":{"CN":"SSO_CA"}}}

      {"pattern":"[*.]sap.com","filter":{"ISSUER":{"CN":"SSO_CA"}}}

      {"pattern":"[*.]sap-ag.de","filter":{"ISSUER":{"CN":"SSO_CA"}}}

      Author's profile photo Former Member
      Former Member

      Thanks for sharing. It helps a lot!

      Author's profile photo Guilherme Dellagustin
      Guilherme Dellagustin

      Thanks, this work very well and it is really easy to do.

      Author's profile photo Guilherme Dellagustin
      Guilherme Dellagustin

      Very good article, simple to follow and with a very useful content.

      Points for improvement: Update the article with valuable information that can be found in the comments such as usage of patterns for domain selection and information for MAC users.

      Author's profile photo Ivan Vazharov
      Ivan Vazharov
      Blog Post Author

      Done.

      Author's profile photo Guilherme Dellagustin
      Guilherme Dellagustin

      Thanks, looks great now. I raised the rating to 5 stars.

      Author's profile photo Former Member
      Former Member

      Great thanks! It works!

      Author's profile photo Ruediger Stoecker
      Ruediger Stoecker

      Ivan, thanks a lot for this detailed description. It works very well and I am no longer bothered by (several) certificate selections.

      Author's profile photo Pradeep Kodihalli Satish
      Pradeep Kodihalli Satish

      I followed it in my windows 7 system and works well. Thanks for the steps!!

      Author's profile photo Johann Dornbach
      Johann Dornbach

      this is one of these posts that take 5 minutes to implement, and consecutively make life much, much easier, saving tons of clicks (and frustration).

      GREAT GREAT GREAT!

      THANKS!

      Author's profile photo Dimiter Simov
      Dimiter Simov

      Excellent!

      Author's profile photo Adithya K Bhagavan
      Adithya K Bhagavan

      Perfect. Pop ups stopped. excellent solution.

      Author's profile photo Cherry Liang
      Cherry Liang

      Awsome post! Finally stopped the annoyoing pop up! Thank you!

      Author's profile photo Shrinivas Gadde
      Shrinivas Gadde

      For Mac OS X Yosemite users updating com.google.Chrome.plist or com.google.Chrome.manifest will not help. To make it work in Yosemite execute below four commands in terminal app to have the Chrome policy updated:

      defaults write com.google.Chrome AutoSelectCertificateForUrls -array

      defaults write com.google.Chrome AutoSelectCertificateForUrls -array-add -string '{"pattern":"[*.]sap.corp","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}'

      defaults write com.google.Chrome AutoSelectCertificateForUrls -array-add -string '{"pattern":"[*.]sap.com","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}'

      defaults write com.google.Chrome AutoSelectCertificateForUrls -array-add -string '{"pattern":"[*.]sap-ag.de","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}'

      You can verify the policy update by opening URL chrome://policy/ in Chrome browser.

      Screen Shot 2015-04-01 at 19.32.44.png

      Author's profile photo Former Member
      Former Member

      Thanks a lot Ivan. This works exactly as described. I was looking for this since a long time now 🙂

      Author's profile photo Dave Cucura
      Dave Cucura

      Finally worked for me too after a lot of trial and error!

      Simply adding:

      {"pattern":"[*.]sap.corp","filter":{"ISSUER":{"CN":"SSO_CA"}}}

      {"pattern":"[*.]sap.com","filter":{"ISSUER":{"CN":"SSO_CA"}}}

      {"pattern":"[*.]sap-ag.de","filter":{"ISSUER":{"CN":"SSO_CA"}}}

      into the AutoSelectCertificateForUrls Chrome registry key does work. Thank goodness because darn was that annoying.

      Author's profile photo Helen Oakley
      Helen Oakley

      Thank you very much! Steps worked for me after reloading policies at chrome://policy

      Author's profile photo Annette Klute
      Annette Klute

      Thanks a lot for this post, unfortunately this does not work for me. I tried entering the 3 patterns, also tried excaping the double quotes, but that did not help.

      I have chrome Version 50.0.2661.87

      Update: I figured out what was wrong. I added https:// before [*.]sap.corp. That did the trick.

      Author's profile photo Junjie Hu
      Junjie Hu

      Hi, works perfectly on my Mac OS X.  Thanks a lot.

       

      Author's profile photo Jonathan Dees
      Jonathan Dees

      This does not work on UBUNTU (Linux) - does anybody has instructions to make this work on linux?

      Author's profile photo Christian Grail
      Christian Grail

      For the new Chromium based Microsoft Edge you can just copy "com.google.Chrome.plist" into the file "com.microsoft.Edge.plist" and it will for work for the new Microsoft Edge too.

       

      Author's profile photo Marco Dal Moro
      Marco Dal Moro

      As of 2020 the whole thing is different. I was trying to replicate the same for Brave Browser but it's a mess.
      First of all, the CA seems now to be "SAP SSO CA G2".

      Having said this Chrome seems to have its PLIST file created automatically now and it uses a way to parse info that is not human friendly:

      bplist00fl	
      
       "*,/0_PasswordManagerEnabled^ShowHomeButton_RestoreOnStartup_AuthNegotiateDelegateWhitelist_BookmarkBarEnabled_ImportBookmarks_WelcomePageOnOSUpgradeEnabled_PluginsAllowedForUrls_ImportSearchEngine]ImportHistory_AuthServerWhitelist_DefaultBrowserSettingEnabled_PopupsAllowedForUrls_CookiesAllowedForUrls_RestoreOnStartupURLs_HomepageIsNewTabPage_HomepageLocation_AutoSelectCertificateForUrls	_"*.sap.com,*.sap.corp"	£_[*.]broadcast.co.sap.com^[*.]sapjam.com_[*.]pgiconnect.com	_"*.sap.com,*.sap.corp"ß#$%&'()_[*.]global.corp.sap_[*.]mymeetingroom.com_[*.]ondemand.com][*.]sap-ag.de[[*.]sap.com\[*.]sap.corp_[*.]sapbusinessobjects.cloud°+[[*.]sap.com°-[about:blank[about:blankØ123456789:;<=>?@_E{"pattern":"[*.]corp.sap","filter":{"ISSUER":{"CN":"SAP SSO CA G2"}}}_I{"pattern":"[*.]easymath.com","filter":{"ISSUER":{"CN":"SAP SSO CA G2"}}}_O{"pattern":"[*.]executiveboard.com","filter":{"ISSUER":{"CN":"SAP SSO CA G2"}}}_J{"pattern":"[*.]expurgate.net","filter":{"ISSUER":{"CN":"SAP SSO CA G2"}}}_L{"pattern":"[*.]hotelbooker.org","filter":{"ISSUER":{"CN":"SAP SSO CA G2"}}}_D{"pattern":"[*.]int.sap","filter":{"ISSUER":{"CN":"SAP SSO CA G2"}}}_N{"pattern":"[*.]mymeetingroom.com","filter":{"ISSUER":{"CN":"SAP SSO CA G2"}}}_I{"pattern":"[*.]ondemand.com","filter":{"ISSUER":{"CN":"SAP SSO CA G2"}}}_F{"pattern":"[*.]sap-ag.de","filter":{"ISSUER":{"CN":"SAP SSO CA G2"}}}_D{"pattern":"[*.]sap.com","filter":{"ISSUER":{"CN":"SAP SSO CA G2"}}}_E{"pattern":"[*.]sap.corp","filter":{"ISSUER":{"CN":"SAP SSO CA G2"}}}_N{"pattern":"[*.]sapbrandtools.com","filter":{"ISSUER":{"CN":"SAP SSO CA G2"}}}_G{"pattern":"[*.]sapjam.com","filter":{"ISSUER":{"CN":"SAP SSO CA G2"}}}_O{"pattern":"[*.]successfactors.com","filter":{"ISSUER":{"CN":"SAP SSO CA G2"}}}_N{"pattern":"[*.]successfactors.eu","filter":{"ISSUER":{"CN":"SAP SSO CA G2"}}}_O{"pattern":"[*.]transferbooker.org","filter":{"ISSUER":{"CN":"SAP SSO CA G2"}}}/HWjã†≤“͡
      #BYqàü≤—“”’ÓÔÒı456OPXnÜôß≥¿fl·ÌÔ˚¸cØNù‰5Å Y™ÙFóAÈ

      I tried to duplicate it and rename it as com.brave.Browser.plist but as soon as you launch Brave the plist is instantly deleted. I assume that those strange character at the end make it very Chrome specific.

       

      Author's profile photo Stefan Jesse
      Stefan Jesse

      Hi Marco, you can edit it with Xcode's PLIST editor. Just double-click in Finder with Xcode installed.

      Author's profile photo Matthias Nott
      Matthias Nott

      Coming back to this thread; this still works under Monterey and with Brave. Just

       

      cd /Library/Managed\ Preferences/$USER/
      
      sudo cp com.google.Chrome.plist com.brave.Browser.plist

       

      Then restart Brave and verify under

       

      chrome://policy