
When you connect with Google Chrome to a website that uses a certificate for identification, you always get the certificate selection popup:

ChromeCert.jpg

In Microsoft’s Internet Explorer you are able to automatically suppress this popup via Internet Explorer Settings.

In Google Chrome you can also suppress the certificate selection popup. Unfortunately, the procedure is not as easy and comfortable as it is in IE.

In short: this setting can be configured for Google Chrome as a Group Policy within Windows administration.

The advantage: this allows you to define this kind of setting for your complete company using domain policies.

The bad thing: if this setting is not defined as a domain policy, you have to define it locally, which needs administrative access to the Windows registry. Furthermore, there is no way to use this feature on non-professional Windows editions, because not only is gpedit.msc missing but the complete GroupPolicy API is also dead or pointing into NOP functions.

In order to simplify this setting on your workstation I have written a PowerShell module, which is attached to this blog.

The script is provided as is – no warranty, no support.

If you have questions, please use the Windows forum.

How to work with the script?

  1. Download the attached text file and rename it to the file extension .psm1.
  2. Start a PowerShell with elevation (Right Click on Start – All Programs – Accessories – Windows PowerShell – Windows PowerShell –> Run as Administrator).
  3. Run the following commands to load the module and get help about the provided functions:

    Import-Module <CompletePathTo>\ChromeTools.psm1
    Get-Command -module chrometools
    # getting help on a single function
    Get-Help Add-ChromeAutoselectCert -full

  4. Now you can add the SAP websites in a very easy way:

    Add-ChromeAutoselectCert -wildcard

If you prefer not to work with wildcard URLs, you can use -detailed instead of -wildcard.

You can also use the tool to add a different website (for example from your intranet) using a different CN.

Example:
To avoid the popup shown above, you just run the command

    Add-ChromeAutoselectCert -url "https://websmp103.sap-ag.de" -CN "SAP Passport CA"

Example:

To use autoselected certificates on all servers in sap-ag.de with a CA shown in the certificate selection popup (for an example, see the screenshot):

    Add-ChromeAutoselectCert -url "[*.]sap-ag.de" -CN "a different CA - see Screenshot above"

By the way: Windows PowerShell supports auto-expansion of command and parameter names when you press the TAB key.

Try to type Add-Chr<tab> -<tab> 😉

Have fun with it!
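To review which sites are set to present a client certificate without a prompt, the policy entries can be listed read-only. The following PowerShell is an added example, not part of the attached ChromeTools module: the function names ConvertFrom-AutoSelectEntry and Get-ChromeAutoSelectPolicy are hypothetical, the sample values are constructed, and the registry path is the one quoted in the comments on this post.

```powershell
# Added example (not from ChromeTools.psm1): read-only review of auto-select entries.
function ConvertFrom-AutoSelectEntry {
    param([string] $Name, [string] $Value, [string] $Source = 'constructed sample')
    $notes = @()
    $pattern = ''
    $issuerCN = ''
    try {
        # Each policy value is one JSON object: {"pattern":..., "filter":{"ISSUER":{"CN":...}}}
        $entry    = $Value | ConvertFrom-Json -ErrorAction Stop
        $pattern  = [string] $entry.pattern
        $issuerCN = [string] $entry.filter.ISSUER.CN
    } catch {
        $notes += 'value is not valid JSON'
    }
    if ($notes.Count -eq 0) {
        if (-not $pattern)  { $notes += 'no pattern' }
        if (-not $issuerCN) { $notes += 'no ISSUER CN filter: selection is not limited to one CA' }
        if ($pattern -like 'http://*') { $notes += 'http pattern: client certificates are only requested over TLS' }
        if ($pattern.Contains('[*.]')) { $notes += 'wildcard: matches the domain and all its subdomains' }
    }
    [pscustomobject]@{
        Source = $Source; Name = $Name; Pattern = $pattern
        IssuerCN = $issuerCN; Review = ($notes -join '; ')
    }
}

function Get-ChromeAutoSelectPolicy {
    param([string] $Path = 'HKLM:\Software\Policies\Google\Chrome\AutoSelectCertificateForUrls')
    if (-not (Test-Path -Path $Path)) { return }   # policy not configured under this key
    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        ConvertFrom-AutoSelectEntry -Name $name -Value ([string] $key.GetValue($name)) -Source $Path
    }
}

# Constructed sample values in the format the policy uses (illustrative only).
$samples = [ordered]@{
    '1' = '{"pattern":"https://[*.]sap-ag.de","filter":{"ISSUER":{"CN":"SAP Passport CA"}}}'
    '2' = '{"pattern":"http://[*.]wdf.sap.corp","filter":{"ISSUER":{"CN":"SSO_CA"}}}'
    '3' = '{"pattern":"https://intranet.example","filter":{}}'
}
$samples.GetEnumerator() |
    ForEach-Object { ConvertFrom-AutoSelectEntry -Name $_.Key -Value $_.Value } |
    Format-List

# On a workstation, list what is actually configured:
Get-ChromeAutoSelectPolicy | Format-List
```

Entries with a non-empty Review field are the ones to look at before keeping them in a machine-wide policy.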

References:

Group Policy Concept for Chrome

AutoSelectCertificateForUrls Documentation

Group Policy Templates for Chromium


21 Comments


    1. Peter Simon Post author

      unfortunately not!

      You have to contact an administrator to run this script or to modify the access to

      HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\AutoselectCertificateForUrls and grant write access to you on this registry key.

      kind regards

      peter

      (0) 
  1. Sean Morgan

    Here’s a much easier way. Save the following as a file with the .reg extension, then double-click it to add the keys to the registry:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls]
    "1"="{\"pattern\":\"https://[*.]sap-ag.de\",\"filter\":{\"ISSUER\":{\"CN\":\"SAP Passport CA\"}}}"
    "2"="{\"pattern\":\"https://[*.]sap.com\",\"filter\":{\"ISSUER\":{\"CN\":\"SAP Passport CA\"}}}"
    (0) 
    1. Peter Simon Post author

      Hi Sean,

      this is exactly what the script does.

      But the script is more convenient for the people not familiar with the registry and registry editor.

      kind regards

      Peter

      (0) 
      1. Simmaco Ferriero

        Yes, I tried a lot of things, even with the Workgroup Manager as described here without any success. By the way, it seems that this is the only available way for MAC users, but in my case it didn’t work. Maybe because with this tool I can just change Chrome preferences for “sap” user (501) and not for my user (this is even strange!).

        Simmaco

        (0) 
  2. Mark Delafranier

    I am unable to get this to work with the latest Chrome (version 35).   The latest documentation seems to imply that the registry key has changed to:

         Software\Policies\Chromium\AutoSelectCertificateForUrls

    I tried to modify the attached script, but it still reverts to the original registry path of:

         HKLM:\Software\Policies\Google\Chrome\AutoSelectCertificateForUrls

    I wonder if I need to re-install my modified script or uninstall the original and then install mine?

    However, in the meantime, I tried to manually add the keys to the new path:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Chromium\AutoSelectCertificateForUrls]
    "1"="{\"pattern\":\"https://[*.]wdf.sap.corp\",\"filter\":{\"ISSUER\":{\"CN\":\"I826607\"}}}"
    "2"="{\"pattern\":\"http://[*.]wdf.sap.corp\",\"filter\":{\"ISSUER\":{\"CN\":\"I826607\"}}}"

    But this does not work either 🙁

    Here is what Chrome displays for my certificate:

    Capture.PNG

    If anybody has any thoughts, I would like to hear from you…

    Thanks

    Mark

    (0) 
  3. Mark Delafranier

    Got it working, here is my reg file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls]
    "1"="{\"pattern\":\"https://[*.]wdf.sap.corp\",\"filter\":{\"ISSUER\":{\"CN\":\"SSO_CA\"}}}"
    "2"="{\"pattern\":\"http://[*.]wdf.sap.corp\",\"filter\":{\"ISSUER\":{\"CN\":\"SSO_CA\"}}}"

    Mark

    (0) 
  4. Thomas Froehlich

    Thanks a lot guys!

    I prefer the second one, but the first one also works.

    How to automatically select SAP client certificate in Google Chrome

    Avoid Certification Selection Popup in Google Chrome

    cert.reg

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls]
    "1"="{\"pattern\":\"https://[*.]wdf.sap.corp\",\"filter\":{\"ISSUER\":{\"CN\":\"SSO_CA\"}}}"
    "2"="{\"pattern\":\"http://[*.]wdf.sap.corp\",\"filter\":{\"ISSUER\":{\"CN\":\"SSO_CA\"}}}"
    
    
    (0) 
  5. Peter Muthsam

    Hi Peter,

    I have the opposite problem: I WANT to get the SSO certificate popup. Why? Because I have to use SAP Service Marketplace sometimes not with my internal SAP employee D-user, but with a customer’s S-user. So I have to be able to decline the automatic sign on.

    With https://service.sap.com that worked fine – I get the popup and I can either confirm the popup to accept the certificate logon, or decline it. Then I get the normal logon popup with user and password. Chrome even remembers the (manual) user/pw if this feature is enabled.

    But now with the new service portal support.sap.com I don’t get the popup anymore! I get logged on with my SAP D-user automatically and silently. If I log out and on again, the same – no popup, and SSO logon.

    How can I get the popup for support.sap.com?

    I checked my registry. Under HKEY_LOCAL_MACHINE\SOFTWARE\Policies there is no entry “Google”.

    I also tried your Powershell module, but miss the option to list the websites that are currently enabled for certificate logon. So I don’t know what to remove (and according to the registry there is nothing to remove, I’m afraid …).

    Best regards,

    Peter

    (0) 
    1. Malcolm Booth

      I have the same problem, which all the CESMs are now encountering since an automatic update of Chrome happened recently.

      I have my “I” Number certificate, plus several “S” User certificates in my SAP Passport, one for each of my customers.

      I need to be able to select the appropriate certificate to access the SAP Support Portal (SSP) acting as a customer.

      (0) 
