when connecting with Google Chrome to a website which uses a certificate for identification you always get the certificate selection popup:
In Microsoft’s Internet Explorer you are able to automatically suppress this popup via Internet Explorer Settings.
In Google Chrome you can also suppress the certificate selection popup. Unfortunately, the procedure is not that easy and comfortable as it is in IE.
In short words: this settings can be configured for Google Chrome as a Group Policy within Windows administration.
The advantage: this allows you to define this kind of settings for your complete company using domain policies.
The bad thing: if this settings is not defined as a domain policy you have to define it locally, which needs administrative access to the Windows registry. Furthermore there is no way to use this feature on non-professional Windows editions, because not only gpedit.msc is missing but also the complete GroupPolicy API is dead or pointing into NOP-functions.
In order to simplify this setting on your workstation I have written a powershell module, which is attached to this blog.
The script is provided as is – no warranty, no support.
If you have questions, please use the Windows forum.
How to work with the script?
- Download the attached text file and rename it to the file extension .psm1 .
- Start a powershell with elevation (Right Click on Start – All Programs – Accessories – Windows Powershell – Windows Powershell –> Run as Administrator
- Run following command to load the module and get help about the provided functions
Import-Module <CompletePathTo>\ChromeTools.psm1 Get-Command -module chrometools # getting help on a single function Get-Help Add-ChromeAutoselectCert -full - Now you can add the SAP websites on a very easy way:
Add-ChromeAutoselectCert -wildcard
If you prefer not to work using wildcard urls you can use the -detailed instead of -wildcard
You can also use the tool to add a different website (for example from your intranet) using an different CN.
Example:
To avoid the popup shown above you just run the command
Add-ChromeAutoselectCert -url "https://websmp103.sap-ag.de" -CN "SAP Passport CA"
Example:
To use autoselected certificates on all servers in sap-ag.de with a CA show in the Certification Selection Popup (example see screenshot):
Add-ChromeAutoselectCert -url "[*.]sap-ag.de" -CN "a different CA - see Screenshot above"
By the way: Windows Powershell does support auto-expansion on commands and parameter names by pressing the TAB key.
Try to type Add-Chr<tab> -<tab> 😉
Have fun with it!
References:
Group Policy Concept for Chrome
Hi Peter,
Any possibility how could I implement this solution w/o having administration right to my WIN?
Thanks,
m./
unfortunately not!
You have to contact an administrator to run this script or to modify the access to
HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\AutoselectCertificateForUrls and grant write access to you on this registry key.
kind regards
peter
Here's a much easier way. Save the following as a file with the .reg extension, then double-click it to add the keys to the registry:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls] "1"="{\"pattern\":\"https://[*.]sap-ag.de\",\"filter\":{\"ISSUER\":{\"CN\":\"SAP Passport CA\"}}}" "2"="{\"pattern\":\"https://[*.]sap.com\",\"filter\":{\"ISSUER\":{\"CN\":\"SAP Passport CA\"}}}"Hi Sean,
this is exactly what the script does.
But the script is more convenient for the people not familiar with the registry and registry editor.
kind regards
Peter
Any tips for Mac users? I tried some stuff, but without success!
Regards,
Simmaco
Hi Simmaco,
did you check this thread already?
There was a solution listed for MAC.
Yes, I tried a lot of things, even with the Workgroup Manager as described here without any success. By the way, it seems that this is the only available way for MAC users, but in my case it didn't work. Maybe because with this tool I can just change Chrome preferences for "sap" user (501) and not for my user (this is even strange!).
Simmaco
Hi Simmanco,
if the problem is still there, you could check out Yang Zhaos post in JAM "File to remove certificate popup from Chrome on Mac".
Pascal
Thanks, Pascal! I was able to fix my issue.
Regards,
Simmaco
cool, very useful, I love this tool!!
I am unable to get this to work with the latest Chrome (version 35). The latest documentation seems to imply that the registry key has changed to:
Software\Policies\Chromium\AutoSelectCertificateForUrls
I tried to modify the attached script, but the it still reverts to original registry path of:
HKLM:\Software\Policies\Google\Chrome\AutoSelectCertificateForUrls
I wonder if I need to re-install my modified script or uninstall the original an then install mine?
However, in the meantime, I tried to manually add the keys to the new path:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Chromium\AutoSelectCertificateForUrls]
"1"="{\"pattern\":\"https://[*.]wdf.sap.corp\",\"filter\":{\"ISSUER\":{\"CN\":\"I826607\"}}}"
"2"="{\"pattern\":\"http://[*.]wdf.sap.corp\",\"filter\":{\"ISSUER\":{\"CN\":\"I826607\"}}}"
But this does not work either 🙁
Here is what Chome displays for my certificate:
If anybody has any thoughts, I would like to hear from you...
Thanks
Mark
It works fine for me and here's my "About" information:
Version 35.0.1916.114 m
Got it working, here is my reg file:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls]
"1"="{\"pattern\":\"https://[*.]wdf.sap.corp\",\"filter\":{\"ISSUER\":{\"CN\":\"SSO_CA\"}}}"
"2"="{\"pattern\":\"http://[*.]wdf.sap.corp\",\"filter\":{\"ISSUER\":{\"CN\":\"SSO_CA\"}}}"
Mark
Thanks a lot guys!
I prefer the second one, but the first one also works.
How to automatically select SAP client certificate in Google Chrome
Avoid Certification Selection Popup in Google Chrome
cert.reg
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls] "1"="{\"pattern\":\"https://[*.]wdf.sap.corp\",\"filter\":{\"ISSUER\":{\"CN\":\"SSO_CA\"}}}" "2"="{\"pattern\":\"http://[*.]wdf.sap.corp\",\"filter\":{\"ISSUER\":{\"CN\":\"SSO_CA\"}}}"Hello,
I tried this solution and it didn't work. According to comments in other post this is related to Chromes version.
It would be interesting if your post would also direct to http://scn.sap.com/blogs/ivazharov/2013/10/22/how-to-automatically-select-sap-client-certificate-in-google-chrome
this method worked for me.
Best Regards,
Guilherme.
Hey Peter,
thanks a ton! Works like a breeze.
Best regards,
Zoltán
Hi,
How to automatically select SAP client certificate in Google Chrome
This is easy process to do.
Best Regards,
Hasan
Hi Peter,
I have the opposite problem: I WANT to get the SSO certificate popup. Why? Because I have to use SAP Service Marketplace sometimes not with my internal SAP employee D-user, but with a customer's S-user. So I have to be able to decline the automatic sign on.
With https://service.sap.com that worked fine - I get the popup and I can either confirm the popup to accept the certificate logon, or decline it. Then I get the normal logon popup with user and password. Chrome even remembers the (manual) user/pw if this feature is enabled.
But now with the new service portal support.sap.com I don't get the popup anymore! I get logged on with my SAP D-user automatically and silently. If I log out and on again, the same - no popup, and SSO logon.
How can I get the popup for support.sap.com?
I checked my registry. Under HKEY_LOCAL_MACHINE\SOFTWARE\Policies there is no entry "Google".
I also tried your Powershell module, but miss the option to list the websites that are currently enabled for certificate logon. So I don't know what to remove (and according to the registry there is nothing to remove, I'm afraid ...).
Best regards,
Peter
Hi Peter,
I have the same question as Peter Muthsam. I have an S-User account that I need to log into the www.service.sap.com. However, I keep being logged in automatically with I# certificate.
Best regards,
Bob
I have the same problem, which all the CESMs are now encountering since an automatic update of Chrome happened recently.
I have my "I" Number certificate, plus several "S" User certificates in my SAP Passport, one for each of my customers.
I need to be able to select the appropriate certificate to access the SAP Support Portal (SSP) acting as a customer.
Hello,
I am also facing the same problem.
Do we have any workaround/fix for this issue.
Regards,Sahil