Prevent Internet Explorer from caching SSL client certificates

06
2014-04
  • Moses

    I use a particular HTTPS website, but I have two separate client certificates that I use to authenticate (sometimes I use one account, which requires certificate A, and sometimes a different one, which needs certificate B).

    Internet Explorer caches SSL certificates on a per-domain basis, so in order to change to the other certificate, I have to clear the SSL Cache in Internet Options.

    Is there any way that I could prevent Internet Explorer from caching SSL certificates for domains?

    If not, is there a way that I could clear the SSL cache through a script or command?

    I'm using Windows 7, Internet Explorer 9.

  • Answers
  • harrymc

    The thread Clear SSL State using vbscript contains this command:

    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 3
    

    The thread how to clear authentication cache on ie7 with Javascript? advises pasting this into the address bar:

    javascript:void(document.execCommand('ClearAuthenticationCache'));
    
  • jaraics

    Install both certificates, select the one that you use mostly the next time you visit the site, and then use "InPrivate Browsing" (CTRL+SHIFT+P, or via the menu) whenever you need to use the other one.

    InPrivate browsing is as if you had cleared all cache and history and started with a brand new (previously unused) browser.


  • Related Question

    Add permanent SSL certificate exception in Chrome (Linux)
  • ℝaphink

    I have a problem with a website that has an SSL certificate which doesn't correspond to the website domain. Chrome gives me a warning for this website (and rightly so), which I have to ignore manually. Every time I restart Chrome, I need to ignore the certificate issue again.

    I've tried adding the certificate as a trusted one with certutil, using C,, and P,, trustargs, but it doesn't work. I can't find a set of trustargs that will tell it to ignore which domain is using the certificate.

    Is there a way to tell Chrome (or certutil) to trust this certificate whatever domain uses it?


  • Related Answers
  • nickf

    This is a summary of the answers from the thread
    Disable Google Chrome warning if security certificate is not trusted.

    You can avoid the message for trusted sites by installing the certificate.
    This can be done by clicking on the warning icon in the address bar, then click
    Certificate Information -> Details Tab -> Export...
    Save the certificate.

    Use Chrome's Preferences -> Under The Hood -> Manage Certificates -> Import.
    On the "Certificate Store" screen of the import, choose "Place all certificates in the following store" and browse for "Trusted Root Certification Authorities." Restart Chrome.

  • harrymc

    Please have a look at this thread:
    Can't convince Chrome that my Tivo's self signed certificate is ok.

    The article remarks that:

    You need to specify the "C,," trust flags to work around the NSS bug.

    If this thread does relate to your problem, it looks like this is a known bug in Chrome, where the "P,," trust flag is not working: libpkix ignores the P (trusted peer) trust flag

    I hope this helps (I'm answering a bit blindly, since I'm not on Linux).

  • Jonathan Day

    Google Chrome in Linux doesn't have an SSL certificate manager; it relies on the NSS Shared DB. In order to add SSL certificates to the database you will have to use the command line. I will explain how you can add the CAcert certificates and a very easy way to add self-signed certificates.

    Please have a look at this thread: blog.avirtualhome.com/2010/02/02/adding-ssl-certificates-to-google-chrome-linux-ubuntu/

  • Attila O.

    Have you tried using the trusttags "TCP,,"?

  • Tundrome

    Using Chrome Version 23.0.1271.97 on Linux:

    1. First click on the certificate warning and export the certificate to your file system. (Connection > Certificate Information > Details > Export)
    2. Then use certutil in order to add this saved certificate as a trusted peer:

      certutil -d sql:$HOME/.pki/nssdb -A -t P -n <certificate nickname> -i <certificate filename>
      
    3. Restart Chrome and you're done.

  • Treviño

    The only way I got it working in Chromium with Ubuntu Linux is using this certutil command line:

    certutil -d sql:$HOME/.pki/nssdb -A -t "CP,CP," -n CertNickName -i cert_file.crt