Whitelisting “Unsecure” Websites in Recent Versions of Chrome for macOS
The latest versions of Chrome (from v57 forward I believe) perform extra checking on websites. This may lead you to encounter “Your connection is not private” and “NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED” warnings when visiting sites that are known safe.
Example:
What generates the alert is that not all companies (mine included) implement our web certificates the way Chrome now expects. Something to do with Chrome and OpenSSL using different trusted root CA’s which makes the trust chain slightly different. To be fair, Chrome now checks this to prevent spoofing and MIM attacks, but it results in false errors and causes Chrome to stop offering to store passwords. Annoying.
Googling how to stop these errors yields many red herrings but few actual results. For example, Chrome v53 did this to many users but v54 fixed it, and you’ll trip over this while searching, as well as Android and Linux posts that don’t help. This post is my attempt to document the actual solution for others who are searching for it.
To whitelist a domain in Chrome, ensure the com.google.chrome.plist file in /Library/Preferences contains:
<key>CertificateTransparencyEnforcementDisabledForUrls</key> <array> <string>[your.domain]</string> <string>[your.domain2]</string> <string>[your.domain3]</string> </array>
You can put as many or as few entries in the array as you like.
Note: Before you try to view com.google.chrome.plist, be aware it is in binary mode. Use this command to convert it to human-readable format:
plutil -convert xml1 com.google.Chrome.plist
The AuthNegotiateDelegateWhitelist key should be persistent and survive Chrome updates. The plist conversion to xml will not.
Kurt Tappe 