Using a custom PEM certificate for SSL validation

In some environments, Chromium may reject a server’s certificate if it cannot be validated using the system’s built-in certificate authorities. This is common in enterprise networks, development environments with self-signed certificates, or internal services using non-public certificate chains.

To address this, Equo Chromium allows you to provide a specific .pem certificate that Chromium will use to verify the server. If the provided certificate matches what the server presents, the connection is allowed.

Usage

To set the custom certificate, specify the path to your PEM certificate using the following system property:

-Dswt.chromium.ssl=/path/to/cert.pem

Replace /path/to/cert.pem with the absolute path to your certificate file. This configuration must be set before any Chromium-based browser instance is created.

How it works

When this property is set, Chromium will compare the provided .pem certificate with the certificate offered by the server during the SSL handshake. If they match exactly, Chromium proceeds with the connection despite the absence of a valid certificate chain.

This is particularly useful for:

  • Testing with self-signed certificates.

  • Accessing internal services with custom or untrusted CAs.

  • Bypassing validation errors during development or diagnostics.

The certificate file must be in PEM format: a Base64-encoded certificate (.crt or .cer) wrapped in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, typically used on Unix-based systems.

Obtaining a PEM certificate

You can download a server’s certificate using a web browser or via openssl from the command line.

Use the following openssl command to retrieve and save the certificate from a given server:

echo -n | openssl s_client -connect example.com:443 | openssl x509 > cert.pem

This will output the server’s certificate in PEM format and save it as cert.pem.
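
Added example (not part of the Equo Chromium documentation or its code): because the pinned file is accepted without a valid chain, a check like this can confirm that cert.pem carries the SHA-256 fingerprint you obtained out of band and still equals what the server presents. The function names, the single-certificate requirement and the sample bytes are assumptions of this example.

```python
import base64, hashlib, hmac, re, ssl, sys

# Constructed placeholder bytes (NOT a real certificate), wrapped as PEM so the
# helpers below can be exercised offline.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Decode the single certificate in pem_text to DER bytes.

    Assumption of this example: the pin file holds exactly one certificate,
    which is what the openssl pipeline above writes. Zero or several blocks
    (for example a pasted chain) are rejected instead of silently using one.
    """
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly 1 certificate, found {len(blocks)}")
    return base64.b64decode("".join(blocks[0].split()), validate=True)

def sha256_fingerprint(pem_text):
    """Lower-case hex SHA-256 of the DER encoding."""
    return hashlib.sha256(pem_to_der(pem_text)).hexdigest()

def matches_expected(pem_text, expected_fp):
    """Compare against a fingerprint obtained out of band.

    Accepts plain hex or the colon-separated upper-case form that
    `openssl x509 -noout -fingerprint -sha256` prints after the '='.
    """
    wanted = expected_fp.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(sha256_fingerprint(pem_text), wanted)

def matches_server(pem_text, host, port=443):
    """Byte-for-byte comparison with the certificate the server presents now.

    ssl.get_server_certificate() fetches without validating the chain, so this
    only detects drift (rotation, wrong host); it does not establish trust.
    """
    live_pem = ssl.get_server_certificate((host, port))
    return hmac.compare_digest(pem_to_der(pem_text), pem_to_der(live_pem))

if __name__ == "__main__":  # usage: check_pin.py cert.pem <sha256> [host]
    pem = open(sys.argv[1], encoding="ascii").read()
    ok = matches_expected(pem, sys.argv[2])
    if ok and len(sys.argv) > 3:
        ok = matches_server(pem, sys.argv[3])
    sys.exit(0 if ok else 1)
```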