Using a custom PEM certificate for SSL validation
In some environments, Chromium may reject a server’s certificate if it cannot be validated using the system’s built-in certificate authorities. This is common in enterprise networks, development environments with self-signed certificates, or internal services using non-public certificate chains.
To address this, Equo Chromium allows you to provide a specific .pem certificate that Chromium will use to verify the server. If the provided certificate matches what the server presents, the connection is allowed.
Usage
To set the custom certificate, specify the path to your PEM certificate using the following system property:
-Dswt.chromium.ssl=/path/to/cert.pem
Replace /path/to/cert.pem with the absolute path to your certificate file. This configuration must be set before any Chromium-based browser instance is created.
How it works
When this property is set, Chromium will compare the provided .pem certificate with the certificate offered by the server during the SSL handshake. If they match exactly, Chromium proceeds with the connection despite the absence of a valid certificate chain.
This is particularly useful for:
- Testing with self-signed certificates.
- Accessing internal services with custom or untrusted CAs.
- Bypassing validation errors during development or diagnostics.
The certificate file must be in PEM format, which is a base64-encoded .crt or .cer file typically used in Unix-based systems.
Obtaining a PEM certificate
You can download a server’s certificate using a web browser or via openssl from the command line.
Use the following openssl command to retrieve and save the certificate from a given server:
echo -n | openssl s_client -connect example.com:443 | openssl x509 > cert.pem
This will output the server’s certificate in PEM format and save it as cert.pem.
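Because a matching file makes Chromium proceed without a valid certificate chain, and openssl s_client saves whatever certificate the answering endpoint presents, the saved file should be compared with a fingerprint obtained from the server's owner before it is pinned. The following script is an added example, not part of Equo Chromium; the function names cert_sha256, check_pin and make_demo_cert are hypothetical, and the demo certificate is constructed.

```shell
# Added example, not Equo's code. Function names and the demo certificate
# are constructed; only openssl and standard POSIX tools are assumed.

# Print a certificate's SHA-256 fingerprint as lowercase hex without colons.
cert_sha256() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
    sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# check_pin FILE EXPECTED_SHA256
# Succeeds only if FILE holds exactly one parseable, unexpired certificate
# whose fingerprint equals the value obtained out-of-band; on success it
# prints the JVM flag with an absolute path.
check_pin() {
  pin_file=$1
  pin_want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
  [ -r "$pin_file" ] || { echo "unreadable: $pin_file" >&2; return 2; }
  pin_n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pin_file" || true)
  [ "$pin_n" -eq 1 ] ||
    { echo "expected 1 certificate, found $pin_n" >&2; return 3; }
  openssl x509 -in "$pin_file" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "certificate unparseable or expired" >&2; return 4; }
  pin_got=$(cert_sha256 "$pin_file")
  [ "$pin_got" = "$pin_want" ] ||
    { echo "fingerprint mismatch: got $pin_got" >&2; return 5; }
  pin_dir=$(cd "$(dirname "$pin_file")" && pwd) || return 2
  echo "-Dswt.chromium.ssl=$pin_dir/$(basename "$pin_file")"
}

# Constructed demo input: a throwaway self-signed certificate for CN=$2.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Usage: check_pin /path/to/cert.pem "<fingerprint from the server's owner>"
```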