Skip to main content

Chrome (for Windows only) - HSTS Certificate Exception Instructions

Matt Prytuluk
  • Updated
  • min read

Overview 

 

 

GOOD NEWS!  A solution for this problem that is easier to manage and persistent for all sites is now available!  

As a result, the information below is still applicable but can now be worked around with a permanent solution.  We encourage you to try installing the Cisco Root CA with this article:

https://docs.umbrella.com/product/umbrella/rebrand-cisco-certificate-import-information/

 

 

 

This page is a guide for when a certificate error for *.cisco.com appears in Chrome (for Windows), but it is not able to be bypassed by adding a certificate exception.

The cause of this message is the implementation of HTTP Strict Transport Security (HSTS) or pre-loaded Certificate Pinning in modern browsers which enhances their overall security. This extra security for HTTPS pages prevents the Umbrella block page and bypass block page mechanism from working when HSTS is active for a website. For more information about HSTS, please refer to this article

Note:

Due to changes in HSTS, the Block Page Bypass (BPB) system does not work with certain sites due to non-bypassable certificate errors. In order to allow these sites to work with BPB in Chrome (for Windows), you must use a special switch when starting the browser. Some common sites that will not work with BPBin Chrome include: Facebook, Google Sites such as Gmail and YouTube, Dropbox and Twitter. For a full list of sites, please read here.

 
 

Without disabling Chrome Certificate Checks, attempts to use Block Page Bypass with any of the sites on this protected list will fail, as shown.

HSTS_Twitter.png
 
 

 

Disabling Chrome Certificate Checks (Windows Only)

 


To force Chrome to ignore these errors, you'll need to set your shortcut for Chrome to launch the application with the following switch:

--ignore-certificate-errors

Note that Google may choose to remove this feature at any time and thus it is only recommended as long as it is available:

To add this command line flag to Chrome, right-click the Chrome icon shortcut, select "Properties" and add it to the and selecting "Properties", then adding it to the Target as shown below:

CommandLineCrop.png

 

Once this flag is added, you can use BPB normally on the sites in the pre-loaded HSTS list to be able to bypass them. 

Chrome_Bypass_with_Cert_Warning.png

 

In the example above, although twitter.com is on the HSTS preloaded list, by ignoring the certificate warning we can use Block Page Bypass as designed.

Was this article helpful?

0 out of 0 found this helpful
Have more questions? Submit a request

Related articles