Every developer working with self-signed certificates has faced this at least once: you modify your certificate configuration, refresh Chrome, and... nothing changes. The browser stubbornly clings to its cached version of your certificate like a dog with its favorite bone.
```bash
# Example of regenerating a self-signed cert that won't be recognized
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
# But Chrome keeps showing the OLD expiration date!
```
Chrome maintains an internal certificate cache separate from the operating system's store. This cache persists across:
- Browser restarts
- System reboots
- Even certificate registry changes
For Chrome 81+ on Windows:
- Close all Chrome instances
- Run PowerShell as Admin:
```powershell
# Clear Chrome's entire SSL state
Remove-Item -Path "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\*" -Include "TransportSecurity", "SSLCertDecisions", "CertificateRevocation" -Recurse -Force
```
For targeted removal:
chrome://net-internals/#hsts
1. Query domain in "Delete domain security policies"
2. Check "Include subdomains for PSL"
3. Click Delete
Add these launch flags for development:
```bat
chrome.exe --ignore-certificate-errors --disable-web-security --user-data-dir=%TEMP%\chrome-dev-profile
```
Remember: These are DEVELOPMENT ONLY flags that disable critical security features.
Here's a Python script to automate certificate cache clearance:
```python
import os
import platform


def clear_chrome_cert_cache():
    # Locate Chrome's user data directory for the current platform
    system = platform.system()
    if system == "Windows":
        chrome_data = os.path.expanduser("~\\AppData\\Local\\Google\\Chrome\\User Data")
    elif system == "Linux":
        chrome_data = os.path.expanduser("~/.config/google-chrome")
    elif system == "Darwin":
        chrome_data = os.path.expanduser("~/Library/Application Support/Google/Chrome")
    else:
        raise RuntimeError(f"Unsupported platform: {system}")

    # File names (matched as substrings) that this script removes
    cert_files = [
        "TransportSecurity",
        "SSLCertDecisions",
        "CertificateRevocation",
        "Network Persistent State"
    ]

    # Walk every profile directory and delete matching files (close Chrome first)
    for root, dirs, files in os.walk(chrome_data):
        for name in files:
            if any(cert_file in name for cert_file in cert_files):
                os.remove(os.path.join(root, name))
    print("Chrome certificate cache cleared")


if __name__ == "__main__":
    clear_chrome_cert_cache()
```
When working with self-signed certificates during development, Chrome's aggressive caching behavior can cause serious headaches. The browser maintains an internal certificate cache that doesn't always refresh when you regenerate certificates, leading to the infamous "Your connection is not private" errors even after fixing certificate issues.
To confirm Chrome is using a cached version, click the padlock icon (or warning triangle) in the address bar, then select "Certificate". Compare the details (especially expiration date and fingerprint) with your current certificate file:
```bash
openssl x509 -noout -dates -fingerprint -in server.crt
```
Method 1: Clear Chrome's Internal Cache
1. Type chrome://restart in the address bar (forces full restart)
2. Alternatively, use chrome://net-internals/#hsts
3. Scroll to "Delete domain security policies" and enter your domain
Method 2: Nuclear Option (Windows)
Delete Chrome's certificate storage directly:
```powershell
# PowerShell command
Remove-Item "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\*\Certificates" -Recurse -Force
```
Method 3: Certificate Fingerprint Forcing
Add this to your Chrome shortcut properties to bypass certain caches:
```text
--ignore-certificate-errors-spki-list=YOUR_SPKI_FINGERPRINT
```
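Added example (not from the original page): a standard-library Python helper that computes the two values used above, the certificate's SHA-256 fingerprint to compare against Chrome's certificate viewer and the base64 SHA-256 SubjectPublicKeyInfo hash that replaces YOUR_SPKI_FINGERPRINT. The function names and the SAMPLE_CERT skeleton are constructed for illustration.

```python
import base64
import hashlib
import sys

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos:pos + 2]  # ValueError if fewer than 2 bytes remain
    start = pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + length

def spki_der(cert):
    """Return the whole SubjectPublicKeyInfo element of a DER certificate."""
    _, pos, _ = read_tlv(cert, 0)          # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(cert, pos)  # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                        # optional [0] version field
        pos = end
    for _field in range(5):  # serialNumber, signature, issuer, validity, subject
        pos = read_tlv(cert, pos)[2]
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert[pos:end]

def fingerprints(cert):
    """Return (SHA-256 certificate fingerprint, base64 SHA-256 SPKI hash)."""
    hexd = hashlib.sha256(cert).hexdigest().upper()
    spki_fp = base64.b64encode(hashlib.sha256(spki_der(cert)).digest()).decode()
    return ":".join(hexd[i:i + 2] for i in range(0, 64, 2)), spki_fp

def tlv(tag, value):  # DER-encode a short element (builds the sample only)
    return bytes([tag, len(value)]) + value

# Constructed DER skeleton with a certificate's field layout (not a real cert).
SAMPLE_SPKI = tlv(0x30, tlv(0x30, b"\x06\x01\x2a") + tlv(0x03, b"\x00KEY"))
SAMPLE_TBS = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + tlv(0x02, b"\x01")
                 + tlv(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = tlv(0x30, SAMPLE_TBS + tlv(0x30, b"") + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    der = SAMPLE_CERT
    if len(sys.argv) > 1:  # path to a PEM file such as server.crt
        der = base64.b64decode(open(sys.argv[1]).read().split("-----")[2])
    cert_fp, spki_fp = fingerprints(der)
    print(f"certificate SHA-256: {cert_fp}\n--ignore-certificate-errors-spki-list={spki_fp}")
```

Run it with the path to server.crt; `openssl x509 -noout -fingerprint -sha256 -in server.crt` should print the same certificate fingerprint. Chromium documents that the SPKI switch has no effect unless `--user-data-dir` is also set.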
When generating self-signed certs, always include unique identifiers:
```bash
openssl req -x509 -newkey rsa:4096 \
  -sha256 -days 3650 -nodes \
  -keyout server.key -out server.crt \
  -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:localhost" \
  -addext "certificatePolicies=1.2.3.4"
```
The `-addext` parameters help create distinct certificates that Chrome won't confuse with cached versions.