Solution ID : SO29058

Disable Certificate Transparency checking in Chrome on corporate-managed devices

Problem

When internal users connect to a private domain through Chrome (or another Chromium-based application), Chrome shows a warning that the connection is “not private” or “untrusted”, even though the connection is secure and the domain is known and trusted within your company.

Error Message

Your connection is not private
Error: NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED

Chrome may change the specific message, but the message will indicate that the connection is “not private” or “untrusted” and may specifically reference Certificate Transparency.

Cause

Chrome may show the “not private” or “untrusted” warning because:

  • You chose not to log your SSL certificate with Certificate Transparency, to keep your certificate information private.
  • You chose to log only the root domain for your SSL certificate, to keep your subdomain information private.

Solution

If you have certificate and subdomain information ("private.symantec.com") that must be kept private, apply the CT exemption policy to corporate-managed devices with Chrome/Chromium-based applications so internal users don’t see “untrusted” warnings for specified domains. The CT exemption policy disables the CT check in Chrome when the configured device connects to a specified domain.

Note: The CT exemption policy does not globally exempt an SSL certificate from CT checks. The exemption applies only on devices that are configured with the policy.

Policy name:
CertificateTransparencyEnforcementDisabledForUrls

Chrome/Chromium policy configuration for Windows, Mac, Android, Linux: http://www.chromium.org/administrators/policy-list-3#CertificateTransparencyEnforcementDisabledForUrls.

Policy templates for enterprise provisioning:
https://www.chromium.org/administrators/policy-templates
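
One way to keep the exemption list narrowly scoped before it is deployed, as an added example that is not part of the original article or of Chrome's own tooling: the script validates each hostname and emits the policy in the JSON form used by Chrome's managed-policy files on Linux. The suffix `corp.example.com` and the function names are assumptions, and the hostname rules are this example's own conservative checks.

```python
import json
import re

POLICY = "CertificateTransparencyEnforcementDisabledForUrls"
# Hypothetical internal suffix; replace with the zones your organisation owns.
ALLOWED_SUFFIXES = ("corp.example.com",)
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def check_entry(entry, allowed=ALLOWED_SUFFIXES):
    """Return a reason string if the entry is too broad or malformed, else None."""
    host = entry.strip().lower().rstrip(".")
    if host != entry:
        return "not a normalised lowercase hostname"
    if any(ch in host for ch in "*/:@?# "):
        return "only bare hostnames are accepted (no scheme, port, path or wildcard)"
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL.match(l) for l in labels):
        return "not a fully qualified hostname"
    # Require a dot boundary so "notcorp.example.com" does not pass as internal.
    if not any(host == s or host.endswith("." + s) for s in allowed):
        return "outside the approved internal suffixes"
    return None


def build_policy(entries, allowed=ALLOWED_SUFFIXES):
    """Validate every entry, then return the managed-policy JSON document."""
    problems = {e: r for e in entries if (r := check_entry(e, allowed))}
    if problems:
        raise ValueError(f"refusing to build policy: {problems}")
    return json.dumps({POLICY: sorted(set(entries))}, indent=2)


if __name__ == "__main__":
    # Constructed sample input.
    print(build_policy(["wiki.corp.example.com", "build.corp.example.com"]))
```

Running the same check in change review keeps a broad entry from silently disabling CT enforcement for hosts outside the intended private domains.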

Additional resources
Learn more about Certificate Transparency.