Solution review

A Chrome change altered how self-signed certificates are verified

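This solution worked well before Chrome 105. Starting with Chrome 105, Chrome implemented the Chrome Root Program policy (see further reading), and from Chrome 105 onward self-signed certificates may stop working (when the Chrome Root Store is used). Let's look at the relevant changes in detail.
  1. Wikipedia's Google_Chrome_Version_history shows that the Windows version of Chrome 105 was released on 2022-08-30. As of the latest Chrome Release history, that release does not seem to mention this change, but it gives us the release date, which we use in the reasoning below.
  1. The version history of the Chrome Root Program Policy; the 2022/9/1 entry reads "Updated to reflect the launch of the Chrome Root Program":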
| Version | Date | Note |
|---|---|---|
| 1 | 2020/12/20 | Initial release |
| 1.1 | 2022/6/1 | Updated in anticipation of the future Chrome Root Program launch. Updates include, but are not limited to: future-dated applicant requirements for dedicated TLS-hierarchies and key-pair freshness; clarification of audit expectations; requirements for cross-certificate issuance notification; description of and requirements related to an annual self-assessment process; an outline of priority Chrome Root Program initiatives |
| 1.2 | 2022/9/1 | Updated to reflect the launch of the Chrome Root Program. Updates include, but are not limited to: removal of pre-launch discussion; clarifications resulting from the June 2022 Chrome CCADB survey; minor reorganization of normative and non-normative requirements |
| 1.3 | 2023/1/6 | Updated to include the CCADB Self-Assessment |
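  1. Next, look at the description of ChromeRootStoreEnabled: it is experimental and will be removed in Chrome 113.
  1. A question posted on superuser.com (a sister site of stackoverflow): the way that question was resolved shows the user ran into the same problem, and the self-signed certificate that ships with IIS is likewise not trusted.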

Conclusion

When ChromeRootStoreEnabled is not set on Chrome 105+, or flags/#chrome-root-store-enabled is not set, we can combine the 2022/9/1 Chrome change "Updated to reflect the launch of the Chrome Root Program", the statement "Chrome Root Store may be used depending on feature launch process", and point 4 above to conclude that Chrome 105+ uses the Chrome Root Store to verify self-signed certificates, and this Chrome Root Store clearly does not contain our certificate.

How to verify (requires the ability to access Google)

Tested version: Chrome 110
  1. Chrome Root Store set to Default: expected result, the page fails to load
  1. Chrome Root Store is Enabled: expected result, the page fails to load
  1. Chrome Root Store is Disabled: expected result, the page loads
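
The three test cases above depend on two things: the state of the Chrome Root Store switch and whether the self-signed certificate is trusted by the operating system. The following read-only PowerShell diagnostic is an added example, not part of the original article; it assumes a Windows machine, that the ChromeRootStoreEnabled policy is read from the machine-level key `HKLM:\SOFTWARE\Policies\Google\Chrome`, and that the site certificate sits in the `LocalMachine\My` store. The function names are hypothetical.

```powershell
# Added example (not from the original article). It only reads state and changes nothing.
# Assumption: machine-level Chrome policies live under this key on Windows.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$policyName = 'ChromeRootStoreEnabled'

function Get-ChromeRootStorePolicy {
    # Returns 'Enabled', 'Disabled' or 'NotSet'.
    # 'NotSet' means Chrome falls back to its default or the chrome://flags value.
    $item = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    if ($item.$policyName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Get-SelfSignedServerCert {
    # A certificate is treated as self-signed when Subject equals Issuer.
    # Assumption: the server certificate is in LocalMachine\My (where IIS keeps its certificates).
    $rootThumbprints = @((Get-ChildItem Cert:\LocalMachine\Root).Thumbprint)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $_.Issuer } |
        ForEach-Object {
            [pscustomobject]@{
                Subject            = $_.Subject
                Thumbprint         = $_.Thumbprint
                NotAfter           = $_.NotAfter
                # True when the same certificate is also a Windows trusted root
                InWindowsRootStore = $rootThumbprints -contains $_.Thumbprint
            }
        }
}

$state = Get-ChromeRootStorePolicy
Write-Output "ChromeRootStoreEnabled policy: $state"

# Expected results are the ones listed in the article for Chrome 110.
switch ($state) {
    'Disabled' { Write-Output 'Matches test case 3: the page is expected to load.' }
    'Enabled'  { Write-Output 'Matches test case 2: the page is expected to fail to load.' }
    default    { Write-Output 'Matches test case 1 (Default) unless the chrome://flags entry overrides it.' }
}

Get-SelfSignedServerCert | Format-Table -AutoSize
```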