我们可以简单地允许无效证书用于chrome中的开发目的。

这只对本地主机有效

将以下内容粘贴到chrome地址栏：
chrome：//标志/#允许不安全的本地主机
然后启用突出显示的文本：允许从localhost加载的资源使用无效证书

• • 以下是我使用KeyStore Explorer工具的说明。**以前创建证书时缺少的两件事是：
• 添加Authority Key Identifier（或AKID），选择创建时使用的相同CN=<certificate_name>。
• 添加Basic Constraints选项（不要选择"是CA"）

如果没有这两项功能，Chrome将发出警告/错误**，即使您已将自签名证书**安装到MS-CAPI PKI信任存储中（作为Trusted Root Authority）。
操作步骤：

1. Instructions using KSE (KeyStore Explorer)
2. Create a JKS
3. Creating a self-signed certificate
4. Open KeyStore Explorer
5. File | New | JKS | OK
6. Create a Password for your JKS file
7. File | Save as... | enter your password 
8. Enter file name | OK
9. Tools | Generate Key Pair
10. Select Algorithm and Key Size (i.e. 2048) | OK
11. Select validity period (i.e. 5 years) 
12. Select Name (Book icon) | Enter in Name fields | OK: I.e. “CN=localhost…<or SERVER_NAME>”
13. Add Extensions (Very Important), this determines what type of certificate it will be and how it can be used.  This example will be for a standard server certificate with SSL.
14. Add in the Key Usage item
15. Add in the Digital Signature and Key Encipherment options checkbox
16. Add in the EKU (Extended Key Usage) options
17. Select both of these options: "TLS Web Client Authentication" and "TLS Web Server Authentication"
18. Add in the SANs (Subject Alternative Name)
19. Add in all the needed DNS names and IP Addresses (if applicable) for which this server will be used. (repeat for all desired values) (e.g. 127.0.0.1 and localhost (or <SERVER_NAME>)
20. It will look something like this when it's done
21. When it's done you will see all the fields with the OIDs (Object Identifiers) listed | OK | OK
22. Add in the AKID (Authority Key Identifier)
23. Add Extensions "+"
24. Add Extension Type | Authority Key Identifier
25. Select the Authority Cert Issuer of the CN that you created above (.e.g "CN=localhost...") | OK
26. Add in a "Basic Constraints" (do NOT check "Subject is a CA")
27. When you're done you'll see these listed: hit "OK"

/**
 * Note: the Basic Constraints and AKID (Authority Key Identifer) are needed 
 * for the Chrome Browser to validate the self-signed certificate as a 
 * trusted certificate. Otherwise you'll see warning or error messages even 
 * after you have add this certificate, explicitly, to your MS-CAPI Trusted 
 * Root certificates.
 **/

28. Enter in the Alias of the keypair name you want to use
29. Enter in the private keypair password

/**
 * Note: this password MUST be the same as the JKS file keystore password or 
 * Java may fail silently when trying to use this certificate.
 **/
 
30. You should see a message indicating success. | OK 
31. Then, save the File | Save

我在this之后修复了完全相同的问题。
问题似乎出在证书的创建方式上。
下面的代码来自上面的站点。

#!/usr/bin/env bash
mkdir ~/ssl/
openssl genrsa -des3 -out ~/ssl/rootCA.key 2048
openssl req -x509 -new -nodes -key ~/ssl/rootCA.key -sha256 -days 1024 -out ~/ssl/rootCA.pem

#!/usr/bin/env bash
sudo openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config <( cat server.csr.cnf )

sudo openssl x509 -req -in server.csr -CA ~/ssl/rootCA.pem -CAkey ~/ssl/rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext

服务器. csr.cnf文件

[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=US
ST=New York
L=Rochester
O=End Point
OU=Testing Domain
emailAddress=your-administrative-address@your-awesome-existing-domain.com
CN = localhost

v3.ext文件

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost

有一个很棒的基于Java的GUI实用程序，我使用它来创建和操作PKI的所有东西，称为KeyStore Explorer。它比所有命令行选项都简单得多：
http://keystore-explorer.org/

1.打开Chrome浏览器
1.在浏览器地址栏中输入以下链接，然后按Enter键。
chrome：//标志/#允许不安全的本地主机
1.选择“允许从本地主机加载的资源使用无效证书”。”已禁用“更改为”已启用“。
希望你的问题能解决。谢谢

我发现这个纯粹是偶然的：如果你安装了Fiddler并让它在后台运行，你的应用程序第一次运行时会打开一个带有证书问题的弹出窗口，如果你点击"是"，它将允许你的请求通过。

只需更新您的java（或安装java取决于您的系统架构（32或64位））。
安装后，重新启动chrome浏览器，然后它会工作正常。
我已经面对这个问题很长时间了。我刚刚发现这一点，它对我很有效。

尝试禁用所有浏览器扩展并检查问题是否已解决。