{"id":12275,"date":"2025-11-03T11:00:10","date_gmt":"2025-11-03T10:00:10","guid":{"rendered":"https:\/\/www.basyskom.de\/?p=12275"},"modified":"2025-11-03T11:48:21","modified_gmt":"2025-11-03T10:48:21","slug":"qt-webengine-custom-server-certificates","status":"publish","type":"post","link":"https:\/\/www.basyskom.de\/en\/qt-webengine-custom-server-certificates\/","title":{"rendered":"Qt WebEngine Custom Server Certificates"},"content":{"rendered":"
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
One of our clients is building an application with a web-based front-end. In order to provide a clean, controlled environment where no browser extensions or user settings interfere, it is viewed in a dedicated browser built with Qt WebEngine.<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThe corresponding web server uses a self-signed TLS certificate. That\u2019s fair for the environment where the application is deployed in. However, this also means that the certificate and its issuing CA must be added to the system\u2019s trust store. Adding a new Root CA rightfully needs administrative privileges, but is also not really what we want: the certificate is only relevant for our application and we want it to run without such pre-configuration.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Since Qt 5.13, Qt WebEngine has had an in-memory client<\/em> certificate store where you can add additional certificates without affecting the system\u2019s certificate store. However, there has been no API to add server<\/em> certificates. Luckily, Chromium 122, which coincidentally is the base for Qt 6.8 LTS, refactored certificate handling: the creation parameters for its \u201ccert verifier\u201d now accept a list of initial_additional_certificates<\/code> that are considered irrespective of the platform\u2019s trust store. Therefore, we intended to add a new API to QWebEngineProfile<\/code> so an application can provide a QList<QSslCertificate><\/code> of additional certificates.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Unfortunately, since this is only designed to be used during the creation of the cert verifier, our new QWebEngineProfile::setAdditionalTrustedCertificates<\/code> method would take effect only once, before the website is loaded for the first time and subsequent calls effectively did nothing. That\u2019s not a very predictable API design. Luckily again, Qt 6.9 introduced the QWebEngineProfileBuilder<\/code> specifically intended for this kind of \u201cwrite-once\u201d API.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

We moved the method there, added some unit tests, and the just released Qt 6.10 now supports setting additional trusted server certificates:\u00a0QWebEngineProfileBuilder::setAdditionalTrustedCertificates<\/a>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t
auto rootCa = QSslCertificate::fromPath(u"...pem"_s); \/\/ QSslCertificate::fromPath also new in Qt 6.10.\n\nQWebEngineProfileBuilder builder;\nbuilder.setAdditionalTrustedCertificates({rootCa});\n\nm_profile.reset(builder.createProfile(profileName)); <\/code><\/pre>