As usual, as soon as I ask the question, I find an answer: https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/IGT2fLJrAeo Now I just need a solution which doesn't involve re-building all the certificates, because some of those I use cannot be rebuilt.