diff --git a/atom/browser/api/atom_api_app.cc b/atom/browser/api/atom_api_app.cc
index 95db0c61ed7f..73f4b3927728 100644
--- a/atom/browser/api/atom_api_app.cc
+++ b/atom/browser/api/atom_api_app.cc
@@ -17,6 +17,7 @@
 #include "atom/common/native_mate_converters/callback.h"
 #include "atom/common/native_mate_converters/net_converter.h"
 #include "atom/common/native_mate_converters/file_path_converter.h"
+#include "atom/common/native_mate_converters/gurl_converter.h"
 #include "atom/common/node_includes.h"
 #include "atom/common/options_switches.h"
 #include "base/command_line.h"
@@ -27,6 +28,7 @@
 #include "chrome/common/chrome_paths.h"
 #include "content/public/browser/client_certificate_delegate.h"
 #include "content/public/browser/gpu_data_manager.h"
+#include "content/public/browser/render_frame_host.h"
 #include "content/public/common/content_switches.h"
 #include "native_mate/dictionary.h"
 #include "native_mate/object_template_builder.h"
@@ -216,30 +218,49 @@ void App::OnFinishLaunching() {
 }
 
 void App::OnLogin(LoginHandler* login_handler) {
-  // Convert the args explicitly since they will be passed for twice.
   v8::Locker locker(isolate());
   v8::HandleScope handle_scope(isolate());
-  auto web_contents =
-      WebContents::CreateFrom(isolate(), login_handler->GetWebContents());
-  auto request = mate::ConvertToV8(isolate(), login_handler->request());
-  auto auth_info = mate::ConvertToV8(isolate(), login_handler->auth_info());
-  auto callback = mate::ConvertToV8(
-      isolate(),
+  bool prevent_default = Emit(
+      "login",
+      WebContents::CreateFrom(isolate(), login_handler->GetWebContents()),
+      login_handler->request(),
+      login_handler->auth_info(),
       base::Bind(&PassLoginInformation, make_scoped_refptr(login_handler)));
 
-  bool prevent_default =
-      Emit("login", web_contents, request, auth_info, callback);
-
-  // Also pass it to WebContents.
-  if (!prevent_default)
-    prevent_default =
-        web_contents->Emit("login", request, auth_info, callback);
-
   // Default behavior is to always cancel the auth.
   if (!prevent_default)
     login_handler->CancelAuth();
 }
 
+void App::AllowCertificateError(
+    int pid,
+    int fid,
+    int cert_error,
+    const net::SSLInfo& ssl_info,
+    const GURL& request_url,
+    content::ResourceType resource_type,
+    bool overridable,
+    bool strict_enforcement,
+    bool expired_previous_decision,
+    const base::Callback<void(bool)>& callback,
+    content::CertificateRequestResultType* request) {
+  auto rfh = content::RenderFrameHost::FromID(pid, fid);
+  auto web_contents = content::WebContents::FromRenderFrameHost(rfh);
+
+  v8::Locker locker(isolate());
+  v8::HandleScope handle_scope(isolate());
+  bool prevent_default = Emit("certificate-error",
+                              WebContents::CreateFrom(isolate(), web_contents),
+                              request_url,
+                              cert_error,
+                              ssl_info.cert,
+                              callback);
+
+  // Deny the certificate by default.
+  if (!prevent_default)
+    *request = content::CERTIFICATE_REQUEST_RESULT_TYPE_DENY;
+}
+
 void App::SelectClientCertificate(
     content::WebContents* web_contents,
     net::SSLCertRequestInfo* cert_request_info,
@@ -248,7 +269,7 @@ void App::SelectClientCertificate(
       shared_delegate(delegate.release());
   bool prevent_default =
       Emit("select-client-certificate",
-           api::WebContents::CreateFrom(isolate(), web_contents),
+           WebContents::CreateFrom(isolate(), web_contents),
            cert_request_info->host_and_port.ToString(),
            cert_request_info->client_certs,
            base::Bind(&OnClientCertificateSelected,
diff --git a/atom/browser/api/atom_api_app.h b/atom/browser/api/atom_api_app.h
index c3793cd54267..ee7e02079125 100644
--- a/atom/browser/api/atom_api_app.h
+++ b/atom/browser/api/atom_api_app.h
@@ -51,6 +51,18 @@ class App : public AtomBrowserClient::Delegate,
   void OnLogin(LoginHandler* login_handler) override;
 
   // content::ContentBrowserClient:
+  void AllowCertificateError(
+      int render_process_id,
+      int render_frame_id,
+      int cert_error,
+      const net::SSLInfo& ssl_info,
+      const GURL& request_url,
+      content::ResourceType resource_type,
+      bool overridable,
+      bool strict_enforcement,
+      bool expired_previous_decision,
+      const base::Callback<void(bool)>& callback,
+      content::CertificateRequestResultType* request) override;
   void SelectClientCertificate(
       content::WebContents* web_contents,
       net::SSLCertRequestInfo* cert_request_info,
diff --git a/atom/browser/api/atom_api_session.cc b/atom/browser/api/atom_api_session.cc
index 6527f67ab3f1..3510a21668e9 100644
--- a/atom/browser/api/atom_api_session.cc
+++ b/atom/browser/api/atom_api_session.cc
@@ -238,12 +238,6 @@ void SetProxyInIO(net::URLRequestContextGetter* getter,
   RunCallbackInUI(callback);
 }
 
-void PassVerificationResult(
-    scoped_refptr<AtomCertVerifier::CertVerifyRequest> request,
-    bool success) {
-  request->ContinueWithResult(success ? net::OK : net::ERR_FAILED);
-}
-
 }  // namespace
 
 Session::Session(AtomBrowserContext* browser_context)
@@ -262,19 +256,6 @@ Session::~Session() {
   Destroy();
 }
 
-void Session::RequestCertVerification(
-    const scoped_refptr<AtomCertVerifier::CertVerifyRequest>& request) {
-  bool prevent_default = Emit(
-      "untrusted-certificate",
-      request->args().hostname,
-      request->args().cert,
-      base::Bind(&PassVerificationResult, request));
-
-  if (!prevent_default)
-    // Tell the request to use the result of default verifier.
-    request->ContinueWithResult(net::ERR_IO_PENDING);
-}
-
 void Session::OnDownloadCreated(content::DownloadManager* manager,
                                 content::DownloadItem* item) {
   auto web_contents = item->GetWebContents();
diff --git a/atom/browser/api/atom_api_session.h b/atom/browser/api/atom_api_session.h
index db72558db473..ebcfc45223db 100644
--- a/atom/browser/api/atom_api_session.h
+++ b/atom/browser/api/atom_api_session.h
@@ -54,10 +54,6 @@ class Session: public mate::TrackableObject<Session>,
   explicit Session(AtomBrowserContext* browser_context);
   ~Session();
 
-  // AtomCertVerifier::Delegate:
-  void RequestCertVerification(
-      const scoped_refptr<AtomCertVerifier::CertVerifyRequest>&) override;
-
   // content::DownloadManager::Observer:
   void OnDownloadCreated(content::DownloadManager* manager,
                          content::DownloadItem* item) override;
diff --git a/atom/browser/api/lib/app.coffee b/atom/browser/api/lib/app.coffee
index 44efaa240652..3db4582abc7c 100644
--- a/atom/browser/api/lib/app.coffee
+++ b/atom/browser/api/lib/app.coffee
@@ -38,6 +38,12 @@ app.getAppPath = ->
 # Helpers.
 app.resolveProxy = (url, callback) -> @defaultSession.resolveProxy url, callback
 
+# Routes the events to webContents.
+for name in ['login', 'certificate-error', 'select-client-certificate']
+  do (name) ->
+    app.on name, (event, webContents, args...) ->
+      webContents.emit name, event, args...
+
 # Deprecated.
 {deprecate} = electron
 app.getHomeDir = deprecate 'app.getHomeDir', 'app.getPath', ->
diff --git a/atom/browser/atom_browser_client.cc b/atom/browser/atom_browser_client.cc
index 7049f4896c12..38fdc0e19f9e 100644
--- a/atom/browser/atom_browser_client.cc
+++ b/atom/browser/atom_browser_client.cc
@@ -207,6 +207,26 @@ content::QuotaPermissionContext*
   return new AtomQuotaPermissionContext;
 }
 
+void AtomBrowserClient::AllowCertificateError(
+    int render_process_id,
+    int render_frame_id,
+    int cert_error,
+    const net::SSLInfo& ssl_info,
+    const GURL& request_url,
+    content::ResourceType resource_type,
+    bool overridable,
+    bool strict_enforcement,
+    bool expired_previous_decision,
+    const base::Callback<void(bool)>& callback,
+    content::CertificateRequestResultType* request) {
+  if (delegate_) {
+    delegate_->AllowCertificateError(
+        render_process_id, render_frame_id, cert_error, ssl_info, request_url,
+        resource_type, overridable, strict_enforcement,
+        expired_previous_decision, callback, request);
+  }
+}
+
 void AtomBrowserClient::SelectClientCertificate(
     content::WebContents* web_contents,
     net::SSLCertRequestInfo* cert_request_info,
diff --git a/atom/browser/atom_browser_client.h b/atom/browser/atom_browser_client.h
index 25849e92d4f7..75e17494593b 100644
--- a/atom/browser/atom_browser_client.h
+++ b/atom/browser/atom_browser_client.h
@@ -57,6 +57,18 @@ class AtomBrowserClient : public brightray::BrowserClient,
                                       int child_process_id) override;
   void DidCreatePpapiPlugin(content::BrowserPpapiHost* browser_host) override;
   content::QuotaPermissionContext* CreateQuotaPermissionContext() override;
+  void AllowCertificateError(
+      int render_process_id,
+      int render_frame_id,
+      int cert_error,
+      const net::SSLInfo& ssl_info,
+      const GURL& request_url,
+      content::ResourceType resource_type,
+      bool overridable,
+      bool strict_enforcement,
+      bool expired_previous_decision,
+      const base::Callback<void(bool)>& callback,
+      content::CertificateRequestResultType* request) override;
   void SelectClientCertificate(
       content::WebContents* web_contents,
       net::SSLCertRequestInfo* cert_request_info,