Search code examples
iiscertificatessl-certificateiis-8

Why won't browsers trust a self-signed SSL certificate from IIS?

I have an externally hosted IIS web server where I run my website. I would like to add a self-signed certificate to this website and trust it on my local client, to remove "Insecure Connection" from the browser.

What I have done so far is the following:

  1. Created a self-signed certificate in IIS via the "Server Certificates -> Create self signed Certificate" path. The certificate is issued to the server name (e.g ABCD01)
  2. Created a website with an HTTPS binding using the self-signed certificate.
  3. Exported the self-signed certificate from IIS using the "Server Certificates -> Export" path. This resulted in a .pfx file
  4. Imported the .pfx certificate file onto the local client via the "manage computer certificates -> Trusted Root certification authorities -> import" path
  5. Added the server's host name (ABCD01) and IP address of the host to the hosts file: C:\Windows\System32\drivers\etc\hosts

However, when I try to open the website in Firefox (using https://ABCD01), I still get the following error:

Your connection is not secure.

Chrome does not work, either. What am I missing?

Solution

  • There are multiple issues:

    1. IIS certificate generator creates self-signed certificates with SHA1 signature algorithm which is obsolete in modern browsers. You have to use different tools to create test certificates. For example, use PowerShell New-SelfSignedCertificate cmdlet where you can specify signature algorithm. Look at this post to get an example: https://stackoverflow.com/a/45284368/3997611
    New-SelfSignedCertificate `
    -DnsName "ABCD01" `
    -CertStoreLocation "cert:\LocalMachine\My" `
    -FriendlyName "test dev cert" `
    -TextExtension "2.5.29.37={text}1.3.6.1.5.5.7.3.1" `
    -KeyUsage DigitalSignature,KeyEncipherment,DataEncipherment `
    -Provider "Microsoft RSA SChannel Cryptographic Provider" `
    -HashAlgorithm "SHA256"

    1. IIS certificate generator cannot build certificate with SAN (Subject Alternative Names) certificate extension which is required in Google Chrome. You have to use different tools to create test certificates. Look at the example above for reference.

    2. Google Chrome uses built-in Windows Certificate store to establish a trust, while FireFox uses its own certificate store. Therefore, after adding the certificate to Windows certificate store, you have to import your test certificate to FireFox manually.