How do I change my IIS Express SSL certificate for one that will work with Chrome 58+?

Chris picture Chris · Apr 28, 2017 · Viewed 11.3k times · Source

Chrome 58+ drops support for CN in SSL certs, which means (at least on my machine) that browsing sites hosted in IIS Express throw constant security warnings.

How do I change my IIS Express SSL certificate for one that will work with Chrom 58+?

Answer

Chris picture Chris · Apr 28, 2017

This is how I fixed this. There may be an easier way (I'm sure there is!)

Step 1 - Open Windows PowerShell (in admin mode) and generate a certificate like this:

New-SelfSignedCertificate -DnsName "localhost", "localhost" -CertStoreLocation "cert:\LocalMachine\My"

Keep the thumbprint safe.

Step 2 - Open a command prompt (in admin mode) and run these commands.

The first will delete the current IIS Express certificate for ports 44300-44399.

for /L %i in (44300,1,44399) do netsh http delete sslcert ipport=0.0.0.0:%i

The next will add your new certificate to those ports. Change the thumbprint obviously.

for /L %i in (44300,1,44399) do netsh http add sslcert ipport=0.0.0.0:%i certhash=33459ADA4D5329673604F43A073B7F43084818A7 appid={214124cd-d05b-4309-9af9-9caa44b2b74a}

The appid is for IIS Express 10 I believe. You may want to check your IIS Express appid is the same as mine first. To do that do this:

netsh http show sslcert

Step 3 - Restart IIS Express and Chrome, then run up one of your sites in Chrome.

It'll give you the security warning again. Proceed to the page then go into settings > advanced settings, HTTPS/SSL Manage certificates. In here, export the certificate from Personal and import the certificate to Trusted Root Certificate Authorities (I did it as .p7b) then restart Chrome.

Try the site again - you should be secure now.

You can do all this outside of Chrome in certmgr as well.

Edit: Alternate steps for Step 3 above using certmgr:

  1. Hit win key and type "certmgr" to open the Windows cert manager.
  2. Expand Certificates - Local Computer > Personal > Certificates and find the cert you just created (it should be issued to localhost and have an expiration one year from the current date).
  3. Select the cert and ctrl-c to copy.
  4. Expand Certificates - Local Computer > Trusted Root Certification Authorities > Certificates and ctrl-v to paste.