Trust a self signed cert from IIS

iis certificate ssl-certificate iis-8
Thomas Schneiter picture Thomas Schneiter · Oct 9, 2017 · Viewed 11.1k times · Source

I have an externally hosted iis webserver where i run my website. I would like to add a self signed certificate to this website and trust it on my local client, to remove "Insecure Connection" from the browser.

What i have done so far is the following

  1. Created a self signed certificate in IIS: Server Certificates -> Create self signed Certificate. The cert is issued to the servername e.g "ABCD01"
  2. Created a website with a https binding using the self signed certificate.
  3. Exported the self signed certificate from IIS using: Server Certificates -> Export. This resulted in an .pfx file
  4. Imported the .pfx cert file on the local client: manage computer certificates -> Trusted Root certification authorities -> import
  5. Added the hostname (ABCD01) and ip of the host to the hosts file: C:\Windows\System32\drivers\etc\hosts

When i try to open the website in firefox (using https://ABCD01), i still get the "Your connection is not secure". What am i missing?

Answer

Crypt32 picture Crypt32 · Oct 9, 2017

There are multiple issues:

  1. IIS certificate generator creates self-signed certificates with SHA1 signature algorithm which is obsolete in modern browsers. You have to use different tools to create test certificates. For example, use PowerShell New-SelfSignedCertificate cmdlet where you can specify signature algorithm. Look at this post to get an example: https://stackoverflow.com/a/45284368/3997611
New-SelfSignedCertificate `
    -DnsName "ABCD01" `
    -CertStoreLocation "cert:\LocalMachine\My" `
    -FriendlyName "test dev cert" `
    -TextExtension "2.5.29.37={text}1.3.6.1.5.5.7.3.1" `
    -KeyUsage DigitalSignature,KeyEncipherment,DataEncipherment `
    -Provider "Microsoft RSA SChannel Cryptographic Provider" `
    -HashAlgorithm "SHA256"

  1. IIS certificate generator cannot build certificate with SAN (Subject Alternative Names) certificate extension which is required in Google Chrome. You have to use different tools to create test certificates. Look at the example above for reference.

  2. Google Chrome uses built-in Windows Certificate store to establish a trust, while FireFox uses its own certificate store. Therefore, after adding the certificate to Windows certificate store, you have to import your test certificate to FireFox manually.

Related questions

How to create .pfx file from certificate and private key?

I need .pfx file to install https on website on IIS. I have two separate files: certificate (.cer or pem) and private key (.crt) but IIS accepts only .pfx files. I obviously installed certificate and it is available in certificate …

Read More
How to create a self-signed certificate for a domain name for development?

I have subdomain.example.com that I use for development purposes. My web application solution contains a web API etc, that I need to call from external systems, hence I am not using localhost. I now need to test for …

Read More
How to solve "Could not establish trust relationship for the SSL/TLS secure channel with authority"

Really thought I had this issue fixed, but it was only disguised before. I have a WCF service hosted in IIS 7 using HTTPS. When I browse to this site in Internet Explorer, it works like a charm, this is because …

Read More