32

Chrome 58+ drops support for CN in SSL certs, which means (at least on my machine) that browsing sites hosted in IIS Express throw constant security warnings.

How do I change my IIS Express SSL certificate for one that will work with Chrome 58+?

Kirill Rakhman
Chris

5 Answers

47

This is how I fixed this. There may be an easier way (I'm sure there is!)

Step 1 - Open Windows PowerShell (in admin mode) and generate a certificate like this:

```powershell
New-SelfSignedCertificate -DnsName "localhost", "localhost" -CertStoreLocation "cert:\LocalMachine\My"
```

Keep the thumbprint safe.

Step 2 - Open a command prompt (in admin mode) and run these commands.

The first will delete the current IIS Express certificate for ports 44300-44399.

```cmd
for /L %i in (44300,1,44399) do netsh http delete sslcert ipport=0.0.0.0:%i
```

The next will add your new certificate to those ports. Change the thumbprint obviously.

```cmd
for /L %i in (44300,1,44399) do netsh http add sslcert ipport=0.0.0.0:%i certhash=33459ADA4D5329673604F43A073B7F43084818A7 appid={214124cd-d05b-4309-9af9-9caa44b2b74a}
```

The appid is for IIS Express 10 I believe. You may want to check your IIS Express appid is the same as mine first. To do that do this:

```cmd
netsh http show sslcert
```

Step 3 - Restart IIS Express and Chrome, then run up one of your sites in Chrome.

It'll give you the security warning again. Proceed to the page then go into settings > advanced settings, HTTPS/SSL Manage certificates. In here, export the certificate from Personal and import the certificate to Trusted Root Certificate Authorities (I did it as .p7b) then restart Chrome.

Try the site again - you should be secure now.

You can do all this outside of Chrome in certmgr as well.

Edit: Alternate steps for Step 3 above using certmgr:

  1. Hit win key and type "certmgr" to open the Windows cert manager.
  2. Expand Certificates - Local Computer > Personal > Certificates and find the cert you just created (it should be issued to localhost and have an expiration one year from the current date).
  3. Select the cert and ctrl-c to copy.
  4. Expand Certificates - Local Computer > Trusted Root Certification Authorities > Certificates and ctrl-v to paste.
Bradley Mountford
Chris
  • This is what I had to do as well. Basically the IIS Express Development Certificate became invalid with Chrome 58 because it does not have the Subject Alternative Name property. – travis.js Apr 28 '17 at 15:08
  • This worked great for me. And you can use the cert manager to copy/move the cert to the Trusted Root Certification Authorities store (just ctrl-c in the Personal store and then ctrl-v into the trusted store). – Bradley Mountford May 01 '17 at 18:36
  • Thanks for this. It really helped. I also had to add certstorename=MY when adding the certificate to the ports. – smartdirt May 03 '17 at 14:24
  • Your "for" statement did not work for me in PowerShell, but this did `44300..44399 | %{netsh http show sslcert ipport=0.0.0.0:$_}`. Nevertheless, thanks for the useful answer. :D – Chiramisu May 15 '17 at 22:54
  • If you do it visually using Jexus Manager, then no need to remember the certificate hash, https://blog.lextudio.com/why-chrome-says-iis-express-https-is-not-secure-and-how-to-resolve-that-d906a183f0 – Lex Li Jun 15 '17 at 04:16
  • Great! Worked for me. But using certmgr I didn't find my cert in Certificates - Local Computer > Personal > Certificates but in Certificates - Current User > Intermediate Certificate Authorities > Certificates. Thank you! – Dov Miller Jun 25 '17 at 12:43
  • Awesome. I know very little about SSL certificate security. Can someone explain (provide a link?) how and why the certificate gets hooked up to these ports and why just deleting the certificate (using the MMC snapin) and replacing it with the new certificate doesn't resolve the issue? Presumably the CN property specified all ports.... I'd just like to know. – Anthony Aug 13 '17 at 11:40
  • LOL. I just found my comment above after some months and it was just what I needed. Was gonna upvote, then realized it was mine and I couldn't. :P – Chiramisu Feb 08 '18 at 23:10
  • When the certificate expires is there a way to renew it or must I go thru the whole process to create a new one? – Dov Miller Jul 05 '18 at 12:58
  • Note: It should not matter what appid you use, since it's purely [free of choice](https://stackoverflow.com/questions/537173/what-appid-should-i-use-with-netsh-exe). – Martin Braun Sep 02 '19 at 14:25
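The three steps of the accepted answer, plus the `certstorename=MY` detail from the comments, as one elevated PowerShell script. This is an added example, not code from the question, any answer, or Microsoft; it assumes IIS Express binds HTTPS on ports 44300-44399 and uses the appid quoted in the answer (check both with `netsh http show sslcert` first). It also verifies the thing Chrome 58+ actually checks, the Subject Alternative Name extension, before touching any port bindings, and uses PowerShell's `44300..44399` range rather than the cmd-only `for /L` loop.

```powershell
# Added example (not from the question or any answer): runs the three steps of
# the accepted answer from one elevated PowerShell session, then checks the result.
# Assumptions: IIS Express uses ports 44300-44399 and the appid shown in the
# answer; adjust both if `netsh http show sslcert` reports something else.
#Requires -RunAsAdministrator

$Ports    = 44300..44399
$AppId    = '{214124cd-d05b-4309-9af9-9caa44b2b74a}'   # IIS Express appid quoted in the answer
$DnsNames = @('localhost')                             # becomes the SAN entry Chrome 58+ requires

# Step 1: create a self-signed certificate whose SAN carries the host name.
$cert = New-SelfSignedCertificate -DnsName $DnsNames `
          -CertStoreLocation 'Cert:\LocalMachine\My' `
          -FriendlyName 'IIS Express localhost (SAN)' `
          -NotAfter (Get-Date).AddYears(1)
$thumb = $cert.Thumbprint
Write-Host "Created certificate $thumb"

# Sanity check: stop if the SAN extension (OID 2.5.29.17) is missing, because
# a CN-only certificate is exactly what Chrome 58+ rejects.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) { throw 'New certificate has no Subject Alternative Name extension' }
Write-Host ('SAN: ' + $san.Format($false))

# Step 2: rebind the port range. The delete may fail on ports that had no
# binding, which is harmless, so its output is discarded; add failures are reported.
foreach ($p in $Ports) {
    $ipport = "0.0.0.0:$p"
    netsh http delete sslcert ipport=$ipport | Out-Null
    netsh http add sslcert ipport=$ipport certhash=$thumb appid=$AppId certstorename=MY | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "add sslcert failed for $ipport" }
}

# Step 3: trust the certificate machine-wide by copying it into the LocalMachine
# Root store (the certmgr copy/paste from the answer, done in code).
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite')
$root.Add($cert)
$root.Close()

# Verify: the first port in the range should now report the new thumbprint.
$binding = netsh http show sslcert ipport=0.0.0.0:$($Ports[0])
if ($binding -match $thumb) {
    Write-Host "Port $($Ports[0]) now serves certificate $thumb"
} else {
    Write-Warning 'Binding check failed; inspect with: netsh http show sslcert'
}
```

Run it from an administrator PowerShell window, then restart IIS Express and Chrome as in Step 3 of the answer. The script deliberately scopes the certificate to `localhost` and one year, since the Root store now trusts a key that lives on this machine. To undo everything, delete the bindings again with the same `netsh http delete sslcert` loop and remove the certificate from both stores with `Remove-Item Cert:\LocalMachine\My\<thumbprint>` and `Remove-Item Cert:\LocalMachine\Root\<thumbprint>`.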
29

The answer Chris gave solves the issue, thanks! Because my whole team had this issue, I created a little PowerShell script to run the steps in Chris' answer.

https://gist.github.com/camieleggermont/5b2971a96e80a658863106b21c479988

Running this in elevated mode did the trick for me.

Camiel
  • This script is excellent, thank you. I've just used it to re-apply the fix after upgrading to VS2017. I've marked this as the answer :) – Chris Aug 14 '17 at 11:21
  • I don't suggest this script. Yeah it's a quick fix but it screws you up from doing normal debugging using iisexpress in the future without ssl. I wish I would have never used this. – Post Impatica Sep 07 '17 at 18:29
  • Same experience as @PostImpatica - This (almost irreversibly) damages your configurations. – Zimano Mar 30 '23 at 09:34
7

I am just using this setting until it is fixed in Visual Studio:

`chrome://flags/#allow-insecure-localhost`

It just prevents having to allow the security exception each time but it will still show the SSL as invalid (red) in your browser bar.

JoeyZero
4

The solution provided by Chris does do the trick (thanks!), but ultimately this should be fixed by the visual studio team. You can vote here in order to bring this issue to their attention: https://developercommunity.visualstudio.com/content/problem/48596/visual-studio-2017-151-264037-crashing-during-code.html

Sander
-1

A more visual way to fix it is to use Jexus Manager to:

  • Generate a new certificate.
  • Let Windows (and Chrome) trust it.
  • Bind it to the site.

I documented the exact steps in a blog post.

Lex Li