9

I've been trying for weeks now to get this self signed certificate working in several browsers (Chrome, Firefox, Edge, IE).

I managed to create the certificate and install it as a trusted root certificate but in every browser I have to bypass the security to be able to have the test environment (website with xampp).

Today I have focused on Edge and IE (without success), and since the procedure for chrome is slightly different, I will try to make it work in chrome tomorrow.

I tried both to create a new one, and to duplicate an old (working) one, this way:

To create a new certificate, open powershell as admin, then :

New-SelfSignedCertificate -DnsName "127.0.0.1", "localhost" -CertStoreLocation "cert:\LocalMachine\My"

exported as mentioned in this description.

To clone, I used the example in this documentation.

Then I imported the certificates in the 'trusted root certificate' using certlm.msc.

But I got the error codes DLG_FLAGS_INVALID_CA and DLG_FLAGS_SEC_CERT_CN_INVALID in Edge and IE.

Does someone know a procedure to make this work?
I've been looking al over the net without finding one.

StackzOfZtuff
  • 2,534
  • 1
  • 28
  • 25
user2992220
  • 1,092
  • 1
  • 12
  • 20
  • 1
    You might try using OpenSSL. If you do, avoid ***`CN=www.example.com`***. Hostnames always go in the *SAN*. If its present in the *CN*, then it must be present in the *SAN* too (you have to list it twice in this case). For more rules and reasons, see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) You will also need to place the self-signed certificate in the appropriate trust store. – jww Jul 09 '17 at 02:40

1 Answers1

8

I was trying to do a similar thing and did get the following to work:

New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname localhost -FriendlyName "Dev localhost" -NotAfter (Get-Date).AddMonths(240) -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")

The 'NotAfter' param extends the cert to 20 years. The 'TextExtension' param configures the cert for 'Server Authentication' only. Without this, it defaults to Client Auth + Server Auth. I haven't researched, but the Client Auth seems to cause an issue (which is odd since most online examples don't mention it; I only found one that did).

This will create the cert in both the LocalComputer\Personal & LocalComputer\Intermediate Certification Authority. It also allows you to select the cert in IIS.

In order to actually run the site, the cert needs to get into the Trusted Root Certification Authority. To accomplish this, you can either export/import the cert or nav to the site in IE, click on the red security area and work your way thru the screens to import the cert. The link above shows the import/export approach.

Final notes:

  • I had to close/re-open IE (11.726.15063) to get the security prompt to go away despite IE telling me that the cert was installed.
  • My site was working fine in chrome (62) after the security warning cleared in IE.
  • I was using localhost and a non-standard port for my site, not a DNS name. Everything seemed fine.

HTH

Steve R.
  • 165
  • 2
  • 9
  • I am getting errors - `New-SelfSignedCertificate : A parameter cannot be found that matches parameter name 'FriendlyName'`. I think it's related to https://serverfault.com/questions/762177/powershell-new-selfsignedcertificate-missing-notbefore-in-windows-2012r2 – sashoalm Mar 20 '18 at 10:27
  • Live saver - specifically the install via IE step. Thanks – phillyslick May 07 '18 at 16:00