
I have an externally hosted IIS web server where I run my website. I would like to add a self-signed certificate to this website and trust it on my local client, to remove "Insecure Connection" from the browser.

What I have done so far is the following:

  1. Created a self-signed certificate in IIS: Server Certificates -> Create Self-Signed Certificate. The cert is issued to the server name, e.g. "ABCD01".
  2. Created a website with an https binding using the self-signed certificate.
  3. Exported the self-signed certificate from IIS using: Server Certificates -> Export. This resulted in a .pfx file.
  4. Imported the .pfx cert file on the local client: Manage computer certificates -> Trusted Root Certification Authorities -> Import.
  5. Added the hostname (ABCD01) and IP of the host to the hosts file: C:\Windows\System32\drivers\etc\hosts

When I try to open the website in Firefox (using https://ABCD01), I still get "Your connection is not secure". What am I missing?

Thomas Schneiter
  • What browser are you using? BTW, you don't need to export the certificate as PFX; you need to export it in `.CER` format without the private key. – Crypt32 Oct 09 '17 at 08:21
  • I'm using Firefox or Chrome. – Thomas Schneiter Oct 09 '17 at 09:15
  • I have written a very detailed walk-through on how to create self-signed certs for IIS on Windows. It should answer all your questions and give you ways to test and debug the results. See https://stackoverflow.com/a/51261506/430742 – Jpsy Jul 10 '18 at 10:48
  • Try this answer, https://stackoverflow.com/a/59733055/10794140, in which I described how to trust a cert in detail. It also works for Firefox. – ezio4df Jan 17 '20 at 10:42

1 Answer


There are multiple issues:

  1. The IIS certificate generator creates self-signed certificates with the SHA1 signature algorithm, which is obsolete in modern browsers. You have to use different tools to create test certificates. For example, use the PowerShell New-SelfSignedCertificate cmdlet, where you can specify the signature algorithm. Look at this post to get an example: https://stackoverflow.com/a/45284368/3997611

     ```powershell
     New-SelfSignedCertificate `
         -DnsName "ABCD01" `
         -CertStoreLocation "cert:\LocalMachine\My" `
         -FriendlyName "test dev cert" `
         -TextExtension "2.5.29.37={text}1.3.6.1.5.5.7.3.1" `
         -KeyUsage DigitalSignature,KeyEncipherment,DataEncipherment `
         -Provider "Microsoft RSA SChannel Cryptographic Provider" `
         -HashAlgorithm "SHA256"
     ```

  2. The IIS certificate generator cannot build a certificate with the SAN (Subject Alternative Name) certificate extension, which is required by Google Chrome. You have to use different tools to create test certificates. Look at the example above for reference.

  3. Google Chrome uses the built-in Windows certificate store to establish trust, while Firefox uses its own certificate store. Therefore, after adding the certificate to the Windows certificate store, you have to import your test certificate into Firefox manually.

Crypt32
  • Thank you for this explanation! I changed the certificate to SHA256 as you explained. The problem with Firefox was exactly as you explained, the separate certificate store. As soon as it was imported it worked. – Thomas Schneiter Oct 09 '17 at 11:23
  • Update for anyone finding this answer in 2019: the IIS certificate generator now uses the far more secure SHA256RSA algorithm. You can check the algorithm of your certificate by going to `Server Certificates -> Your certificate -> View -> Details`. – Adam Jun 11 '19 at 14:54
  • @Crypt32 how can I set the DnsName to be localhost? Thanks – VAAA Nov 25 '19 at 15:20
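The accepted answer's three points, Crypt32's comment about exporting without the private key, and the follow-up question about `localhost` fit together as one PowerShell walkthrough. The script below is an added example, not code from the answer or from any of the commenters: "ABCD01", "localhost", "Default Web Site" and the `C:\temp` paths are placeholders, and it assumes the Windows 10 / Server 2016 or later version of `New-SelfSignedCertificate` (older builds lack `-HashAlgorithm` and `-TextExtension`) plus the WebAdministration module on the IIS host.

```powershell
# Added example, not part of the original answer. Placeholders: ABCD01, localhost,
# "Default Web Site", C:\temp. Run the SERVER section elevated on the IIS host and the
# CLIENT section elevated on the machine whose browser shows the warning.

# ===== SERVER: issue a SHA-256 certificate that carries a SAN extension =====
# Every name a browser will type in the URL bar has to appear in the SAN list;
# -DnsName accepts several names, which is also how "localhost" gets in.
$dnsNames = @("ABCD01", "localhost")

$cert = New-SelfSignedCertificate `
    -DnsName $dnsNames `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -FriendlyName "test dev cert" `
    -TextExtension "2.5.29.37={text}1.3.6.1.5.5.7.3.1" `
    -KeyUsage DigitalSignature,KeyEncipherment `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)
# 2.5.29.37 = Extended Key Usage, 1.3.6.1.5.5.7.3.1 = Server Authentication.

# Report the two properties the answer says browsers reject when they are wrong or missing.
function Test-DevCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    [pscustomobject]@{
        Thumbprint         = $Certificate.Thumbprint
        SignatureAlgorithm = $Certificate.SignatureAlgorithm.FriendlyName  # want sha256RSA, not sha1RSA
        SubjectAltNames    = $(if ($san) { $san.Format($false) } else { "<none: Chrome will reject this>" })
        NotAfter           = $Certificate.NotAfter
    }
}
Test-DevCert -Certificate $cert | Format-List

# Bind the certificate to the site's HTTPS port (same result as the IIS Manager binding dialog).
Import-Module WebAdministration
if (-not (Get-WebBinding -Name "Default Web Site" -Protocol https)) {
    New-WebBinding -Name "Default Web Site" -Protocol https -Port 443
}
if (Test-Path "IIS:\SslBindings\0.0.0.0!443") { Remove-Item "IIS:\SslBindings\0.0.0.0!443" }
New-Item -Path "IIS:\SslBindings\0.0.0.0!443" -Value $cert | Out-Null

# Export ONLY the public certificate (DER .cer). The private key stays on the server;
# a client that is merely going to trust the site has no reason to hold it.
New-Item -ItemType Directory -Path "C:\temp" -Force | Out-Null
Export-Certificate -Cert $cert -FilePath "C:\temp\ABCD01-test.cer" | Out-Null
# Copy C:\temp\ABCD01-test.cer to the client by any out-of-band means.

# ===== CLIENT: trust the public cert and confirm the chain builds =====
# LocalMachine\Root is the store Chrome and Edge consult; Firefox has its own (see note below).
$imported = Import-Certificate -FilePath "C:\temp\ABCD01-test.cer" `
                               -CertStoreLocation "Cert:\LocalMachine\Root"

function Test-ChainTrusted {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Self-signed test cert: there is no CRL/OCSP endpoint to consult.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($Certificate)
    foreach ($s in $chain.ChainStatus) { Write-Warning ("chain: " + $s.StatusInformation) }
    return $ok
}
Test-ChainTrusted -Certificate $imported   # $true once the root import has taken effect

# Trust and name resolution are separate problems: the hosts-file entry must map each SAN name.
foreach ($name in $dnsNames) {
    $addrs = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
    "{0} -> {1}" -f $name, ($addrs -join ", ")
}
```

`Test-DevCert` is the scripted equivalent of Adam's `View -> Details` check: a `SignatureAlgorithm` of `sha256RSA` and a SAN line listing every hostname settle points 1 and 2 of the answer before a browser is involved. `Test-ChainTrusted` only proves the Windows store trusts the certificate, which is what point 3 is about: Chrome reads that store, whereas Firefox still needs the same `.cer` imported under Settings -> Privacy & Security -> View Certificates -> Authorities, or, on Windows, `security.enterprise_roots.enabled` set to true in `about:config` so that it reads the Windows root store instead.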