Chrome 58+ drops support for CN in SSL certs, which means (at least on my machine) that browsing sites hosted in IIS Express throw constant security warnings.
How do I change my IIS Express SSL certificate for one that will work with Chrom 58+?
Add a comment
|
5 Answers
This is how I fixed this. There may be an easier way (I'm sure there is!)
Step 1 - Open Windows PowerShell (in admin mode) and generate a certificate like this:
New-SelfSignedCertificate -DnsName "localhost", "localhost" -CertStoreLocation "cert:\LocalMachine\My"
Keep the thumbprint safe.
Step 2 - Open a command prompt (in admin mode) and run these commands.
The first will delete the current IIS Express certificate for ports 44300-44399.
for /L %i in (44300,1,44399) do netsh http delete sslcert ipport=0.0.0.0:%i
The next will add your new certificate to those ports. Change the thumbprint obviously.
for /L %i in (44300,1,44399) do netsh http add sslcert ipport=0.0.0.0:%i certhash=33459ADA4D5329673604F43A073B7F43084818A7 appid={214124cd-d05b-4309-9af9-9caa44b2b74a}
The appid is for IIS Express 10 I believe. You may want to check your IIS Express appid is the same as mine first. To do that do this:
netsh http show sslcert
Step 3 - Restart IIS Express and Chrome, then run up one of your sites in Chrome.
It'll give you the security warning again. Proceed to the page then go into settings > advanced settings, HTTPS/SSL Manage certificates. In here, export the certificate from Personal and import the certificate to Trusted Root Certificate Authorities (I did it as .p7b) then restart Chrome.
Try the site again - you should be secure now.
You can do all this outside of Chrome in certmgr as well.
Edit: Alternate steps for Step 3 above using certmgr:
- Hit win key and type "certmgr" to open the Windows cert manager.
- Expand Certificates - Local Computer > Personal > Certificates and find the cert you just created (it should be issued to localhost and have an expiration one year from the current date).
- Select the cert and ctrl-c to copy.
- Expand Certificates - Local Computer > Trusted Root Certification Authorities > Certificates and ctrl-v to paste.
-
This is what I had to do as well. Basically the IIS Express Development Certificate became invalid with Chrome 58 because it does not have the Subject Alternative Name property. Commented Apr 28, 2017 at 15:08
-
1This worked great for me. And you can use the cert manager to copy/move the cert to the Trusted Root Certification Authorities store (just ctrl-c in the Personal store and then ctrl-v into the trusted store). Commented May 1, 2017 at 18:36
-
Thanks for this. It really helped. I also had to add certstorename=MY when adding the certificate to the ports. Commented May 3, 2017 at 14:24
-
1Your "for" statement did not work for me in PowerShell, but this did
44300..44399 | %{netsh http show sslcert ipport=0.0.0.0:$_}. Nevertheless, thanks for the useful answer. :D Commented May 15, 2017 at 22:54 -
1LOL. I just found my comment above after some months and it was just what I needed. Was gonna upvote, then realized it was mine and I couldn't. :P Commented Feb 8, 2018 at 23:10
The answer Chris gave solves the issue, thanks! Because my whole team had this issue, I created a little Powershell script to run the steps in Chris' answer.
https://gist.github.com/camieleggermont/5b2971a96e80a658863106b21c479988
Running this in elevated mode did the trick for me.
-
1This script is excellent, thank you. I've just used it to re-apply the fix after upgrading to VS2017. I've marked this as the answer :)– ChrisCommented Aug 14, 2017 at 11:21
-
1I don't suggest this script. Yeah it's a quick fix but it screws you up from doing normal debugging using iisexpress in the future without ssl. I wish I would have never used this. Commented Sep 7, 2017 at 18:29
-
Same experience as @PostImpatica - This (almost irreversibly) damages your configurations.– ZimanoCommented Mar 30, 2023 at 9:34
-
I am just using this setting until it is fixed in Visual Studio:
chrome://flags/#allow-insecure-localhost
It just prevents having to allow the security exception each time but it will still show the SSL as invalid (red) in your browser bar.
The solution provided by Chris does do the trick (thanks!), but ultimately this should be fixed by the visual studio team. You can vote here in order to bring this issue to their attention: https://developercommunity.visualstudio.com/content/problem/48596/visual-studio-2017-151-264037-crashing-during-code.html
A more visual way to fix it is to use Jexus Manager to,
- Generate a new certificate.
- Let Windows (and Chrome) trust it.
- Bind it to the site.
I documented the exact steps in a blog post.
