Using Self Signed SSL Certificates on an IIS8 Intranet without Chrome Errors

I've just been trying to add a certificate to our intranet site, and the standard way of creating and using a self-signed certificate in IIS no longer works in newer versions of Chrome (and probably other browsers, soon if not now).

UPDATE: March 8, 2018
The certificate works fine in Chrome 64 and Edge 41, both of which use the Windows certificate store.
It still requires an added exception in Firefox 58 :\ (Firefox keeps its own trust store rather than using the Windows one, so the certificate also has to be imported there, or the `security.enterprise_roots.enabled` preference set to true so it picks up roots from the Windows store.)

The old steps were to create the certificate in IIS Manager, assign it to the port 443 binding, and browse to the site with Chrome, which would throw up an untrusted-certificate error that you could bypass from the Advanced link. Once you had the site loaded, you could view the certificate and add it to your local store. Of course, you had to repeat this in every browser on the intranet, which was a huge pain, but it worked.

However, with Chrome 64 (and in fact since Chrome 58, which is when Chrome stopped matching the host name against the certificate's commonName) this is no longer possible. Even when you add the certificate to the trusted store, you will still get a NET::ERR_CERT_COMMON_NAME_INVALID warning, because the IIS-generated certificate identifies the site only in the CN field and Chrome now checks only the Subject Alternative Name extension. The last thing you want to do is train users to ignore certificate warnings, so it would probably be better not to switch the intranet to SSL at all, except...

It is possible, and actually even easier than the old way, since you don't need to have every user click through an exception. The key is that Chrome wants a SAN certificate: one whose Subject Alternative Name extension lists every host name users type to reach the site (the short name, the fully qualified name and, if anyone uses it, the IP address).

Unfortunately, the "Create Self-Signed Certificate" action in IIS Manager can't produce a SAN certificate, but that doesn't mean it's not possible. You just need to use the Certificates MMC snap-in (or the New-SelfSignedCertificate PowerShell cmdlet, whose -DnsName parameter writes every name you give it into the SAN extension). Robert McMillen has provided an excellent walk-through of the MMC method on Server 2012 R2.

Once you've created the SAN certificate, just pop back into IIS Manager, go to your site bindings, edit the 443 binding (or add one), choose the new certificate and save. Clients still have to trust the certificate: import the public part (the .cer, never the private key) into Trusted Root Certification Authorities on each machine, or push it to every domain computer through Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities) so nobody has to click through a warning. Fire up Chrome, browse to the site using one of the names in the SAN, and the page should load with the padlock and no warning. Bear in mind that a self-signed certificate in the root store means whoever holds its private key can impersonate those host names, so keep the key on the server only; if you have Active Directory, an internal certificate authority (AD CS) is the better long-term answer, since domain clients trust it automatically.
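The whole procedure above (create the SAN certificate, check the SAN is actually there, bind it to port 443 and export the public certificate for the clients), scripted in PowerShell on the IIS server. This is an added example and not the post's own steps or Robert McMillen's walk-through; the site name `Default Web Site`, the host names `intranet` and `intranet.corp.example`, and the export path are assumptions to replace with your own.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on the IIS server (Server 2012 R2 or later; needs the WebAdministration
# and PKI modules that ship with Windows). All names and paths are assumed.

Import-Module WebAdministration

$siteName   = 'Default Web Site'                   # assumed IIS site name
$dnsNames   = 'intranet', 'intranet.corp.example'  # assumed: every name users type
$exportPath = 'C:\certs\intranet.cer'              # assumed path; public part only

# 1. Create the certificate. -DnsName puts every name into the Subject
#    Alternative Name extension (the first one also becomes the CN), which
#    is what Chrome checks. IIS Manager's own action makes a CN-only cert.
$cert = New-SelfSignedCertificate -DnsName $dnsNames `
                                  -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Verify the SAN extension before binding; a missing SAN is exactly the
#    condition that produces NET::ERR_CERT_COMMON_NAME_INVALID in Chrome.
$san = $cert.Extensions |
       Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if (-not $san) { throw 'Certificate has no Subject Alternative Name extension' }
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "SAN:        $($san.Format($false))"

# 3. Bind the certificate to the site's HTTPS binding, adding one if needed.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'My')   # 'My' = LocalMachine\My store

# 4. Export ONLY the public certificate (DER .cer, no private key) so it can
#    be copied to clients or attached to a Group Policy.
New-Item -ItemType Directory -Force -Path (Split-Path $exportPath) | Out-Null
Export-Certificate -Cert $cert -FilePath $exportPath | Out-Null
Write-Host "Exported public certificate to $exportPath"

# On each client (or centrally via Group Policy) trust it with, for example:
#   Import-Certificate -FilePath \\server\share\intranet.cer `
#                      -CertStoreLocation 'Cert:\LocalMachine\Root'
```

On Server 2012 R2 the cmdlet only accepts `-DnsName` and `-CertStoreLocation` (one-year validity, RSA key); on Server 2016 and later you can add `-NotAfter`, `-KeyLength 2048` and `-FriendlyName`. Only the `.cer` leaves the server; the private key stays in `LocalMachine\My`, which matters because anything in a client's Trusted Root store can vouch for those host names.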

Don't forget, you may need to update your intranet website code so that all content (scripts, stylesheets, images, iframes) is served over HTTPS, otherwise the browser shows a mixed-content warning or blocks the resource outright. I use Eclipse, so I just did a project-wide Search & Replace of http:// references to the site (protocol-relative or root-relative paths avoid the problem in future). You also might want to set up an HTTP-to-HTTPS redirect (a rule in the IIS URL Rewrite module that matches requests where {HTTPS} is off and returns a 301 to the https:// address) to ensure your users always land on the HTTPS site.
