
I am having an issue with client-side certificates in the MS Edge browser on Windows 10. Basically, my PKI structure is the following:

RootCA (self-signed, 4096) -> Intermediate CA (signed by RootCA, 2048) -> one server certificate, one client certificate (both signed by the Intermediate CA)

Apache is set up with the following SSL options:

  • SSLCertificateFile - cert generated by the Intermediate CA (2048)
  • SSLCertificateKeyFile - key file of the above cert
  • SSLCACertificateFile - cert of my Intermediate CA chained with the RootCA cert
  • SSLCARevocationFile - CRL generated by the Intermediate CA
  • SSLVerifyClient require
  • SSLVerifyDepth 10
  • SSLOptions +StdEnvVars

The client certificate is generated as a PKCS#12 chain file.

Now, I tested with Firefox, Chrome and Internet Explorer 11 and everything is working as expected: without a certificate you get the 403 page, while when the certificate is imported you can log in and the certificate is read by a PHP file that basically outputs the info collected with +StdEnvVars.

On Microsoft Edge v25.10586.0.0, when I go to the https location I get the certificate selection window, but when I select the appropriate certificate I still get the 403 error. It is driving me nuts since it works pretty much everywhere except in the Edge browser. Can anyone give me a hand, at least with where to start looking?

Brian Tompsett - 汤莱恩
Kosta

2 Answers


Of course, the issue was more than stupid... For Edge to be able to pick up the correct certificate and use it, you have to re-log or reboot...

Kosta
  • Unfortunately this did not work for me. :/ Would have been too easy. Thanks just the same :) – cechode Oct 26 '16 at 16:30
  • @cechode sorry to hear that. Stupid question, but you do have your client certificate listed under Personal in certmgr.msc, right? – Kosta Oct 27 '16 at 11:28
  • I placed our root CA under the LocalMachine Trusted Root Certification Authorities store, our intermediate cert into the Current User Intermediate Certification Authorities store and the user cert into the Current User Personal store. Chrome and IE11 work like a charm – cechode Oct 27 '16 at 22:13
  • @cechode OK, here is what I have done with my client auth page... I create RootCA -> Intermediate CA -> Client cert. I export the client cert with the chain file (so that I have the complete chain of trust; yes, when importing on the client machine it will nag you about trusting something, but I can live with that). When imported I have one certificate under Trusted Root (my Root CA), one under Intermediate Cert (my Intermediate CA), and finally one under Personal certificates (which of course is my client certificate). When I open it I can see the whole chain of trust... And as said, it worked the moment I rebooted – Kosta Oct 28 '16 at 11:06
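The comment thread above boils down to one diagnostic: is the client certificate in the Current User Personal store, with its private key and the Client Authentication usage, and can Windows build its chain through the Intermediate CA up to the Root CA? Edge hands certificate selection to SChannel, which only offers certificates that pass those checks. The script below is an added example, not code from the question or either answer; it uses only the built-in Cert: drive and the .NET X509Chain class. The subject filter 'CN=client' and the file name client.p12 are assumptions to replace with your own values.

```powershell
# Added diagnostic (not from the thread): report whether a client certificate
# in Cert:\CurrentUser\My is usable for client authentication and where each
# certificate of its chain lives in the Windows stores.
param(
    # Substring of the client certificate subject to look for (assumed value).
    [string]$SubjectMatch = 'CN=client'
)

# Stores the OS consults when building a chain, in the order we report them.
$StoreSearchPaths = @(
    'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root',   # Trusted Root CAs
    'Cert:\CurrentUser\CA',   'Cert:\LocalMachine\CA'      # Intermediate CAs
)

# Return the first Root/CA store that contains the given thumbprint.
function Find-CertStore {
    param([string]$Thumbprint)
    foreach ($path in $StoreSearchPaths) {
        if (Test-Path -Path (Join-Path $path $Thumbprint)) { return $path }
    }
    return '(not found in any Root/CA store)'
}

$candidates = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*$SubjectMatch*" }

if (-not $candidates) {
    Write-Output "No certificate matching '$SubjectMatch' in Cert:\CurrentUser\My."
    Write-Output "Import the PKCS#12 first, e.g.:"
    Write-Output "  Import-PfxCertificate -FilePath client.p12 -CertStoreLocation Cert:\CurrentUser\My"
    return
}

foreach ($cert in $candidates) {
    Write-Output "Certificate    : $($cert.Subject)"
    Write-Output "Thumbprint     : $($cert.Thumbprint)"
    Write-Output "Private key    : $($cert.HasPrivateKey)"
    Write-Output "Valid          : $($cert.NotBefore) to $($cert.NotAfter)"

    # Client Authentication EKU is OID 1.3.6.1.5.5.7.3.2. A certificate with no
    # EKU extension at all is treated as valid for any purpose.
    $clientAuth = $cert.EnhancedKeyUsageList |
        Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' }
    Write-Output "Client Auth EKU: $([bool]$clientAuth) (EKU count: $($cert.EnhancedKeyUsageList.Count))"

    # Build the chain the way the OS does. Revocation checking is disabled here
    # because a private CA's CRL is usually not reachable from the client.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $noCheck = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.RevocationMode = $noCheck
    $built = $chain.Build($cert)
    Write-Output "Chain builds   : $built"

    # Walk the chain from the leaf up and say which store holds each element.
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        $where = if ($c.Thumbprint -eq $cert.Thumbprint) {
            'Cert:\CurrentUser\My'
        } else {
            Find-CertStore $c.Thumbprint
        }
        Write-Output "  $($c.Subject)"
        Write-Output "    store: $where"
    }
    if (-not $built) {
        foreach ($status in $chain.ChainStatus) {
            Write-Output "  PROBLEM: $($status.Status) - $($status.StatusInformation.Trim())"
        }
    }
    $chain.Reset()
    Write-Output ''
}
```

Run it as the same user that runs Edge, since the Current User stores are per profile. A leaf that shows `Private key: False`, a missing Client Auth EKU, or a chain that does not build (typically `PartialChain` or `UntrustedRoot`, meaning the Intermediate or Root CA certificate is not in one of the stores listed) explains a 403 after certificate selection just as well as the stale-session behaviour the answer describes, so it is worth ruling out before rebooting.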

Microsoft Edge does not directly have a way to manage certificates or import certificates in order to avoid certificate errors. To allow a self-signed certificate to be used by Microsoft Edge it is necessary to use the "certmgr.msc" tool from the command line to import the certificate as a Trusted Certificate Authority.

This can be done as follows:

  • Click on the red certificate error message to view the failing certificate
  • Click on View Certificate
  • Click on Export to File (any location, foo.crt)
  • Start a cmd shell and type the command "certmgr.msc" to open the certificate wizard
  • From the menu bar select "Action" > "All Tasks" > "Import..."
  • A popup window will appear asking for the "Store Location" Select Current User or Local Machine. Click Next.
  • A new popup window will appear asking for the File Name: Browse and select your exported certificate file, foo.crt and Click Open.
  • The popup will now have the full path to your certificate file, foo.crt. Click Next.
  • A new popup window will appear asking you to allow Windows to choose the "Certificate Store" based on the certificate, or to let you specify the certificate store manually. Select the manual option, "Trusted Root Certification Authorities". Click Next.
  • A final popup will appear, "Completing the Certificate Import Wizard". Review the settings and click Finish.
  • You should get an "import successful" message.
  • Close the import wizard application and try the URL again in the Edge browser. If this worked you will not get the certificate error and the page will load normally.
Rod Dewell