
Locally I've created and exported a Self Signed certificate using IIS. The result is a PFX file.

I've loaded that into my ASP.NET Core solution and am spinning up Kestrel like the following:

// using System.IO;
// using System.Net;
// using System.Security.Cryptography.X509Certificates;
// using Microsoft.AspNetCore.Hosting;

// Load the PFX exported from IIS (private key included) with its password.
var certificatePath = Path.GetFullPath(Path.Combine(Directory.GetCurrentDirectory(), "cert.pfx"));
var certificate = new X509Certificate2(certificatePath, "certpass");

// builder is the IWebHostBuilder created earlier (e.g. new WebHostBuilder()).
HostWeb = builder
    .UseKestrel(options =>
    {
        // Bind only to loopback on 44321 and present the loaded certificate for TLS.
        options.Listen(IPAddress.Loopback, 44321, listenOptions =>
        {
            listenOptions.UseHttps(certificate);
        });
    })
    // Note: when Listen() is configured explicitly, Kestrel ignores UseUrls() and logs a warning.
    .UseUrls("https://localhost:44321")
    .UseEnvironment("Test").Build();
HostWeb.Start();

When I run Chrome against this Web server it's still showing not secure.

What am I missing here? Is there anything else I need to configure?


Camilo Terevinto
aherrick
    This is not a Kestrel matter. It's an OS matter. The OS, or in Firefox's case the browser, has to trust the cert. Kestrel itself doesn't care what cert you give it, it assumes you know what you're doing. – blowdart Jul 25 '18 at 15:19
  • Are you sure the certificate does not use outdated algorithms? If not (e.g. uses SHA-1) it will always be shown as insecure by Chrome no matter if it is trusted. – Robert Jul 25 '18 at 15:33
  • https://www.jexusmanager.com/en/latest/tutorials/self-signed.html#to-trust-self-signed-certificate If you want to trust the certificate, Jexus Manager can do it visually. The answer below provides the equivalent PowerShell script. – Lex Li Jul 25 '18 at 17:20
  • @Robert, it depends on IIS version. Latest IIS 10 does generate SHA2 certificates. – Lex Li Jul 25 '18 at 17:23

2 Answers


Export the certificate from Chrome, by clicking on "Not Secure", then "Certificate", "Details" tab, and then "Copy to file...", and select a file to write the certificate on your disk.

Then, double-click on the certificate, and click on "Install Certificate...", keep "Store location" as "Current User", select "Place all certificates in the following store", select "Trusted Root Certification Authorities", and then finish the wizard.

The warning that you get will disappear.

Attention: this should be applied only on a development environment.

PKI Guy

I believe you need to register this certificate on the OS level so that it is seen as a valid one. A self-signed certificate won't be by default. I used that link to do it: https://www.humankode.com/asp-net-core/develop-locally-with-https-self-signed-certificates-and-asp-net-core

Particularly that part:

# import the pfx certificate
Import-PfxCertificate -FilePath $pfxFilePath Cert:\LocalMachine\My -Password $pfxPassword -Exportable

# trust the certificate by importing the pfx certificate into your trusted root
Import-Certificate -FilePath $cerFilePath -CertStoreLocation Cert:\CurrentUser\Root

# optionally delete the physical certificates (don’t delete the pfx file as you need to copy this to your app directory)
# Remove-Item $pfxFilePath
Remove-Item $cerFilePath

UPDATE: Your code is setting the certificate your server will present to the client during the secured connection initialization, the handshake. But then, your client has to be able to recognize this certificate as a valid one, he needs to trust it, to trust the authority that has emitted this certificate. For instance, you trust stackoverflow because you trust the authority DigiCert that delivered the certificate their server is presenting to your client.


UPDATE 2: new article on the topic: https://www.hanselman.com/blog/DevelopingLocallyWithASPNETCoreUnderHTTPSSSLAndSelfSignedCerts.aspx

Daboul
  • I'm running this server as part of my UI Test Integrations. So you're saying just including the certificate in code isn't enough? – aherrick Jul 25 '18 at 14:47
  • Also, clicking on the '/!\ not secured' in your browser will tell you why your browser rejects the certificate. – Daboul Jul 25 '18 at 16:11
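The two answers and the comments above boil down to three requirements: the certificate must use a modern signature algorithm (not SHA-1), it must name localhost, and only its public part should be trusted, for the current user only. The following script is an added example, not the script from the answer or the linked article; it assumes Windows 10 / Server 2016 or later (PKI module), and the paths, friendly name and password are placeholders to adjust.

```powershell
# Added example: generate a SHA-256 development certificate for localhost,
# hand the PFX to Kestrel, trust only the public certificate for the current
# user, and verify the chain the same way Windows and Chrome will.
$pfxPath = Join-Path $PWD 'cert.pfx'          # placeholder path, copy next to the app
$cerPath = Join-Path $PWD 'cert.cer'          # placeholder path, public key only
$pfxPass = ConvertTo-SecureString -String 'certpass' -Force -AsPlainText   # dev-only placeholder

# SHA-256 signature, 2048-bit RSA, SAN=localhost, Server Authentication EKU, short lifetime.
$cert = New-SelfSignedCertificate `
    -DnsName 'localhost' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -FriendlyName 'Kestrel dev cert (localhost)' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddMonths(6) `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')   # EKU: Server Authentication

# Stop early if the signature algorithm is one browsers reject regardless of trust.
if ($cert.SignatureAlgorithm.FriendlyName -notmatch 'sha256|sha384|sha512') {
    throw "Unexpected signature algorithm: $($cert.SignatureAlgorithm.FriendlyName)"
}

# PFX (with private key) is what Kestrel loads; CER (public key only) is what gets trusted.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null

# Trust the public certificate, and only in the current user's root store.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null

# Chain building + SSL policy + hostname match: the check the browser performs.
$trusted = Test-Certificate -Cert $cert -Policy SSL -DNSName 'localhost' -ErrorAction SilentlyContinue
if (-not $trusted) { throw 'Certificate is still not trusted for https://localhost' }

Remove-Item $cerPath   # keep the PFX; it is the file the Kestrel code loads
"Trusted for https://localhost, thumbprint $($cert.Thumbprint)"
```

Kestrel then loads cert.pfx exactly as in the question's code; when the test run is over, removing the entry from Cert:\CurrentUser\Root undoes the trust.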