Recently, I needed to set up an IIS server for development. I installed a self-signed certificate on the IIS server, since it is never going to be public facing.
It turned out to be a lot of trouble to get the self-signed certificate to work with Chrome.
First I created a domain certificate from the IIS manager. I exported the certificate and installed it on developer workstations' trusted root certificate store. That seemed to work with Internet Explorer and Edge. But it did not work with Chrome.
I read online that Chrome now requires a "Subject Alternative Name". The IIS Manager-generated domain certificate did not have a "Subject Alternative Name". Apparently Microsoft's "makecert" does not generate certificates with "Subject Alternative Name" either. So I used the PowerShell command "New-SelfSignedCertificate" and generated a self-signed certificate with "Subject Alternative Name".
That still did not work with Chrome. Chrome's development tool says everything is okay, but the page is not secure (ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY).
These self-contradicting results from Chrome are definitely not helpful to me for solving the problem.
I downloaded IIS Crypto (https://www.nartac.com/Products/IISCrypto/). It suggested a bunch of changes for "Best Practice". I made the changes as suggested, and rebooted the server.
Now Chrome is showing the page without any warnings on the certificate.
This is surprising to me because the server is a new installation of Windows Server 2016. Somehow the out-of-the-box settings of IIS on such a server are considered insufficient by Chrome.
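The certificate step described in this post, as an added example that is not the author's own script: it audits the server's store for certificates that lack a Subject Alternative Name, creates one with `New-SelfSignedCertificate`, checks the result, and exports only the public part for the workstations' trusted root store. The host name and file path are assumed placeholders.

```powershell
# Added example. Run in an elevated PowerShell session on the IIS server.
$HostName = 'dev-iis.example.internal'            # assumed: the name typed into the browser
$CerPath  = Join-Path $env:TEMP 'dev-iis.cer'     # assumed export location

# Return the DNS names found in a certificate's Subject Alternative Name
# extension (OID 2.5.29.17). Emits nothing when the extension is absent.
# Note: the "DNS Name=" label is what English-language Windows prints.
function Get-SanDnsName {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return }
    $ext.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
    }
}

# 1. Audit: server certificates with no SAN entries. A certificate generated
#    without the extension (as described for IIS Manager above) shows up here.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { -not (Get-SanDnsName $_) } |
    Select-Object Subject, Thumbprint, NotAfter

# 2. Create the self-signed certificate; -DnsName populates the SAN.
$cert = New-SelfSignedCertificate -DnsName $HostName `
    -CertStoreLocation Cert:\LocalMachine\My `
    -NotAfter (Get-Date).AddYears(1)

# 3. Fail loudly if the SAN does not contain the expected host name.
if ($HostName -notin (Get-SanDnsName $cert)) {
    throw "SAN of $($cert.Thumbprint) does not contain $HostName"
}

# 4. Export the public certificate only (.cer). The private key stays on the
#    server; workstations need just the public part to trust it.
Export-Certificate -Cert $cert -FilePath $CerPath | Out-Null
"Created $($cert.Thumbprint); public certificate written to $CerPath"

# 5. On each developer workstation (elevated), after copying the .cer file:
#    Import-Certificate -FilePath <path-to-cer> -CertStoreLocation Cert:\LocalMachine\Root
```

The new certificate still has to be selected in the site's HTTPS binding in IIS before browsers will see it.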
Thursday, August 30, 2018