Thursday, August 30, 2018

IIS, Self-Signed Certificate, and Chrome

Recently, I needed to set up an IIS server for development. I installed a self-signed certificate on the IIS server, since it is never going to be public facing.

It turned out to be a lot of trouble to get the self-signed certificate to work with Chrome.

First I created a domain certificate from the IIS manager. I exported the certificate and installed it on developer workstations' trusted root certificate store. That seemed to work with Internet Explorer and Edge. But it did not work with Chrome.

I read online that Chrome now requires a "Subject Alternative Name". The domain certificate generated by IIS Manager did not have a "Subject Alternative Name". Apparently Microsoft's "makecert" does not generate certificates with a "Subject Alternative Name" either. So I used the PowerShell command "New-SelfSignedCertificate" and generated a self-signed certificate with a "Subject Alternative Name".

That still did not work with Chrome. Chrome's developer tools say everything is okay, but the page is flagged as not secure (ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY).


These self-contradicting results from Chrome are definitely not helpful for solving the problem.

I downloaded IIS Crypto (https://www.nartac.com/Products/IISCrypto/). It suggested a bunch of changes for "Best Practice". I made the changes as suggested, and rebooted the server.

Now Chrome is showing the page without any warnings on the certificate.

This is surprising to me because the server is a new installation of Windows Server 2016. Somehow the out-of-the-box settings of IIS on such a server are considered insufficient by Chrome.
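The two steps above (a SAN-bearing certificate from New-SelfSignedCertificate, then checking the Schannel cipher suites that IIS Crypto reorders) as one added PowerShell example; this is not code from the original post, and the host names, site name and export path are constructed placeholders. The HTTP/2 check relies on the fact that Chrome reports ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY when the negotiated suite is one that RFC 7540 Appendix A forbids for HTTP/2 (non-ephemeral or non-AEAD suites).

```powershell
# Added example: self-signed certificate with a Subject Alternative Name,
# IIS binding, and a cipher-suite check for HTTP/2 compatibility.
# Run as Administrator on the IIS server; needs the WebAdministration module.
Import-Module WebAdministration

$dnsNames = @("devserver.corp.example", "devserver", "localhost")  # constructed
$site     = "Default Web Site"                                       # constructed
$exportDir = "C:\certs"                                              # constructed

# -DnsName populates the Subject Alternative Name extension, which the
# IIS Manager "domain certificate" and makecert do not set.
$cert = New-SelfSignedCertificate -DnsName $dnsNames `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -FriendlyName "Dev IIS (self-signed, SAN)" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# Verify the SAN extension (OID 2.5.29.17) is really present before binding.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
if (-not $san) { throw "Certificate has no Subject Alternative Name extension" }
"SAN: " + $san.Format($false)

# Export the public half for the workstations; import it there with
# Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root.
New-Item -ItemType Directory -Force -Path $exportDir | Out-Null
Export-Certificate -Cert $cert -FilePath "$exportDir\dev-iis.cer" | Out-Null

# Bind the certificate to the site's HTTPS binding.
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443
}
(Get-WebBinding -Name $site -Protocol https -Port 443).AddSslCertificate($cert.Thumbprint, "my")

# HTTP/2 check: only ephemeral (ECDHE/DHE) AEAD (GCM) suites, or TLS 1.3
# suites, are acceptable to Chrome for HTTP/2. Get-TlsCipherSuite lists the
# enabled suites in Schannel preference order (available on Server 2016).
$suites = (Get-TlsCipherSuite).Name
$good   = $suites | Where-Object { $_ -like "TLS_*DHE_*_GCM_*" -or $_ -like "TLS_AES_*" }
$bad    = $suites | Where-Object { $_ -notin $good }
"HTTP/2-safe suites enabled : $($good.Count)"
"HTTP/2-blacklisted enabled : $($bad.Count)"

# With an RSA certificate the ECDSA suites are skipped, so the first RSA-usable
# suite is the one Schannel will actually offer first.
$first = $suites | Where-Object { $_ -notlike "*ECDSA*" } | Select-Object -First 1
if ($first -in $bad) {
    Write-Warning "First usable suite '$first' is not HTTP/2-safe; reorder suites (IIS Crypto or Disable-TlsCipherSuite)."
}
```

Re-run the last block after applying IIS Crypto's changes and rebooting to confirm that the first usable suite is now a GCM suite.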
