Self-Signed Certificate in Windows 2016 using IIS 10 Question

I am attempting to create a self-signed certificate on a Windows 2016 machine (running IIS 10).

With the "Server Certificates" selection under the Server name (in IIS) I choose "Create Self-Signed Certificate", enter the host name and save it to "Personal".

I go into the Certificate Store (via MMC "Certificates" snap-in), export the file as a PFX file and then re-import it. I'm not sure this is a necessary step, but I've been testing as much as I can.

I see the certificate under "Bindings" when I go to the site, but Google Chrome still gives an error: NET::ERR_CERT_AUTHORITY_INVALID

It's not isolated to Chrome, because Internet Explorer and Firefox both show an error.

What am I doing wrong? Have I missed a step to get a self-signed certificate to work on my machine?

Thanks!
Tessando (IT Administrator) asked:

noci (Software Engineer) commented:
Well, self-signed certificates are third-rate citizens at best, as they provide no confirmation of identity.
And as such, any comparison of a certificate with known trusted CA ones will fail; that is no, or should not be a, surprise.

You may be able to accept them as an "exception" ...
0
David Johnson, CD, MVP (Owner) commented:
Also add the certificate to the trusted root providers. This will work for all but Firefox, as Firefox has its own certificate store.
0
Tessando (IT Administrator, author) commented:
Thanks for the suggestions.

@David - Is "trusted root providers" named "Trusted Root Certification Authorities"? This is what I see in my Certificates snap-in:

certificates-view.png
Is that where I should install the certificate?

Thanks
0
David Johnson, CD, MVP (Owner) commented:
Yes, it is needed in both repositories.
0
Tessando (IT Administrator, author) commented:
Thanks for the suggestion. I've placed the Self-Signed SSL into both Certificates -> Personal -> Certificates and Certificates -> Trusted Root Certification Authorities -> Certificates and I still can't seem to get this to work. I even restarted IIS before attempting in a browser.

I attempted this with another site that is hosted in IIS, soup-to-nuts and got the same results.

I think at this point it's probably best to focus on the process itself, as opposed to the error Chrome is giving me.

I generate CSRs to produce high-level EV SSLs, so I'm familiar with the model of generating and sending those off (from IIS). That said, is the best way to create a Self-Signed Certificate for use in IIS to select "Server Certificates" in IIS and choose "Create Self-Signed Certificate..." or should I create a CSR local to the machine and attempt setup from there?

Thanks again.
0
Shaun Vermaak (Technical Specialist/Developer) commented:
You need to create a self-signed root CA and add that to trusted root authorities. After that, you can create certs from this "trusted" root CA cert
https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
0
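
The approach in the comment above (a private root CA in the trusted root store, with the site certificate issued from it), done with the PKI cmdlets built into Windows Server 2016 instead of OpenSSL. This is an added example, not part of the original thread; the host name, CA subject and file path are placeholders.

```powershell
# Added example. Run in an elevated PowerShell session on the IIS host.
# $HostName, the CA subject and the .cer path are placeholders (assumptions).
$HostName = 'intranet.example.test'
$RootCer  = Join-Path $env:TEMP 'example-lab-root-ca.cer'

# 1. Private root CA: basic constraints mark it as a CA, pathlength=0 means it
#    can issue end-entity certificates only, key usage is limited to signing.
$root = New-SelfSignedCertificate -Type Custom `
    -Subject 'CN=Example Lab Root CA' `
    -KeyUsage CertSign, CRLSign `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0') `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(5) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Put only the public certificate (no private key) into
#    "Trusted Root Certification Authorities".
Export-Certificate -Cert $root -FilePath $RootCer | Out-Null
Import-Certificate -FilePath $RootCer `
    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. Server certificate signed by that root. -DnsName writes the host name
#    into the subject alternative name extension.
$server = New-SelfSignedCertificate -Type SSLServerAuthentication `
    -DnsName $HostName `
    -Signer $root `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 4. Validate the chain and host name the way a TLS client would,
#    before touching the IIS binding.
if (-not (Test-Certificate -Cert $server -Policy SSL -DNSName $HostName)) {
    throw "Chain or name validation failed for $HostName"
}

# Thumbprint of the certificate to select under the site's "Bindings".
$server.Thumbprint

# The root's private key is still in Cert:\LocalMachine\My. It can sign a
# certificate for any host name, and every machine that imports $RootCer
# will trust the result, so restrict access to that key or remove it once
# the server certificates have been issued.
```

Other machines that browse to the site need the same `.cer` file imported into their own trusted root store.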

Tessando (IT Administrator, author) commented:
@Shaun - Thanks! The article is good, but I'm not sure I completely understand about creating a root CA.

I have, for example, Microsoft Root Certificate Authority certs (under Trusted Root Certification Authorities) that are valid for the next 25 years. Is there a way to create Certificates from that Trusted Root Authority? You'd think that Microsoft would make this chapter-and-verse a little more clear (e.g. the "create self-signed cert" in IIS seems a bit deceitful). I plan on doing this at simply a server to IIS level, meaning that I'm intentionally generating Certificates for use on that machine only.

I'm wondering if this process hasn't changed over the years because I'm getting so many 2k8 and 2k12r2 results when I do some Google-Fu on this one. Either that, or I'm digging in the wrong place...

Anyway, thanks for the article share. I will have to get buy-off on installing OpenSSL on a server (even though I have it locally installed on a VM).
0
Shaun Vermaak (Technical Specialist/Developer) commented:
For those, you can buy a certificate so that you can leverage these trusted root certificates.
It can be as low as $6, even free if you are okay with renewing every 6 months.
0
iis10

Question has a verified solution.