Robert McMurray's Blog [MSFT]

Discussing IIS, FTP, WebDAV, FPSE, WMI, ADSI, ISAPI, ASP, FastCGI, etc. ;-)

How to trust the IIS Express Self-Signed Certificate


I had an interesting question from a coworker today that I thought would make a great blog. Here's the scenario...

Problem Description

My coworker was using WebMatrix to create a website, although he could have been using Visual Studio and he would have run into the same problem. The problem he was seeing was that his application required HTTPS, but he was greeted with the following error message every time that he used Internet Explorer to browse to his development website at https://localhost:44300/:

When he clicked the link to Continue to this website, he could click on Certificate error in the address bar, which would inform him that the website was using an Untrusted certificate:

If he clicked View certificates, the Certificate dialog box informed him that the CA Root certificate was not trusted:

Cause

Since my coworker was using WebMatrix with IIS Express, which is the default development web server for WebMatrix and Visual Studio, all HTTPS communication was using the self-signed certificate from IIS Express. Because that certificate is self-signed, it is not trusted the way a certificate issued by a "Trusted Root Certification Authority" would be, and therefore Internet Explorer (or any other security-conscious web browser) was doing the right thing by warning the end-user that they were using an untrusted certificate for HTTPS.

If you were seeing this error when browsing to an Internet website, this would be "A Very Bad Thing™", because you might be sending your confidential information to an untrusted website.

Resolutions

Fortunately, this situation is easily rectified. There are two different approaches that you can use, and I will discuss both in the following sections.

Resolution Number #1 - Configure your personal account to trust the IIS Express Certificate

The easiest solution is to configure your user account to trust the self-signed certificate as though it were issued by a trusted root certificate authority. To do so, use the following steps:

  1. Browse to https://localhost:44300/ (or whatever port IIS Express is using) using Internet Explorer and click Continue to this website:
  2. Click on Certificate error in the address bar, and then click View certificates:
  3. When the Certificate dialog box is displayed, click Install Certificate:
  4. When the Certificate Import Wizard is displayed, click Next:
  5. Click Place all certificates in the following store, and then click Browse:
  6. When the Select Certificate Store dialog box is displayed, click Trusted Root Certification Authorities, and then click OK:
  7. On the Certificate Import Wizard, click Next:
  8. When the Completing the Certificate Import Wizard page is displayed in the wizard, click Finish:
  9. When the Security Warning dialog box is displayed, click Yes to trust the certificate:
  10. Click OK when the Certificate Import Wizard informs you that the import was successful:

Resolution Number #2 - Configure your computer to trust the IIS Express Certificate

A more-detailed approach is to configure your computer system to trust the IIS Express certificate, and you might want to do this if your computer is shared by several developers who log in with their individual accounts. To configure your computer to trust the IIS Express certificate, use the following steps:

  1. Open a blank Microsoft Management Console by clicking Start, then Run, entering "mmc" and clicking OK:

    Note: You can also open a blank Microsoft Management Console by typing "mmc" from a command prompt and pressing the Enter key.
  2. Add a snap-in to manage certificates for the local computer:
    1. Click File, and then click Add/Remove Snap-in:
    2. When the Add or Remove Snap-ins dialog box is displayed, click Certificates, and then click Add:
    3. When the Certificates Snap-ins dialog box is displayed, click Computer account, and then click Next:
    4. Click Local computer, and then click Finish:
    5. Click OK to close the Add or Remove Snap-ins dialog box:
  3. Export the IIS Express certificate from the computer's personal store:
    1. In the Console Root, expand Certificates (Local Computer), then expand Personal, and then click Certificates:
    2. Select the certificate with the following attributes:
      • Issued to = "localhost"
      • Issued by = "localhost"
      • Friendly Name = "IIS Express Development Certificate"
    3. Click Action, then click All Tasks, and then click Export:
    4. When the Certificate Export Wizard is displayed, click Next:
    5. Click No, do not export the private key, and then click Next:
    6. Click DER encoded binary X.509 (.CER), and then click Next:
    7. Enter the path for exported certificate, e.g. "c:\users\robert\desktop\iisexpress.cer", and then click Next:
    8. Click Finish to export the certificate:
    9. Click OK when the Certificate Export Wizard displays a dialog box informing you that the export was successful:
  4. Import the IIS Express certificate to the computer's Trusted Root Certification Authorities store:
    1. In the Console Root, expand Certificates (Local Computer), then expand Trusted Root Certification Authorities, and then click Certificates:
    2. Click Action, then click All Tasks, and then click Import:
    3. When the Certificate Import Wizard is displayed, click Next:
    4. Enter the path to your exported certificate, e.g. "c:\users\robert\desktop\iisexpress.cer", and then click Next:
    5. Ensure that Place all certificates in the following store is checked and verify that the selected Certificate store is set to Trusted Root Certification Authorities, and then click Next:
    6. Click Finish to import the certificate:
    7. Click OK when the Certificate Import Wizard displays a dialog box informing you that the import was successful:
    8. Your IIS Express certificate should now be displayed in the list of Trusted Root Certification Authorities as "localhost":

Testing the Certificate Installation

Once you have completed all of the steps in one of the resolutions, you should use the following steps to test the installation of your IIS Express certificate as a trusted root certification authority:

  1. Close all instances of Internet Explorer that you have open.
  2. Re-open Internet Explorer, then browse to https://localhost:44300/ (or whatever port IIS Express is using); your website should be displayed without prompting you to verify that you want to continue to the website.
  3. Click the Security Report icon in the address bar; you should see that the website has been identified as localhost:
  4. If you click View certificates, you should now see that the certificate is trusted to ensure the identity of the computer:
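
Resolution #2 and the trust test above can also be scripted. The following PowerShell is an added example, not part of the original walkthrough; it assumes an elevated prompt, the PKI module cmdlets (Export-Certificate, Import-Certificate), and a scratch export path under %TEMP% that I chose for illustration.

```powershell
# Added example: scripted form of Resolution #2 plus a trust check.
# Run from an elevated prompt; writing to LocalMachine\Root requires administrator rights.

$friendlyName = 'IIS Express Development Certificate'   # attribute listed in step 3.2
$exportPath   = Join-Path $env:TEMP 'iisexpress.cer'    # assumed scratch location

# Step 3: find the certificate in the computer's Personal store.
# Match all three attributes from the article so nothing else is picked up by accident.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.FriendlyName -eq $friendlyName -and
    $_.Subject -eq 'CN=localhost' -and
    $_.Issuer  -eq 'CN=localhost'
})
if ($candidates.Count -ne 1) {
    throw "Expected exactly one matching certificate, found $($candidates.Count)."
}
$cert = $candidates[0]

# Export the public certificate only (DER-encoded .cer).
# The private key stays in the Personal store, as in step 3.5.
Export-Certificate -Cert $cert -FilePath $exportPath -Type CERT | Out-Null

# Step 4: import into the computer's Trusted Root Certification Authorities store,
# then confirm that what landed there is the certificate that was exported.
$imported = Import-Certificate -FilePath $exportPath -CertStoreLocation Cert:\LocalMachine\Root
if ($imported.Thumbprint -ne $cert.Thumbprint) {
    throw "Imported thumbprint $($imported.Thumbprint) does not match $($cert.Thumbprint)."
}
Remove-Item $exportPath

# Test: ask Windows to build a chain for the certificate.
# Revocation checking is skipped because a self-signed development certificate has no CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

if ($chain.Build($cert)) {
    "Trusted: $($cert.Subject) [$($cert.Thumbprint)]"
} else {
    "Not trusted: $($cert.Subject)"
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
}
```

The printed thumbprint identifies the exact root-store entry, so the trust can be withdrawn later by deleting that one item under Cert:\LocalMachine\Root.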

In Closing...

This blog was a little longer than some of my past blogs, but it should provide you with the information you need to trust HTTPS-based websites that you are developing with IIS Express.

That wraps it up for today's blog post. ;-]

Comments
  • it's too much work to do!

    how about this method?

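               // Requires: using System.Security.Cryptography.X509Certificates;
               var fileName = "test.cer";
               var cert = new X509Certificate2(fileName);

               // X509Store takes (StoreName, StoreLocation); the Root store on the
               // local machine matches the MachineKeySet flag used below.
               var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
               store.Open(OpenFlags.ReadWrite);

               try
               {
                   // Re-load the certificate bytes with machine-level key storage flags.
                   var contentType = X509Certificate2.GetCertContentType(fileName);
                   var pfx = cert.Export(contentType);
                   cert = new X509Certificate2(pfx, (string)null, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet);

                   store.Add(cert);
               }
               finally
               {
                   store.Close();
               }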

  • Great

  • THANK YOU!

  • The cert details dialog box does not include Install Certificate button....
