I had an interesting question from a coworker today that I thought would make a great blog. Here's the scenario...
My coworker was using WebMatrix to create a website, although he could have been using Visual Studio and he would have run into the same problem. The problem he was seeing was that his application required HTTPS, but he was greeted with the following error message every time that he used Internet Explorer to browse to his development website at https://localhost:44300/:
When he clicked the link to Continue to this website, he could click on Certificate error in the address bar, which would inform him that the website was using an Untrusted certificate:
If he clicked View certificates, the Certificate dialog box informed him that the CA Root certificate was not trusted:
Since my coworker was using WebMatrix with IIS Express, which is the default development web server for WebMatrix and Visual Studio, all HTTPS communication was using the self-signed certificate from IIS Express. Because that certificate is self-signed, it is not trusted the way a certificate issued by a "Trusted Root Certification Authority" would be, and therefore Internet Explorer (or any other security-conscious web browser) was doing the right thing by warning the end user that they were using an untrusted certificate for HTTPS.
If you were seeing this error when browsing to an Internet website, this would be "A Very Bad Thing™", because you might be sending your confidential information to an untrusted website.
Fortunately, this situation is easily rectified. There are two different approaches that you can use, and I will discuss both in the subsequent sections.
The easiest solution is to configure your user account to trust the self-signed certificate as though it were issued by a trusted root certificate authority. To do so, use the following steps:
A more-detailed approach is to configure your computer system to trust the IIS Express certificate, and you might want to do this if your computer is shared by several developers who log in with their individual accounts. To configure your computer to trust the IIS Express certificate, use the following steps:
Once you have completed all of the steps in one of the resolutions, you should use the following steps to test the installation of your IIS Express certificate as a trusted root certification authority:
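One way to check the result of either approach from PowerShell, as an added example that is not part of the original post. It assumes the IIS Express certificate has the subject CN=localhost and sits in Cert:\LocalMachine\My; the function name Get-DevCertTrust is hypothetical.

```powershell
# Added example: report whether a development certificate is trusted as a
# root, and at which scope (the two approaches above differ only in scope).
# Assumptions: subject CN=localhost, stored in Cert:\LocalMachine\My.
function Get-DevCertTrust {
    param(
        [string]$Subject     = 'CN=localhost',
        [string]$SourceStore = 'Cert:\LocalMachine\My'
    )

    Get-ChildItem -Path $SourceStore |
        Where-Object { $_.Subject -eq $Subject } |
        ForEach-Object {
            $cert = $_

            # The CurrentUser\Root view also surfaces machine-wide roots,
            # so LocalMachine is checked first to report the real scope.
            $inMachine = Test-Path -Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
            $inUser    = Test-Path -Path "Cert:\CurrentUser\Root\$($cert.Thumbprint)"

            $scope = if ($inMachine)  { 'machine-wide (all accounts on this computer)' }
                     elseif ($inUser) { 'current user only' }
                     else             { 'not trusted as a root' }

            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                # A root-trusted certificate should be the self-signed one
                # you expect, not something issued by another party.
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt (Get-Date))
                TrustScope = $scope
            }
        }
}

Get-DevCertTrust | Format-List
```

If the function returns nothing, no certificate with that subject exists in the source store, so pass the store and subject that match your installation.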
This blog was a little longer than some of my past blogs, but it should provide you with the information you need to trust HTTPS-based websites that you are developing with IIS Express.
That wraps it up for today's blog post. ;-]
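It's too much work to do!
How about this method?
// Requires: using System.Security.Cryptography.X509Certificates;
var fileName = "test.cer";
var cert = new X509Certificate2(fileName);
// The second argument must be a StoreLocation; Root on LocalMachine is assumed here.
var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
var contentType = X509Certificate2.GetCertContentType(fileName);
var pfx = cert.Export(contentType);
cert = new X509Certificate2(pfx, (string)null, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet);
// Assumed completion: open the store and add the certificate (needs administrator rights).
store.Open(OpenFlags.ReadWrite);
store.Add(cert);
store.Close();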
The cert details dialog box does not include an Install Certificate button....
My cert error shows a mismatched address. So how do I solve that problem? Please give me some advice, thanks.
Thanks Rob, your steps helped me fix the problem. Though I am not able to identify why I got into that problem.
I was debugging through my application using the same certificate a while back and I was not getting this problem at all. Which makes me think that the certificate was initially there in the Trusted Root Certification Authorities list and it got removed from there somehow on its own. Are there any possible events on Windows or IIS Express that would make such a thing happen?
Since I don't see a certificate error in IE, I tried the second approach. But unfortunately I still get prompted by Visual Studio every time I attempt to launch a site with its "Would you like to trust IIS Express SSL certificate?" prompt. Clicking Yes and checking "Don't not ask me again" does not prevent Visual Studio from prompting again next time.
@Calvin - I wonder if User Access Control (UAC) prevented the second solution from working. You should launch the MMC as an administrator and try that again.
Excellent article with a lot of detail - well done Rob. Works perfect.
Excellent. I am glad, that I have a certificate on localhost and not some other obscure local URL.