How to trust the IIS Express Self-Signed Certificate
I had an interesting question from a coworker today that I thought would make a great blog. Here's the scenario...
Problem Description
My coworker was using WebMatrix to create a website, although he could have been using Visual Studio and he would have run into the same problem. The problem he was seeing was that his application required HTTPS, but he was greeted with the following error message every time that he used Internet Explorer to browse to his development website at https://localhost:44300/:
When he clicked the link to Continue to this website, he could click on Certificate error in the address bar, which would inform him that the website was using an Untrusted certificate:
If he clicked View certificates, the Certificate dialog box informed him that the CA Root certificate was not trusted:
Cause
Since my coworker was using WebMatrix with IIS Express, which is the default development web server for WebMatrix and Visual Studio, all HTTPS communication was using the self-signed certificate from IIS Express. Because that certificate is self-signed, it does not chain to any entry in the "Trusted Root Certification Authorities" store, and therefore Internet Explorer (or any other security-conscious web browser) was doing the right thing by warning the end user that the website was presenting an untrusted certificate for HTTPS.
If you were seeing this error when browsing to an Internet website, this would be "A Very Bad Thing™", because you might be sending your confidential information to an untrusted website.
Resolutions
Fortunately, this situation is easily rectified. There are two different approaches that you can use, and I will discuss both in the following sections.
Resolution Number #1 - Configure your personal account to trust the IIS Express Certificate
The easiest solution is to configure your user account to trust the self-signed certificate as though it were issued by a trusted root certificate authority. To do so, use the following steps:
- Browse to https://localhost:44300/ (or whatever port IIS Express is using) using Internet Explorer and click Continue to this website:
- Click on Certificate error in the address bar, and then click View certificates:
- When the Certificate dialog box is displayed, click Install Certificate:
- When the Certificate Import Wizard is displayed, click Next:
- Click Place all certificates in the following store, and then click Browse:
- When the Select Certificate Store dialog box is displayed, click Trusted Root Certification Authorities, and then click OK:
- On the Certificate Import Wizard, click Next:
- When the Completing the Certificate Import Wizard page is displayed in the wizard, click Finish:
- When the Security Warning dialog box is displayed, click Yes to trust the certificate:
- Click OK when the Certificate Import Wizard informs you that the import was successful:
Resolution Number #2 - Configure your computer to trust the IIS Express Certificate
A more-detailed approach is to configure your computer system to trust the IIS Express certificate, and you might want to do this if your computer is shared by several developers who log in with their individual accounts. To configure your computer to trust the IIS Express certificate, use the following steps:
- Open a blank Microsoft Management Console by clicking Start, then Run, entering "mmc" and clicking OK:
  Note: You can also open a blank Microsoft Management Console by typing "mmc" from a command prompt and pressing the Enter key.
- Add a snap-in to manage certificates for the local computer:
  - Click File, and then click Add/Remove Snap-in:
  - When the Add or Remove Snap-ins dialog box is displayed, click Certificates, and then click Add:
  - When the Certificates Snap-ins dialog box is displayed, click Computer account, and then click Next:
  - Click Local computer, and then click Finish:
  - Click OK to close the Add or Remove Snap-ins dialog box:
- Export the IIS Express certificate from the computer's personal store:
  - In the Console Root, expand Certificates (Local Computer), then expand Personal, and then click Certificates:
  - Select the certificate with the following attributes:
    - Issued to = "localhost"
    - Issued by = "localhost"
    - Friendly Name = "IIS Express Development Certificate"
  - Click Action, then click All Tasks, and then click Export:
  - When the Certificate Export Wizard is displayed, click Next:
  - Click No, do not export the private key, and then click Next:
  - Click DER encoded binary X.509 (.CER), and then click Next:
  - Enter the path for exported certificate, e.g. "c:\users\robert\desktop\iisexpress.cer", and then click Next:
  - Click Finish to export the certificate:
  - Click OK when the Certificate Export Wizard displays a dialog box informing you that the export was successful:
- Import the IIS Express certificate to the computer's Trusted Root Certification Authorities store:
  - In the Console Root, expand Certificates (Local Computer), then expand Trusted Root Certification Authorities, and then click Certificates:
  - Click Action, then click All Tasks, and then click Import:
  - When the Certificate Import Wizard is displayed, click Next:
  - Enter the path to your exported certificate, e.g. "c:\users\robert\desktop\iisexpress.cer", and then click Next:
  - Ensure that Place all certificates in the following store is checked and verify that the selected Certificate store is set to Trusted Root Certification Authorities, and then click Next:
  - Click Finish to import the certificate:
  - Click OK when the Certificate Import Wizard displays a dialog box informing you that the import was successful:
  - Your IIS Express certificate should now be displayed in the list of Trusted Root Certification Authorities as "localhost":
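The export and import steps of Resolution Number #2 can also be scripted. The following PowerShell is an added example, not part of the original post; it assumes an elevated prompt, the PKI module cmdlets Export-Certificate and Import-Certificate (Windows 8 / Server 2012 or later), a subject string of CN=localhost, and a scratch export path under %TEMP%.

```powershell
# Added example: scripted equivalent of the MMC export/import steps above.
$ErrorActionPreference = 'Stop'

$friendlyName = 'IIS Express Development Certificate'   # attribute listed in the steps above
$exportPath   = Join-Path $env:TEMP 'iisexpress.cer'    # assumed scratch location

# 1. Locate the certificate in the computer's Personal store.
#    Assumption: "Issued to/by = localhost" appears as the DN 'CN=localhost'.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.FriendlyName -eq $friendlyName -and
    $_.Subject      -eq 'CN=localhost' -and
    $_.Issuer       -eq 'CN=localhost'
})

if ($candidates.Count -eq 0) {
    throw "No '$friendlyName' certificate found in LocalMachine\My."
}
if ($candidates.Count -gt 1) {
    # Several localhost certificates can coexist; refuse to guess which one IIS Express uses.
    $candidates | ForEach-Object { Write-Warning "$($_.Thumbprint) valid until $($_.NotAfter)" }
    throw 'More than one matching certificate; remove stale ones or select by thumbprint.'
}

$cert = $candidates[0]
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}

# 2. Export the public certificate only (DER-encoded .cer).
#    The private key stays in the Personal store, as in the wizard's
#    "No, do not export the private key" choice.
Export-Certificate -Cert $cert -FilePath $exportPath -Type CERT | Out-Null

# 3. Import into Trusted Root Certification Authorities for the local computer.
Import-Certificate -FilePath $exportPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Remove-Item $exportPath

# 4. Verify by thumbprint that the root store now holds the same certificate.
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $trusted) { throw 'Import did not take effect.' }
"Trusted: $($trusted.Subject) [$($trusted.Thumbprint)], valid until $($trusted.NotAfter)"
```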
Testing the Certificate Installation
Once you have completed all of the steps in one of the resolutions, you should use the following steps to test the installation of your IIS Express certificate as a trusted root certification authority:
- Close all instances of Internet Explorer that you have open.
- Re-open Internet Explorer, then browse to https://localhost:44300/ (or whatever port IIS Express is using); your website should be displayed without prompting you to verify that you want to continue to the website.
- Click the Security Report icon in the address bar; you should see that the website has been identified as localhost:
- If you click View certificates, you should now see that the certificate is trusted to ensure the identity of the computer:
In Closing...
This blog was a little longer than some of my past blogs, but it should provide you with the information you need to trust HTTPS-based websites that you are developing with IIS Express.
That wraps it up for today's blog post. ;-]
Comments
Anonymous
November 16, 2013
It's too much work to do! How about this method?
    // Requires: using System.Security.Cryptography.X509Certificates;
    var fileName = "test.cer";
    var cert = new X509Certificate2(fileName);
    // X509Store takes a store name and a store location; target the machine-wide root store.
    var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadWrite);
    try
    {
        var contentType = X509Certificate2.GetCertContentType(fileName);
        var pfx = cert.Export(contentType);
        cert = new X509Certificate2(pfx, (string)null, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet);
        store.Add(cert);
    }
    finally
    {
        store.Close();
    }
Anonymous
December 25, 2013
Great
Anonymous
March 07, 2014
THANK YOU!
Anonymous
April 07, 2014
The comment has been removed
Anonymous
May 05, 2014
My cert error shows a mismatched address. So how to solve that problem? Please give me some advice, thanks.
Anonymous
May 14, 2014
Thanks Rob, your steps helped me fix the problem. Though I am not able to identify why I got into that problem. I was debugging through my application using the same certificate a while back and I was not getting this problem at all. Which makes me think that the certificate was initially there in the Trusted Root Certification Authorities list and it got removed from there somehow on its own. Are there any possible events on Windows or the IISExpress that would make such a thing happen?
Anonymous
June 04, 2014
Thank you!
Anonymous
June 09, 2014
Since I don't see a certificate error in IE, I tried the second approach. But unfortunately I still get prompted by Visual Studio every time I attempt to launch a site with its "Would you like to trust IIS Express SSL certificate?" prompt. Clicking Yes and checking "Don't not ask me again" does not prevent Visual Studio from prompting again next time.
Anonymous
June 09, 2014
@Calvin - I wonder if User Access Control (UAC) prevented the second solution from working. You should launch the MMC as an administrator and try that again.
Anonymous
November 25, 2014
Excellent article with a lot of detail - well done Rob. Works perfect.
Anonymous
November 25, 2014
Excellent. I am glad that I have a certificate on localhost and not some other obscure local URL.
Anonymous
February 26, 2015
I have a similar problem with my company Polycom video conference system. If I try to access through the IE browser to connect the Polycom (the browser address is based on a fixed IP address connected to the Polycom), there will be this certificate error message: The security certificate presented by this website was not issued by a trusted certificate authority. The problem might indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage. Anyone had this problem and would like to share how to resolve this???
Anonymous
March 03, 2015
Well.. after almost a day I finally did it! Thank you
Anonymous
March 26, 2015
Thank you for taking the time to create this write-up. Couldn't find a clear answer anywhere else. Resolution #2 worked for me.
Anonymous
May 11, 2015
elegant solution (#2 for me) for allowing IIS to work on localhost:port in development environment
Anonymous
July 16, 2015
Hi Rob, Res 1 did not work for me. Tried Res 2 but there's no cert found in the personal folder under certificates. Please help. Thanks
Anonymous
July 13, 2016
This post is awesome and solved my problem. I followed the solution # 2 and it worked like a charm for an Excel add-in for Office 365 in VS 2015. Your screen shots are v. helpful. Thank you so much. Keep up the good work. Best Regards, From Los Angeles, California
Anonymous
August 22, 2016
Really helped, thank you very much!
Anonymous
January 24, 2017
Tried this and it did not work but repairing IIS Express did. Start Menu > Programs and Features > Select IIS 10.0 Express > Repair
Anonymous
March 20, 2017
Thank you very much for this post; it helped me out trying to set up an MVC Core application using Google Authentication that requires HTTPS to talk to the API
Anonymous
July 22, 2017
Thanks a lot for this post.
Anonymous
July 25, 2017
Great for IE but doesn't work for Chrome...
Anonymous
September 26, 2017
I have created an SSL certificate but I want to install it in a Visual Studio ASP.NET C# project. Now tell me how to import it into a Visual Studio project
Anonymous
February 09, 2019
As much as I appreciate the effort here, there might be an issue with both these methods in the way that there could be potential conflicts with any already existing "localhost" certificate(s) within the OS's store that probably should be deleted first. These unwanted certs should probably also be deleted from within the current user account's store. Once these are deleted then the "repair" process could be invoked on the IIS Express installation which will then create a new fresh unsigned cert that can then be installed into the trusted store. Then with all future projects VS will use this trusted cert to synchronize with any IIS Express dynamically created SSL ports 44300-44399. Deleting all the existing "localhost" certs first then letting IIS Express create a brand new cert will produce a fresh start which could reduce future issues from all the previously existing/superfluous certs.