Forum Discussion

Raymond Preston's avatar
Raymond Preston
Copper Contributor
Aug 02, 2019

How do i get Edge to trust our internal Certificate Authority

Is there any way to get edge to stop flagging our internal certs as non trusted ? Pkiview.msc shows that there are no problems with the CA windows shows the cert is trusted.   Yet edge marks it as ...
  • Raymond Preston's avatar
    Raymond Preston
    Copper Contributor
    Aug 28, 2019

    v-gapart Yes, On the latest version im still having every single cert signed by our internal CA marked as invalid by edge

     

     

    When i click on the button there it brings up the Windows Certificate Dialog which shows the certificate is fine 

     

     

    Nothing crazy with the cert either its a Windows CA issued cert 

     

    v3 Template
    sha512RSA
    sha512
    RSA 4096

     

    Looks fine in internet explorer.

    • BlakeDrumm's avatar
      BlakeDrumm
      Icon for Microsoft rankMicrosoft
      Mar 28, 2023

      Raymond Preston in my experience the issue was due to the certificate not containing a Subject Alternative Name.

      DNS=MS02-2022.contoso-2022.com

      • naseeb18's avatar
        naseeb18
        Copper Contributor
        Apr 11, 2023

        BlakeDrumm 

         

        i had the same problem with edge and chrome but not internet explorer .

        here what i did to solve it :

         

         

        1) On the destination server that need the certificate , launch mmc

        2) add certificate => loalhost

        3) Create custom Request => Proceed without enrollment policy => No template & PKCS#10

         

        General Tab: 

        4)  Frindly name : certificateWebServer

             full : Common Name( "FDQN") ,email, country, Locality,Organization, Organization unit

        5) in alternatif name , chose DNS and enter the same as Common Name( "FDQN")

        6) in Extension tab => Key usage :

         CRL Signing,Data enciperment,Decipher only,Digital signature, Encipher only

         

            in Extension tab => Extended Key usage :

        server authentificcation

        clientauthentificcation

         

        In private Key : 

         

        4096 and activate "Make private key exportable"

         

        7) go on your PKI server (eg: http://myPki.lan/certsrv ) paste the request

        😎 dowload .cer and install it.

         

        test 🙂

         

         

    • BalazsBerczi's avatar
      BalazsBerczi
      Copper Contributor
      Sep 15, 2020

      HiRaymond Preston 

       

      Did you have resolve this issue?

       

      I have also an internal PKI and internal webistes. All internal sites showed UNSAFE.

       

      Do you have maybe any resolution for this?

       Thanks

      Regs

      Balazs

      • Naomarn22's avatar
        Naomarn22
        Copper Contributor
        Nov 12, 2023

        BalazsBerczi For anyone running across this I found the solution after a lot of searching and testing. You have to generate the CSR from MMC Certificates. Open advanced operations and then top section, select CN and the value of your FQDN. In the bottom section, select DNS and use FQDN again. Then just request your web server certificate how you normally do. To check open the cert and go details, scroll down and you should see Subject Alternative Names has the DNS name. Make sure you restart iis after you update it on your server.

Resources