How do i get Edge to trust our internal Certificate Authority

Copper Contributor

Is there any way to get edge to stop flagging our internal certs as non trusted ? Pkiview.msc shows that there are no problems with the CA windows shows the cert is trusted.

 

Yet edge marks it as invalid. If the cert is verified up to a trusted root CA it should be valid in edge just like it is in internet explorer.

13 Replies

@Raymond Preston 

 

Are you still seeing this behavior in Edge?

 

Gabriel

@v-gapart Yes, On the latest version im still having every single cert signed by our internal CA marked as invalid by edge

 

Edge.png

 

When i click on the button there it brings up the Windows Certificate Dialog which shows the certificate is fine 

 

Edge2.png

 

Nothing crazy with the cert either its a Windows CA issued cert 

 

v3 Template
sha512RSA
sha512
RSA 4096

 

Looks fine in internet explorer.

I think it would be nice to have a list of urls that can ignore the certificate trust check.

Hey Raymond,

Any chance you got a fix for this ?

Hi@Raymond Preston 

 

Did you have resolve this issue?

 

I have also an internal PKI and internal webistes. All internal sites showed UNSAFE.

 

Do you have maybe any resolution for this?

 Thanks

Regs

Balazs

Hi.

 

I had this problem a few weeks ago too. (Our internal CA was not trusted in Edge.)

 

I have fixed it by applying our IE-GPO (Internet Explorer settings) on the machine.

I think the problem is caused by an incomplete, incorrect or missing intranet sites list or intranet zone settings. (But I don't looked for the direct settings which was causing the problem.)

 

Best regards.

htcfreek

Hi,

Can you explain how exactly?

Regards

Hi@Nawar-AlMallouhi310 .

 

I don't know what I should explain to you exactly.

 

Unfortunatly at the moment I can't reproduce the problem.

But I think the reason could be one of the following setting if it is incorrect:

- Your root ca is not installed.

- Your url is not marked as meber of the zone intranet in the zone-site-list.

 

Can you posted the shown security warning id (like NET::ERR_CERT_COMMON_NAME_INVALID). You have to reenable the security warning to see it.

 

Regards.

 

Bump: 2021 now and still no resolution? I've recently run into this deploying an internal ERP solution's web front-end. The solution is designed only to work in Edge; but Edge won't trust our internal domain CA certs no matter what I do. I even spent the last week upgrading PKI signing hash algorithms to make sure we were within current standards (even though the offline root CA in a multi-tier infrastructure shouldn't matter). The solution won't be public facing, so purchasing a public cert seems pointless and a waste for this essentially cosmetic warning.
Looked at this every which way and while I can get Edge to give me different errors depending on how I construct the URL to request our ERP's web page the overarching end result is Edge simply doesn't seem to like internal Domain CA certs.
I've found this issue to happen if the Root Certificate or a Certificate in the Path of the WebServer Certificate has a length of less than 4096 bits as that is a requirement of Edge,

https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-certificate-requirements#...

@Raymond Preston in my experience the issue was due to the certificate not containing a Subject Alternative Name.

DNS=MS02-2022.contoso-2022.com

@BlakeDrumm 

 

i had the same problem with edge and chrome but not internet explorer .

here what i did to solve it :

 

 

1) On the destination server that need the certificate , launch mmc

2) add certificate => loalhost

3) Create custom Request => Proceed without enrollment policy => No template & PKCS#10

 

General Tab: 

4)  Frindly name : certificateWebServer

     full : Common Name( "FDQN") ,email, country, Locality,Organization, Organization unit

5) in alternatif name , chose DNS and enter the same as Common Name( "FDQN")

6) in Extension tab => Key usage :

 CRL Signing,Data enciperment,Decipher only,Digital signature, Encipher only

 

    in Extension tab => Extended Key usage :

server authentificcation

clientauthentificcation

 

In private Key : 

 

4096 and activate "Make private key exportable"

 

7) go on your PKI server (eg: http://myPki.lan/certsrv ) paste the request

8) dowload .cer and install it.

 

test :)

 

 

@BalazsBerczi For anyone running across this I found the solution after a lot of searching and testing. You have to generate the CSR from MMC Certificates. Open advanced operations and then top section, select CN and the value of your FQDN. In the bottom section, select DNS and use FQDN again. Then just request your web server certificate how you normally do. To check open the cert and go details, scroll down and you should see Subject Alternative Names has the DNS name. Make sure you restart iis after you update it on your server.