Aug 02 2019 01:44 AM
Is there any way to get Edge to stop flagging our internal certs as non-trusted? Pkiview.msc shows that there are no problems with the CA, and Windows shows the cert is trusted.
Yet Edge marks it as invalid. If the cert is verified up to a trusted root CA, it should be valid in Edge just like it is in Internet Explorer.
Aug 28 2019 12:09 PM
Aug 28 2019 12:28 PM - edited Aug 28 2019 12:29 PM
@v-gapart Yes, on the latest version I'm still having every single cert signed by our internal CA marked as invalid by Edge.
When I click on the button there, it brings up the Windows Certificate dialog, which shows the certificate is fine.
Nothing crazy with the cert either; it's a Windows CA-issued cert:
v3 Template
sha512RSA
sha512
RSA 4096
Looks fine in Internet Explorer.
Oct 03 2019 11:32 AM
I think it would be nice to have a list of URLs that can ignore the certificate trust check.
Sep 08 2020 02:27 PM
Sep 15 2020 07:44 AM
Did you resolve this issue?
I also have an internal PKI and internal websites. All internal sites showed UNSAFE.
Do you maybe have any resolution for this?
Thanks
Regs
Balazs
Sep 15 2020 09:11 AM
Hi.
I had this problem a few weeks ago too. (Our internal CA was not trusted in Edge.)
I have fixed it by applying our IE-GPO (Internet Explorer settings) on the machine.
I think the problem is caused by an incomplete, incorrect or missing intranet sites list or intranet zone settings. (But I didn't look for the direct settings which were causing the problem.)
Best regards.
htcfreek
Sep 15 2020 09:20 AM
Sep 16 2020 05:12 AM
I don't know what I should explain to you exactly.
Unfortunately, at the moment I can't reproduce the problem.
But I think the reason could be one of the following settings if it is incorrect:
- Your root CA is not installed.
- Your URL is not marked as a member of the intranet zone in the zone-site-list.
Can you post the shown security warning ID (like NET::ERR_CERT_COMMON_NAME_INVALID)? You have to re-enable the security warning to see it.
Regards.
Feb 24 2021 03:08 PM
Apr 13 2021 06:37 AM
Mar 28 2023 03:59 PM
@Raymond Preston in my experience the issue was due to the certificate not containing a Subject Alternative Name.
DNS=MS02-2022.contoso-2022.com
Apr 10 2023 05:13 PM
I had the same problem with Edge and Chrome but not Internet Explorer.
Here is what I did to solve it:
1) On the destination server that needs the certificate, launch mmc
2) Add certificate => localhost
3) Create custom Request => Proceed without enrollment policy => No template & PKCS#10
General Tab:
4) Friendly name: certificateWebServer
full: Common Name ("FQDN"), email, Country, Locality, Organization, Organization unit
5) In alternative name, choose DNS and enter the same as Common Name ("FQDN")
6) In Extension tab => Key usage:
CRL Signing, Data encipherment, Decipher only, Digital signature, Encipher only
In Extension tab => Extended Key usage:
Server authentication
Client authentication
In Private Key:
4096 and activate "Make private key exportable"
7) Go to your PKI server (e.g. http://myPki.lan/certsrv) and paste the request
8) Download the .cer and install it.
test :)
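
The missing Subject Alternative Name reported above, and step 5 of the procedure, come down to how the hostname is matched: Chromium-based browsers check only the SAN dNSName entries, while older validators fall back to the Subject CN. The sketch below is an added example, not code from any poster or from Microsoft; the function names and the two sample certificates are constructed for illustration, and only the hostname is taken from the thread.

```python
# Added example: models hostname matching only; chain building and trust
# decisions are out of scope. Dicts mimic ssl.SSLSocket.getpeercert() output.

def san_dns_names(cert):
    """dNSName entries from the subjectAltName extension."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_names(cert):
    """commonName values from the Subject."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' allowed only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def san_only_match(cert, host):
    """Chromium-style check: the Subject CN is never consulted."""
    return any(name_matches(n, host) for n in san_dns_names(cert))

def cn_fallback_match(cert, host):
    """Legacy check: use the CN when the cert has no dNSName SAN."""
    names = san_dns_names(cert) or common_names(cert)
    return any(name_matches(n, host) for n in names)

def diagnose(cert, host):
    if san_only_match(cert, host):
        return "ok"
    if not san_dns_names(cert) and cn_fallback_match(cert, host):
        return "CN-only: reissue with a DNS SAN"
    return "name mismatch"

HOST = "MS02-2022.contoso-2022.com"  # hostname quoted in the thread
# Constructed sample certificates (not real ones):
CN_ONLY = {"subject": ((("commonName", HOST),),)}
WITH_SAN = {"subject": ((("commonName", HOST),),), "subjectAltName": (("DNS", HOST),)}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("CN + SAN", WITH_SAN)):
        print(label, "->", diagnose(cert, HOST))
```

A certificate that reports "CN-only" here still chains to a trusted root, which is why the Windows certificate dialog shows it as fine while the browser rejects it.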