How do I get Edge to trust our internal Certificate Authority?


Is there any way to get Edge to stop flagging our internal certs as non-trusted? Pkiview.msc shows that there are no problems with the CA, and Windows shows the cert is trusted.

Yet Edge marks it as invalid. If the cert is verified up to a trusted root CA, it should be valid in Edge just like it is in Internet Explorer.

13 Replies

@Raymond Preston 


Are you still seeing this behavior in Edge?



@v-gapart Yes, on the latest version I'm still having every single cert signed by our internal CA marked as invalid by Edge.

When I click on the button there, it brings up the Windows Certificate dialog, which shows the certificate is fine.

Nothing crazy with the cert either; it's a Windows CA-issued cert:

v3 Template
RSA 4096

Looks fine in Internet Explorer.

I think it would be nice to have a list of URLs that can ignore the certificate trust check.

Hey Raymond,

Any chance you got a fix for this?

Hi @Raymond Preston

Did you resolve this issue?

I also have an internal PKI and internal websites. All internal sites showed UNSAFE.

Do you maybe have any resolution for this?






I had this problem a few weeks ago too. (Our internal CA was not trusted in Edge.)

I fixed it by applying our IE GPO (Internet Explorer settings) on the machine.

I think the problem is caused by an incomplete, incorrect or missing intranet sites list or intranet zone settings. (But I didn't look for the direct settings which were causing the problem.)


Best regards.



Can you explain how exactly?


Hi @Nawar-AlMallouhi310.

I don't know what exactly I should explain to you.

Unfortunately, I can't reproduce the problem at the moment.

But I think the reason could be one of the following settings, if it is incorrect:

- Your root CA is not installed.
- Your URL is not marked as a member of the intranet zone in the zone site list.

Can you post the security warning ID shown (like NET::ERR_CERT_COMMON_NAME_INVALID)? You have to re-enable the security warning to see it.




Bump: 2021 now and still no resolution? I've recently run into this deploying an internal ERP solution's web front-end. The solution is designed only to work in Edge; but Edge won't trust our internal domain CA certs no matter what I do. I even spent the last week upgrading PKI signing hash algorithms to make sure we were within current standards (even though the offline root CA in a multi-tier infrastructure shouldn't matter). The solution won't be public facing, so purchasing a public cert seems pointless and a waste for this essentially cosmetic warning.
Looked at this every which way and while I can get Edge to give me different errors depending on how I construct the URL to request our ERP's web page the overarching end result is Edge simply doesn't seem to like internal Domain CA certs.
I've found this issue to happen if the Root Certificate or a Certificate in the Path of the WebServer Certificate has a length of less than 4096 bits as that is a requirement of Edge,

@Raymond Preston in my experience the issue was due to the certificate not containing a Subject Alternative Name.



I had the same problem with Edge and Chrome, but not Internet Explorer.

Here is what I did to solve it:

1) On the destination server that needs the certificate, launch mmc

2) Add certificate => localhost

3) Create custom request => Proceed without enrollment policy => No template & PKCS#10

General tab:

4) Friendly name: certificateWebServer

     Full: Common Name ("FQDN"), email, country, Locality, Organization, Organization unit

5) In alternative name, choose DNS and enter the same as Common Name ("FQDN")

6) In Extension tab => Key usage:

     CRL signing, Data encipherment, Decipher only, Digital signature, Encipher only

     In Extension tab => Extended Key Usage:

     Server Authentication

     In Private Key:

     4096 and activate "Make private key exportable"

7) Go to your PKI server (e.g. http://myPki.lan/certsrv) and paste the request

8) Download the .cer and install it.

Test :)



@BalazsBerczi For anyone running across this, I found the solution after a lot of searching and testing. You have to generate the CSR from MMC Certificates. Open advanced operations and then, in the top section, select CN and enter the value of your FQDN. In the bottom section, select DNS and use the FQDN again. Then just request your web server certificate how you normally do. To check, open the cert and go to Details, scroll down and you should see that Subject Alternative Names has the DNS name. Make sure you restart IIS after you update it on your server.
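
The last replies trace the warning to a certificate without a Subject Alternative Name and suggest checking the Details tab by hand. The PowerShell below is an added example, not code from any poster in this thread, that does the same check in script form: it decodes the SAN extension and reports whether a host name is listed as a DNS entry. `Test-CertSan`, `New-SampleCert` and `erp.corp.example` are hypothetical names, and it assumes Windows with .NET Framework 4.7.2 or later.

```powershell
# Added example (not from the thread). Windows only: decodes the SAN with the X509Enrollment COM API.
function Test-CertSan {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $HostName
    )
    # The Subject Alternative Name extension is OID 2.5.29.17
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dns = @()
    if ($ext) {
        # COM decode instead of parsing $ext.Format() text, whose labels are localized.
        # InitializeDecode 1 = XCN_CRYPT_STRING_BASE64; name Type 3 = XCN_CERT_ALT_NAME_DNS_NAME
        $san = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
        $san.InitializeDecode(1, [Convert]::ToBase64String($ext.RawData))
        $dns = @($san.AlternativeNames |
                 Where-Object { $_.Type -eq 3 } |
                 ForEach-Object { $_.strValue })
    }
    $inSan = $false
    foreach ($name in $dns) {
        # Exact match (case-insensitive), or a wildcard that covers exactly the left-most label
        $wild = $name.StartsWith('*.') -and $HostName.Contains('.') -and
                ($HostName.Substring($HostName.IndexOf('.')) -eq $name.Substring(1))
        if ($name -eq $HostName -or $wild) { $inSan = $true }
    }
    [pscustomobject]@{
        Subject   = $Certificate.Subject
        HasSan    = [bool]$ext
        DnsNames  = $dns -join ', '
        HostInSan = $inSan
    }
}
# Constructed sample input: throwaway in-memory self-signed certificates (hypothetical host name).
function New-SampleCert([string] $CommonName, [string[]] $DnsNames) {
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=$CommonName", $rsa, [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    if ($DnsNames) {
        $builder = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new()
        foreach ($d in $DnsNames) { $builder.AddDnsName($d) }
        $req.CertificateExtensions.Add($builder.Build($false))
    }
    $req.CreateSelfSigned([DateTimeOffset]::Now.AddMinutes(-5), [DateTimeOffset]::Now.AddDays(1))
}
# First certificate carries only a CN; the second also lists the FQDN as a DNS SAN entry.
Test-CertSan -Certificate (New-SampleCert 'erp.corp.example') -HostName 'erp.corp.example'
Test-CertSan -Certificate (New-SampleCert 'erp.corp.example' @('erp.corp.example')) -HostName 'erp.corp.example'
```

To check a certificate already installed on the web server, pass an item from `Get-ChildItem Cert:\LocalMachine\My` as `-Certificate`.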