How do I get Edge to trust our internal Certificate Authority


Is there any way to get Edge to stop flagging our internal certs as non-trusted? Pkiview.msc shows that there are no problems with the CA; Windows shows the cert is trusted.

Yet Edge marks it as invalid. If the cert is verified up to a trusted root CA it should be valid in Edge just like it is in Internet Explorer.

10 Replies

@Raymond Preston 

 

Are you still seeing this behavior in Edge?

 

Gabriel

@v-gapart Yes, on the latest version I'm still having every single cert signed by our internal CA marked as invalid by Edge.

[Image: Edge.png]

When I click on the button there it brings up the Windows Certificate Dialog, which shows the certificate is fine.

[Image: Edge2.png]

Nothing crazy with the cert either; it's a Windows CA issued cert.

v3 Template
sha512RSA
sha512
RSA 4096

Looks fine in Internet Explorer.

I think it would be nice to have a list of URLs that can ignore the certificate trust check.

Hey Raymond,

Any chance you got a fix for this?

Hi @Raymond Preston

Did you resolve this issue?

I also have an internal PKI and internal websites. All internal sites showed UNSAFE.

Do you maybe have any resolution for this?

Thanks

Regs

Balazs

Hi.

 

I had this problem a few weeks ago too. (Our internal CA was not trusted in Edge.)

 

I have fixed it by applying our IE-GPO (Internet Explorer settings) on the machine.

I think the problem is caused by an incomplete, incorrect or missing intranet sites list or intranet zone settings. (But I didn't look for the direct settings which were causing the problem.)

 

Best regards.

htcfreek

Hi,

Can you explain how exactly?

Regards

Hi @Nawar-AlMallouhi310.

I don't know what I should explain to you exactly.

Unfortunately at the moment I can't reproduce the problem.

But I think the reason could be one of the following settings if it is incorrect:

- Your root CA is not installed.

- Your URL is not marked as member of the zone intranet in the zone-site-list.

Can you post the shown security warning ID (like NET::ERR_CERT_COMMON_NAME_INVALID)? You have to re-enable the security warning to see it.

 

Regards.
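
An added diagnostic sketch, not code from any poster in this thread, for the two things the reply above asks about: whether the chain ends in a root that is installed in a trusted root store, and whether the requested host name matches a subjectAltName DNS entry (a mismatch there is what Chromium reports as NET::ERR_CERT_COMMON_NAME_INVALID). The host `erp.corp.example` is a placeholder, and the SAN parsing assumes English-locale Windows formatting.

```powershell
# Added example (not from the thread). 'erp.corp.example' is a placeholder host.
param([string]$HostName = 'erp.corp.example', [int]$Port = 443)

$x509 = 'System.Security.Cryptography.X509Certificates'

# Fetch the leaf certificate. The callback accepts any certificate so that an
# untrusted one can still be read for inspection; no application data is sent.
$acceptAny = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
    $ssl.AuthenticateAsClient($HostName)
    $leaf = New-Object "$x509.X509Certificate2" -ArgumentList $ssl.RemoteCertificate
} finally { $tcp.Close() }

# Build the chain the way Windows does, then look at the certificate on top.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'Online'   # CRL/OCSP URLs must be reachable
$chainBuilds = $chain.Build($leaf)
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# If an intermediate is missing, $top is not a root; Subject -eq Issuer shows that.
$topIsRoot = $top.Subject -eq $top.Issuer
$rootInStore = (Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)") -or
               (Test-Path "Cert:\CurrentUser\Root\$($top.Thumbprint)")

# subjectAltName (OID 2.5.29.17). Assumption: English formatting "DNS Name=host".
$sanExt  = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
$dnsNames = @([regex]::Matches($sanText, 'DNS Name=([^,\s]+)') |
              ForEach-Object { $_.Groups[1].Value })

# -like lets '*' span several labels, so this is looser than a browser's match.
$hostInSan = [bool]($dnsNames | Where-Object { $HostName -like $_ })

[pscustomobject]@{
    Host               = $HostName
    ChainBuilds        = $chainBuilds
    ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    TopOfChain         = $top.Subject
    TopIsSelfSigned    = $topIsRoot
    RootInTrustedStore = $rootInStore
    SanDnsNames        = $dnsNames -join ', '
    HostMatchesSan     = $hostInSan
} | Format-List
```

Run it with the exact host name typed into the browser; a chain that builds with `HostMatchesSan` false points at the certificate's names rather than at CA trust.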

 

Bump: 2021 now and still no resolution? I've recently run into this deploying an internal ERP solution's web front-end. The solution is designed only to work in Edge; but Edge won't trust our internal domain CA certs no matter what I do. I even spent the last week upgrading PKI signing hash algorithms to make sure we were within current standards (even though the offline root CA in a multi-tier infrastructure shouldn't matter). The solution won't be public facing, so purchasing a public cert seems pointless and a waste for this essentially cosmetic warning.
Looked at this every which way and while I can get Edge to give me different errors depending on how I construct the URL to request our ERP's web page the overarching end result is Edge simply doesn't seem to like internal Domain CA certs.

I've found this issue to happen if the Root Certificate or a Certificate in the Path of the WebServer Certificate has a length of less than 4096 bits as that is a requirement of Edge:

https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-certificate-requirements#...