Windows Self Signed Certificate in Trusted Root not valid in Chrome 106 - google-chrome

I'm using powershell New-SelfSignedCertificate to create a certificate and import into trusted root for a .netcore project.
It has been working fine, but has recently stopped; the certificate doesn't expire until 2024.
I'm on Chrome 106.
Any ideas on why it would stop and how to fix?

Yes, Chrome has introduced its own certificate root store. They say this happened back in Chrome 105, but we've only started experiencing problems since Chrome 106 in an enterprise environment.
On Windows you may disable this new feature via the registry:
Create a REG_DWORD value ChromeRootStoreEnabled = 0 at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
Restart Chrome
Taken from chromeenterprise. But don't forget that disabling this feature without understanding what you do may be a security risk - not a big one in this case but anyway.
The docs actually state that the new root store takes locally trusted certificates into account:
The Chrome Certificate Verifier considers locally-managed certificates during the certificate verification process. This means if an enterprise distributes a root CA certificate as trusted to its users (for example, by a Windows Group Policy Object), it will be considered trusted in Chrome.
We use our own CA to sign test websites' HTTPS certificates in an enterprise environment, so we seemingly should not have been affected. But even though everyone on the dev team has our CA installed in Trusted Root, we still face this issue. I'm not sure whether it's a bug or there is something else we need to know about which CAs are accepted and which are not.
Update 2022-10-24
I found out that there is another local enterprise CA apart from our team's one. Certificates issued by that CA are accepted by Chrome without disabling the new root store, so Chrome obviously does not ignore locally trusted certificates.
After some trial and error I've figured out that the problem was not about the CA certs, but about the endpoint CA-signed certificates. The old, now-rejected test certificate contains these properties:
Basic Constraints: subject = not a CA, path length = 0
Key Usage: Digital Signature, Key Encipherment
Extended Key Usage: TLS Server, TLS Client + 9 internal custom OIDs
Subject Alternative Name: localhost + around 30 test websites DNS names in various domains
Removing the Basic Constraints property made Chrome finally accept the cert.
So there have been more changes to the certificate validation procedure apart from the new root store. So far I haven't found any documentation about what exactly else they've changed. And AFAIK Basic Constraints is an absolutely fine property to have even in a non-CA certificate, so it looks like a bug in Chrome to me.
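An added PowerShell example, not code from the question or the answer above: it reads the four properties the answer lists (Basic Constraints, Key Usage, EKU, SAN) off an existing certificate, then issues a replacement localhost certificate that carries Key Usage, EKU and SAN but requests no Basic Constraints extension, and verifies that none was added before handing it back. It assumes the certificates live in the LocalMachine stores, that the old certificate can be selected by its subject, and that the standard serverAuth/clientAuth EKU OIDs are wanted; the subject filter and friendly name are illustrative.

```powershell
# Added example. Assumptions: LocalMachine stores, old cert selected by subject,
# standard serverAuth/clientAuth EKU OIDs (1.3.6.1.5.5.7.3.1 and .2).

function Get-EndpointCertReport {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $report = [ordered]@{
        Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint; NotAfter = $Cert.NotAfter
        BasicConstraints = $null; KeyUsage = $null; EKU = @(); SAN = $null
    }
    foreach ($ext in $Cert.Extensions) {
        switch ($ext.Oid.Value) {
            '2.5.29.19' {   # Basic Constraints: the extension the answer had to remove
                $bc = New-Object System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension -ArgumentList $ext, $ext.Critical
                $len = if ($bc.HasPathLengthConstraint) { $bc.PathLengthConstraint } else { 'none' }
                $report.BasicConstraints = "CA=$($bc.CertificateAuthority); PathLength=$len"
            }
            '2.5.29.15' {   # Key Usage
                $ku = New-Object System.Security.Cryptography.X509Certificates.X509KeyUsageExtension -ArgumentList $ext, $ext.Critical
                $report.KeyUsage = $ku.KeyUsages.ToString()
            }
            '2.5.29.37' {   # Extended Key Usage, listed as OIDs so custom internal ones stay visible
                $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension -ArgumentList $ext, $ext.Critical
                $report.EKU = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
            '2.5.29.17' {   # Subject Alternative Name, as Windows formats it
                $report.SAN = $ext.Format($false)
            }
        }
    }
    [pscustomobject]$report
}

function New-LeafCertWithoutBasicConstraints {
    param([string[]]$DnsNames = @('localhost'))
    # No 2.5.29.19 (Basic Constraints) is requested; only KU, EKU and SAN.
    $cert = New-SelfSignedCertificate -DnsName $DnsNames -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeyUsage DigitalSignature, KeyEncipherment `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2') `
        -NotAfter (Get-Date).AddYears(1) -FriendlyName 'dev cert without Basic Constraints'
    # Verify rather than assume: refuse to hand back a certificate that still carries 2.5.29.19.
    if ((Get-EndpointCertReport -Cert $cert).BasicConstraints) {
        throw "Basic Constraints was added to $($cert.Thumbprint); inspect the cmdlet parameters"
    }
    $cert
}

# Usage (elevated PowerShell): report on the rejected certificate, then issue the replacement.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like 'CN=localhost*' } |
    ForEach-Object { Get-EndpointCertReport -Cert $_ } | Format-List
$new = New-LeafCertWithoutBasicConstraints -DnsNames 'localhost'
# Trust the public part machine-wide, as the question does; no private key is exported.
Export-Certificate -Cert $new -FilePath "$env:TEMP\$($new.Thumbprint).cer" | Out-Null
Import-Certificate -FilePath "$env:TEMP\$($new.Thumbprint).cer" -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
# Shows whether the registry override from the answer is in effect (0 disables the Chrome root store).
(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Google\Chrome' -Name ChromeRootStoreEnabled -ErrorAction SilentlyContinue).ChromeRootStoreEnabled
```

Running the report against the old certificate first makes the difference visible: the rejected one prints a BasicConstraints line, the replacement prints none, so the fix can be confirmed before the registry override is ever considered.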

Related

JMeter recording issues with Chrome

I'm facing recording issues in JMeter version 5.0 while using it with the Chrome browser, Version 72.0.3626.96 (Official Build) (64-bit).
I have installed the JMeter Root CA certificate on my local drive and also imported that certificate into the Chrome browser. Still I can't record any request. Which version of Chrome is suggested for recording purposes in JMeter 5.0?
Any version of Chrome should fit, just make sure to install JMeter's self-signed certificate to Trusted Root Certification Authorities
Also be aware that JMeter's certificates have limited time frame (7 days by default) so double check that the certificate isn't expired.
If you conducted above steps and still cannot record - try clearing your browsing history (delete everything from the beginning of the time) and re-install the certificate.
Going forward I would recommend using a browser which has separate proxy/certificates configuration like Mozilla Firefox which doesn't rely on operating system certificates and proxy settings.
Also you can consider using JMeter Chrome Extension, in this case you won't have to worry about proxies and SSL certificates.
Apart from adding the certificate to Trusted Root Certification Authorities, also ensure the following:
There are no multiple entries of the JMeter certificate under Trusted Root Certification Authorities. If there are, delete all entries and add the new certificate fresh.
Ensure that the expiry date of the certificate is a future date. Normally it is auto-generated and will be valid for the next 7 days in each cycle. But just ensure the same.
Even then, if the requests are not getting recorded, clear the browser cache and check again. Or, even better, take the session in incognito mode.
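The two store checks the answers above describe (no duplicate JMeter entries, certificate not expired) as an added PowerShell example; this is not code from JMeter or from the answers. It assumes the JMeter recording CA can be matched by a subject containing "JMeter" and that it was imported into the current user's Trusted Root store; the `$JMeterBin` path is a placeholder to fill in.

```powershell
# Added example. Assumptions: subject pattern '*JMeter*', store Cert:\CurrentUser\Root,
# $JMeterBin is a placeholder for your JMeter bin directory.

function Get-JMeterRootCertStatus {
    param(
        [string]$SubjectPattern = '*JMeter*',
        [string]$StorePath = 'Cert:\CurrentUser\Root'
    )
    $now = Get-Date
    $certs = @(Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -like $SubjectPattern })
    foreach ($c in $certs) {
        [pscustomobject]@{
            Thumbprint  = $c.Thumbprint
            Subject     = $c.Subject
            NotBefore   = $c.NotBefore
            NotAfter    = $c.NotAfter
            Expired     = ($c.NotAfter -lt $now)          # JMeter certs live ~7 days by default
            NotYetValid = ($c.NotBefore -gt $now)         # clock skew between generator and browser
            Duplicate   = ($certs.Count -gt 1)            # answer says: delete all and re-add one
        }
    }
}

function Remove-StaleJMeterRootCerts {
    param([string]$SubjectPattern = '*JMeter*', [string]$StorePath = 'Cert:\CurrentUser\Root')
    # Removes every expired or duplicated entry; Windows prompts once per removal from a user Root store.
    Get-JMeterRootCertStatus -SubjectPattern $SubjectPattern -StorePath $StorePath |
        Where-Object { $_.Expired -or $_.Duplicate } |
        ForEach-Object { Remove-Item -Path (Join-Path $StorePath $_.Thumbprint) -Verbose }
}

# Usage: inspect, clean up, then import the freshly generated CA from the JMeter bin folder.
Get-JMeterRootCertStatus | Format-Table Thumbprint, NotAfter, Expired, NotYetValid, Duplicate
Remove-StaleJMeterRootCerts
$JMeterBin = 'C:\path\to\apache-jmeter\bin'   # placeholder
Import-Certificate -FilePath (Join-Path $JMeterBin 'ApacheJMeterTemporaryRootCA.crt') -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null
```

The status table is the useful part when recording silently fails: an Expired or Duplicate column showing True points at the store rather than at the Chrome version.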

How to get Windows 10 Chrome to accept the self signed certificate generated by CUPS admin on Linux

I have a ClearOs Linux server which, amongst other things, runs a CUPS print server. Installing CUPS makes an admin interface available via https protocol.
Every time I connect to this admin server, Chrome (and IE) warns me the certificate is invalid, and I have to click twice more to go through to the site.
I would like to tell Chrome to trust this certificate. I have Googled how to do this, and tried 3 or 4 different recipes - none of them seem to have worked (the certificate is still not trusted). I have tried the following:
Connect to the site via IE running as Administrator, click on the invalid certificate flash next to the url, view certificate, install certificate, choose Trusted Root Certificate store, and install it. I also tried the Personal store and the Trusted publishers store.
Connect to the site via Chrome, click on the certificate and export it, do Settings/Advanced/Manage certificates, and import it into the store (again, I tried Trusted Root and Personal stores).
I also tried some other instructions which said to start by running "MMC" from the Windows Start button - but typing MMC only offers me Hyper-V manager and Sql Server 2017 Configuration Manager - not the management console expected.
I have read Getting Chrome to accept self-signed localhost certificate here, and tried everything there that applies to Windows 10, but nothing works.
Enter "chrome://flags/#allow-insecure-localhost" in your Chrome browser and enable "Allow invalid certificates for resources loaded from localhost." to bypass the security warning about your self-signed certificate.

How do I change my IIS Express SSL certificate for one that will work with Chrome 58+?

Chrome 58+ drops support for CN in SSL certs, which means (at least on my machine) that browsing sites hosted in IIS Express throw constant security warnings.
How do I change my IIS Express SSL certificate for one that will work with Chrome 58+?
This is how I fixed this. There may be an easier way (I'm sure there is!)
Step 1 - Open Windows PowerShell (in admin mode) and generate a certificate like this:
New-SelfSignedCertificate -DnsName "localhost", "localhost" -CertStoreLocation "cert:\LocalMachine\My"
Keep the thumbprint safe.
Step 2 - Open a command prompt (in admin mode) and run these commands.
The first will delete the current IIS Express certificate for ports 44300-44399.
for /L %i in (44300,1,44399) do netsh http delete sslcert ipport=0.0.0.0:%i
The next will add your new certificate to those ports. Change the thumbprint obviously.
for /L %i in (44300,1,44399) do netsh http add sslcert ipport=0.0.0.0:%i certhash=33459ADA4D5329673604F43A073B7F43084818A7 appid={214124cd-d05b-4309-9af9-9caa44b2b74a}
The appid is for IIS Express 10 I believe. You may want to check your IIS Express appid is the same as mine first. To do that do this:
netsh http show sslcert
Step 3 - Restart IIS Express and Chrome, then run up one of your sites in Chrome.
It'll give you the security warning again. Proceed to the page then go into settings > advanced settings, HTTPS/SSL Manage certificates.
In here, export the certificate from Personal and import the certificate to Trusted Root Certificate Authorities (I did it as .p7b) then restart Chrome.
Try the site again - you should be secure now.
You can do all this outside of Chrome in certmgr as well.
Edit: Alternate steps for Step 3 above using certmgr:
Hit win key and type "certmgr" to open the Windows cert manager.
Expand Certificates - Local Computer > Personal > Certificates and find the cert you just created (it should be issued to localhost and have an expiration one year from the current date).
Select the cert and ctrl-c to copy.
Expand Certificates - Local Computer > Trusted Root Certification Authorities > Certificates and ctrl-v to paste.
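Steps 1 to 3 of Chris's answer as one script, added here as an example; it is not Chris's gist, not Microsoft's code, and not from the original post. It assumes the IIS Express appid and the 44300-44399 port range quoted in the answer (confirm yours with "netsh http show sslcert"), and that it is run from an elevated PowerShell.

```powershell
# Added example. Assumptions: appid and port range from the answer above; run elevated.

function New-IisExpressLocalhostCert {
    # Step 1: a SAN certificate for localhost, which is what Chrome 58+ checks instead of the CN.
    New-SelfSignedCertificate -DnsName 'localhost' -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -NotAfter (Get-Date).AddYears(1) -FriendlyName 'IIS Express localhost (SAN)'
}

function Set-IisExpressSslBindings {
    # Step 2: replace the binding on every IIS Express SSL port with the new thumbprint.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$AppId = '{214124cd-d05b-4309-9af9-9caa44b2b74a}',
        [int]$FirstPort = 44300,
        [int]$LastPort  = 44399
    )
    foreach ($port in $FirstPort..$LastPort) {
        $ipport = "0.0.0.0:$port"
        # "delete" reports an error for ports that never had a binding; that is expected and ignored.
        netsh http delete sslcert ipport=$ipport | Out-Null
        $out = netsh http add sslcert ipport=$ipport certhash=$Thumbprint appid="$AppId"
        if ($LASTEXITCODE -ne 0) { Write-Warning "port ${port}: $out" }
    }
}

function Add-CertToTrustedRoot {
    # Step 3 without the GUI: copy only the public certificate into Trusted Root.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $path = Join-Path $env:TEMP "$($Cert.Thumbprint).cer"
    Export-Certificate -Cert $Cert -FilePath $path | Out-Null        # DER, public part only
    Import-Certificate -FilePath $path -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    Remove-Item $path
}

# Usage: then restart IIS Express and Chrome, as the answer says.
$cert = New-IisExpressLocalhostCert
Set-IisExpressSslBindings -Thumbprint $cert.Thumbprint
Add-CertToTrustedRoot -Cert $cert
netsh http show sslcert ipport=0.0.0.0:44300    # confirm the new thumbprint is bound
```

Keeping the private key in LocalMachine\My and exporting only the public certificate into Trusted Root mirrors what the certmgr copy-and-paste in the answer does, with the difference that the bindings are verified per port instead of assumed.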
The answer Chris gave solves the issue, thanks! Because my whole team had this issue, I created a little Powershell script to run the steps in Chris' answer.
https://gist.github.com/camieleggermont/5b2971a96e80a658863106b21c479988
Running this in elevated mode did the trick for me.
I am just using this setting until it is fixed in Visual Studio:
chrome://flags/#allow-insecure-localhost
It just prevents having to allow the security exception each time but it will still show the SSL as invalid (red) in your browser bar.
The solution provided by Chris does do the trick (thanks!), but ultimately this should be fixed by the visual studio team. You can vote here in order to bring this issue to their attention:
https://developercommunity.visualstudio.com/content/problem/48596/visual-studio-2017-151-264037-crashing-during-code.html
A more visual way to fix it is to use Jexus Manager to:
Generate a new certificate.
Let Windows (and Chrome) trust it.
Bind it to the site.
I documented the exact steps in a blog post.

How to resolve a SHA-1 certificate warning (Chrome)

How do I resolve this problem in Google Chrome for my site:
The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1.
In Internet Explorer it functions normally.
You resolve the problem by getting a new certificate that uses SHA2. The SHA1 algorithm has been proven to have collisions, which means someone could make up a fake certificate and impersonate your site.
Chrome on purpose warns and does not accept those certificates anymore.
Typically, if you revoke and re-issue a certificate with your CA, you will get credit for the remaining time of your existing certificate.
The problem is not with Chrome, but with your certificate being considered 'unsafe' and Chrome taking a hard stance to make sure things are actually secure.
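An added PowerShell diagnostic, not code from either thread, that serves this SHA-1 question and the earlier CUPS question alike: it connects to a site, builds the certificate chain with Windows' own policy, and reports each element's signature algorithm (flagging SHA-1 below the root) together with the chain status Windows assigns (which is what tells you why an imported self-signed certificate is still not trusted). Host name and port are parameters; the host used in the usage line is a placeholder. The probe's own validation callback accepts any certificate so that an untrusted chain can still be inspected; the verdict comes from the X509Chain build, and nothing is sent over the connection.

```powershell
# Added example. Assumptions: host/port parameters; the usage host is a placeholder.

function Test-ServerCertChain {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    # Accept-all callback for the probe only: we want the certificate even when Windows rejects it.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    # The real verdict: build the chain with the machine's default policy.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($leaf)
    $status = @($chain.ChainStatus | ForEach-Object { "$($_.Status)" })   # e.g. UntrustedRoot, NotTimeValid

    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $rows = for ($i = 0; $i -lt $elements.Count; $i++) {
        $c = $elements[$i]
        # A self-signed root's own signature is never verified, so SHA-1 there is not the problem.
        $isRoot = ($i -eq $elements.Count - 1) -and ($c.Subject -eq $c.Issuer)
        [pscustomobject]@{
            Depth     = $i
            Subject   = $c.Subject
            SigAlg    = $c.SignatureAlgorithm.FriendlyName   # sha1RSA, sha256RSA, ...
            NotAfter  = $c.NotAfter
            Sha1Issue = (-not $isRoot) -and ($c.SignatureAlgorithm.FriendlyName -like 'sha1*')
        }
    }

    [pscustomobject]@{
        HostName         = $HostName
        TrustedByWindows = $trusted
        ChainStatus      = ($status -join ', ')
        Sha1InChain      = [bool]($rows | Where-Object { $_.Sha1Issue })
        Elements         = $rows
    }
}

# Usage: replace the placeholder host; for the CUPS case use the print server's name and port.
$r = Test-ServerCertChain -HostName 'cups.example.invalid' -Port 443
$r | Format-List HostName, TrustedByWindows, ChainStatus, Sha1InChain
$r.Elements | Format-Table Depth, SigAlg, NotAfter, Subject -AutoSize
```

For the SHA-1 question, a Sha1Issue of True on the leaf or an intermediate is exactly what Chrome objects to, and the NotAfter column tells you whether the expiry-in-2017-or-later condition applies; for the CUPS case, a ChainStatus of UntrustedRoot after the import means the certificate landed in a store Windows does not consult for that chain.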

Windows Phone 8 and HTTPS/SSL

I need to connect to a web service via HTTPS in my windows phone 8.0 app. It seems that there is no client SSL support from Microsoft about this issue.
I really need to know how to deal with certificates in WP8. What is the correct certificate? Which certificates need to be imported?
Scenario: I have an HTTPS endpoint, https://10.1.1.2, and when I connect there from my PC I am prompted to view and install the server's certificate. The certificate, named "The Root CA", is saved locally. The same certificate is installed on the mobile device without problems. When I open https://10.1.1.2 from the mobile Internet Explorer, it informs me that the web page is secure and I have to choose between closing and continuing to the page. I click continue and the https://10.1.1.2 transaction takes place. Every time I go to the same URL via the mobile Internet Explorer there is no warning to the end user regarding security.
According to Microsoft: "In most cases, you do not have to do anything to enable this for your Windows Phone app with the exception of using an address that begins with the https:// protocol scheme. Windows Phone then examines the certificate that is returned by the web service, and if the certificate is from one of the trusted authorities listed in SSL root certificates for Windows Phone OS 7.1, the Windows Phone app platform then uses the certificate in conjunction with the web service to encrypt all further communication, including the exchange of the authentication credentials as described previously. Although you can install trusted certificates on the Windows Phone, in the current release, the Windows Phone app platform does not expose those certificates' values to apps. As a result, in the current release, you cannot implement mutual authentication scenarios – scenarios in which the client sends its own certificates to the web service in addition to receiving one -- using certificates installed in the root store."
So, is this procedure OK? I cannot use one of the certificate authorities that Microsoft trusts by default. Do I need code?
Self signed certificate cannot be used and it does not automatically fetch data without intervention.
First of all, when testing your SSL connection through mobile IE, it appears from my testing that by pressing continue you are adding an exception to IE, not installing any certificates or getting the exception to apply phone-wide.
Secondly, using self-signed certificates on WP8 appears to be severely limited by the fact that any cert chain that does not use a built-in root CA will generate a failed certificate validation in your code. See the MSDN blog entry at http://blogs.msdn.com/b/davidhardin/archive/2010/12/30/wp7-and-self-signed-ssl-certificates.aspx
where he states: "You can implement your own certificate authority using Microsoft Certificate Services but you'll still need a certificate from one of the phone's certificate authorities to chain your certificate authority to."
The only "solution" I've seen posted is to effectively ignore all certificate warnings - which is no solution at all.