Mismatched Address certificate error - HTTPS localhost IIS
In this post, I describe how to use HTTPS with SSL on a local IIS development environment without the Mismatched Address certificate error.
Cause
This error can occur when you use Create Self-Signed Certificate in IIS. The error says "Mismatched Address" and that the server cannot prove that it is the host named in the address.
Resolution
To resolve the issue, you can use the PowerShell cmdlet New-SelfSignedCertificate to create the certificates.
The following PowerShell code will create the root certificate, then create the SSL certificate signed by the root certificate, then import the root certificate into the Trusted Root Certification Authorities store:
# Create the root certificate and keep its thumbprint
$thumb = (New-SelfSignedCertificate `
    -Type "Custom" -KeyExportPolicy "Exportable" -Subject "ROOT" `
    -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "Signature" -KeyUsage "CertSign" `
    -NotAfter (Get-Date).AddDays(10000)).Thumbprint

# Create the SSL certificate using the thumbprint of the root certificate
New-SelfSignedCertificate `
    -Type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=localhost" `
    -DnsName "localhost" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "KeyExchange" `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") `
    -Signer "Cert:\LocalMachine\My\$thumb" `
    -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
    -NotAfter (Get-Date).AddDays(10000)

# You can't create the root certificate directly in the Trusted Root Certification Authorities store, so export it to a file
Export-Certificate -Cert "Cert:\LocalMachine\My\$thumb" -FilePath c:\localhost.cer

# Then import it into the Trusted Root Certification Authorities store
Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root\ -FilePath c:\localhost.cer
Once created, you can then use the SSL certificate in your https binding in IIS.
Note: You will still get a "ERR_CERT_WEAK_SIGNATURE_ALGORITHM" error in Chrome.
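A check to run after the script above, as an added example that is not part of the original post: it reads the newest CN=localhost certificate from Cert:\LocalMachine\My and reports the names in its Subject Alternative Name, whether the chain builds to a trusted root, and the signature algorithm. Chrome reports ERR_CERT_WEAK_SIGNATURE_ALGORITHM for certificates signed with SHA-1 or MD5; Test-LocalhostCertificate and its parameter names are hypothetical and belong to this example only.

```powershell
# Added example (not from the original post). Test-LocalhostCertificate is a
# hypothetical helper name; the defaults match the script above.
function Test-LocalhostCertificate {
    param(
        [string]$Subject = "CN=localhost",          # subject used by the script above
        [string]$Store   = "Cert:\LocalMachine\My"  # store used by the script above
    )

    # Pick the most recently issued certificate with that subject
    $cert = Get-ChildItem -Path $Store |
        Where-Object { $_.Subject -eq $Subject } |
        Sort-Object -Property NotBefore -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject '$Subject' in $Store" }

    # The Subject Alternative Name extension (OID 2.5.29.17) holds the DNS names
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $sanText = if ($san) { $san.Format($false) } else { "" }

    # Signature OIDs for md5WithRSAEncryption and sha1WithRSAEncryption
    $weakOids = @("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5")

    # Build the chain against the Windows trust stores; revocation checking is
    # skipped because a local test root publishes no CRL
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "NoCheck"
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint         = $cert.Thumbprint
        Issuer             = $cert.Issuer
        SubjectAltName     = $sanText
        HasLocalhostName   = $sanText -match '\blocalhost\b'
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
        WeakSignature      = $weakOids -contains $cert.SignatureAlgorithm.Value
        ChainBuilds        = $chainOk
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
    }
}

Test-LocalhostCertificate | Format-List
```

If you changed 'localhost' to another host name in the script, pass the matching value with -Subject and adjust the name pattern accordingly.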
Greetings! Your script worked successfully but unfortunately with no result..
Are there any other steps we need to do? Do You use IE to import this certificate to trusted store?
Hi Rockie, thanks for your comment. Did you select the SSL certificate in the https binding in IIS?
Ok, thank You much Howard for the PS script!
- uploaded Your certificate to "Security"-> "Manage trust" in CA
- used this video (on 7-th minute https://youtu.be/zB4fYkfWcAw?t=423 ) to add this certificate to Trusted Root Cert. Authorities in Group Policies
- restarted WFE
Now it works for old IE but edge and chrome still give error NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM (Yes You are right)
Don't You have any idea how to avoid this warning? In old videos there was no such error but looks like browsers have strengthened security..
Best regards, Gennady
No problem, happy to help. I didn't investigate any further as I didn't need to remove the error in Chrome or Edge. Please do comment again if you find a way to remove the error in modern browsers!
Hi Howard!
Not 100% sure but looks like this method worked for me (for Chrome and Edge):
https://stackoverflow.com/a/15076602/348736
The error disappeared but now it started to ask credentials for every new session :)
In a nutshell they export existing certificate in P7b format, and then import it again and restart Chrome..
Thank You again for sharing script (I changed 'localhost' to my portal name everywhere).
Best regards, Gennady
Hi Gennady,
Thanks for the link and information.
Regards,
Howard
I've created a follow up post describing how to create a self-signed certificate that does not cause the error NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
https://howardsimpson.blogspot.com/2023/10/err-cert-weak-signature-algorithm-iis-self-signed-ssl-certificate.html
Hi Howard!
Thank You!) I added Your link to notes
Best regards, Gennady