
Fixing IIS Express Developer SSL Certificate & Chrome 58+ [missing_subjectAltName]

Chrome 58 removed support for matching an SSL certificate to the requested host name by its Common Name (CN) when the certificate carries no Subject Alternative Name (SAN) extension. As a result, users running IIS Express configured for SSL now see the following error in Chrome.

Error

The server could not prove that it is localhost; its security certificate is from [missing_subjectAltName]. This may be caused by a misconfiguration or an attacker intercepting your connection.

The real issue

The real issue here is not Chrome but the self-signed SSL certificate that is installed as part of IIS Express. That certificate contains no SAN extension, so Chrome refuses to accept it for localhost. Repairing IIS Express didn't help, and generating a new certificate with MakeCert still didn't produce a certificate Chrome would accept. In the end I used a PowerShell command to generate a new SSL certificate, and that one contained the required SAN entry.


Solution

As I mentioned, my solution was to generate a new certificate, but then I needed to tell Windows (the HTTP.sys SSL binding for the IIS Express port) to use the new certificate instead of the default IIS Express certificate. To achieve this, I used these steps.

  1. Generate a new certificate and keep a copy of its thumbprint (the command prints it) by running the following from a PowerShell prompt running as Administrator, since it writes to the LocalMachine store.
    New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My"

  2. Find the SSL port used by your IIS Express project by looking at the project's Properties page in Visual Studio. In my case it was port 44356.


  3. Remove the existing SSL binding for that port from HTTP.sys by running the following command in a Command window running as Administrator.

    netsh http delete sslcert ipport=0.0.0.0:44356

  4. Bind the new certificate's thumbprint to your application port by running the following command in a Command window running as Administrator (replace the certhash with the thumbprint from step 1).

    netsh http add sslcert ipport=0.0.0.0:44356 certhash=FD2CEA29AAF201890C90F08CA7658D275EB3D01A appid={ff5740e4-a630-46d5-b8d6-0a0fb246a3fe}

    NOTE: The appid is just a GUID that identifies the application responsible for the binding; any GUID can be used here.
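The four steps above as one script, run from an elevated PowerShell prompt. This is an added example, not code from the original post: it first inspects the SAN of the certificate currently bound to the port (the missing SAN is what Chrome 58+ rejects), then creates the new certificate, checks that it actually carries a SAN entry, and rebinds the port. The port number is an assumption (use the one from your project's Properties page), the appid GUID is generated fresh, and the step that copies the new certificate into Trusted Root is my addition, not one of the post's steps: a certificate in LocalMachine\My alone is not trusted, so without it Chrome reports a trust error once the SAN error is gone.

```powershell
# Added example, not code from the original post. Run as Administrator.
# Assumptions: $port is your IIS Express SSL port; the appid is any fresh GUID.
$port   = 44356
$ipport = "0.0.0.0:$port"

function Get-SanText([System.Security.Cryptography.X509Certificates.X509Certificate2] $c) {
    # Returns the decoded SAN extension text (e.g. "DNS Name=localhost"), or $null if absent.
    $ext = $c.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($ext) { $ext.Format($false) } else { $null }
}

# Inspect the certificate currently bound to the port. Parsing netsh output is
# locale dependent; "Certificate Hash" is the label on an English Windows.
$show = netsh http show sslcert ipport=$ipport
$m = $show | Select-String 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})' | Select-Object -First 1
if ($m) {
    $oldThumb = $m.Matches[0].Groups[1].Value
    $old = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $oldThumb }
    if ($old) {
        $san = Get-SanText $old
        Write-Host "Current cert $oldThumb SAN: $(if ($san) { $san } else { '<none> (this is what Chrome 58+ rejects)' })"
    }
}

# Step 1: create a self-signed certificate whose SAN carries DNS Name=localhost.
$cert  = New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "Cert:\LocalMachine\My"
$thumb = $cert.Thumbprint
$san   = Get-SanText $cert
if (-not $san) { throw "New certificate has no SAN extension; Chrome would still reject it." }
Write-Host "New cert $thumb SAN: $san"

# Not a step in the post (my addition): a certificate in LocalMachine\My is not
# trusted by itself, so copy it into Trusted Root to avoid a trust error after
# the SAN error goes away.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$root.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$root.Add($cert)
$root.Close()

# Step 2 is the port lookup above. Step 3: remove the existing binding
# (netsh reports an error if there is none; that is harmless here).
netsh http delete sslcert ipport=$ipport | Out-Null

# Step 4: bind the new certificate to the port under a fresh appid.
$appid = "{$([guid]::NewGuid())}"
netsh http add sslcert ipport=$ipport certhash=$thumb appid=$appid

# Confirm HTTP.sys now serves the new thumbprint on this port.
netsh http show sslcert ipport=$ipport
```

The `Get-SanText` check is the useful part to keep around: it is the same test Chrome 58+ applies, so running it against any certificate that produces `[missing_subjectAltName]` tells you immediately whether the certificate or the binding is the problem.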

What about MakeCert?

It turns out that MakeCert has no option for adding a SAN extension, so it cannot produce a certificate that Chrome 58+ will accept. Don't use MakeCert to try to solve this problem.

Chrome Changes

The changes by Google are documented here:
https://groups.google.com/a/chromium.org/forum/#!msg/security-dev/IGT2fLJrAeo/csf_1Rh1AwAJ
https://bugs.chromium.org/p/chromium/issues/detail?id=700595&desc=2
https://bugs.chromium.org/p/chromium/issues/detail?id=308330