IE8 Will Not Install SSL Certificate - internet-explorer-8

I have my own SSL for development purposes. Normally when IE would give you the WARNING you could simply install the certificate, restart IE and go back to the server without warning. In IE8 I cannot avoid the warning. I have installed the certificate into every single store without success using both the MMC and cert manager in IE8. WHAT AM I MISSING?!

Add the site to trusted sites. Then you will have the option to install the certificate after clicking the Certificate error box and then View Certificate.

Which certificate are you trying to install?
You must install the ROOT certificate, not the END-ENTITY certificate which is signed by that self-signed root. It should go in the Trusted Root Certification authorities store.

1. Make sure your cert's CommonName matches the domain name. For example, if your website will be accessed at 'https://www.example.com', CommonName should be 'www.example.com'. If this doesn't match, nothing you do in the second and third step will matter.
2. Run IE8 in administrator mode and navigate to your HTTPS URL. Continue beyond warning, then view the site's cert to access the 'Install Certificate' button.
3. Add the cert to Trusted Root CA Certificates.
4. Restart IE8 in protected mode then navigate to your HTTPS URL again. All warnings should be gone.

I could not install the certificate from IE. I had to finally use MMC (Management Console). Instructions here: http://technet.microsoft.com/en-us/library/cc757688(v=ws.10).aspx

Related

Problem with Jmeter certificate to record a test

I'm trying to record a test, but when I install my JMeter certificate in Chrome and access the site that I want to record, Chrome returns this:
But the certificate that I installed before accessing the site is 100% valid:
Other points:
I already made the Jmeter HTTPS proxy route configuration;
I already made the Windows/Browser proxy route configuration;
I installed the certificate correctly.
I don't know why my browser is not looking for the valid certificate and even without any certificate installed, still looks to this invalid certificate
If this is blocking you please install the certificate on Firefox and proceed with recording after setting the proxy.
1. Open Firefox
2. Type about:preferences in the address bar
3. Search for certificates in search box
4. Click on View Certificate button
5. Select Authorities tab
6. Click on Import button
7. Select the certificate from your JMeter/bin folder
8. Check the first option in the popup (Trust CA to identify the websites)
9. Click OK
Chrome warns you because JMeter's certificate is self-signed and it cannot be validated against a trusted CA.
The options are in:
1. Ignore this error, the options are in:
   a. Click "Proceed to unsafe" (if it's available)
   b. Launch Chrome with --ignore-certificate-errors command-line argument:
   c. type badidea anywhere at the page
2. Add JMeter's self-signed certificate to Windows Trusted Root Certification Authorities:
Mac OSX instructions for this were nowhere to be found.
On a Mac, just import "the root cert" from the Jmeter bin directory and into your "Keychain Access" tool. If you have to, you can use a tool called "Keystore Explorer" to convert the .crt file to a .cer before you do that import.
Then, you have to mark the cert trusted like this:

Create self signed certificate for testing localhost and have it accepted by the browsers

I've been trying for weeks now to get this self signed certificate working in several browsers (Chrome, Firefox, Edge, IE).
I managed to create the certificate and install it as a trusted root certificate but in every browser I have to bypass the security to be able to have the test environment (website with xampp).
Today I have focused on Edge and IE (without success), and since the procedure for chrome is slightly different, I will try to make it work in chrome tomorrow.
I tried both to create a new one, and to duplicate an old (working) one, this way:
To create a new certificate, open PowerShell as admin, then:
New-SelfSignedCertificate -DnsName "127.0.0.1", "localhost" -CertStoreLocation "cert:\LocalMachine\My"
exported as mentioned in this description.
To clone, I used the example in this documentation.
Then I imported the certificates in the 'trusted root certificate' using certlm.msc.
But I got the error codes DLG_FLAGS_INVALID_CA and DLG_FLAGS_SEC_CERT_CN_INVALID in Edge and IE.
Does someone know a procedure to make this work?
I've been looking all over the net without finding one.
I was trying to do a similar thing and did get the following to work:
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname localhost -FriendlyName "Dev localhost" -NotAfter (Get-Date).AddMonths(240) -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
The 'NotAfter' param extends the cert to 20 years.
The 'TextExtension' param configures the cert for 'Server Authentication' only. Without this, it defaults to Client Auth + Server Auth. I haven't researched, but the Client Auth seems to cause an issue (which is odd since most online examples don't mention it; I only found one that did).
This will create the cert in both the LocalComputer\Personal & LocalComputer\Intermediate Certification Authority. It also allows you to select the cert in IIS.
In order to actually run the site, the cert needs to get into the Trusted Root Certification Authority. To accomplish this, you can either export/import the cert or nav to the site in IE, click on the red security area and work your way thru the screens to import the cert. The link above shows the import/export approach.
Final notes:
I had to close/re-open IE (11.726.15063) to get the security prompt to go away despite IE telling me that the cert was installed.
My site was working fine in chrome (62) after the security warning cleared in IE.
I was using localhost and a non-standard port for my site, not a DNS name. Everything seemed fine.
HTH
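The layout the answers in these threads point toward, as an added example that is not part of the original posts: a private root CA signs a localhost server certificate, and only the root's public certificate is placed in Trusted Root Certification Authorities. The subject names, validity periods and export path are assumptions.

```powershell
# Added example, not code from the original posts. Run in an elevated Windows PowerShell.
# Subject names, validity periods and the export path are assumed values.

# 1. Private root CA: flagged as a CA, usable only for signing certificates and CRLs.
$root = New-SelfSignedCertificate -Type Custom `
    -Subject 'CN=Dev Local Root CA' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyUsage CertSign, CRLSign `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(5) `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0')

# 2. Server certificate signed by that root. The SAN lists every name the browser
#    will be pointed at (127.0.0.1 as an IP address entry, not a DNS name), and the
#    EKU is Server Authentication only, as in the answer above.
$leaf = New-SelfSignedCertificate -Type Custom `
    -Subject 'CN=localhost' `
    -Signer $root `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -FriendlyName 'Dev localhost' `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -NotAfter (Get-Date).AddYears(1) `
    -TextExtension @(
        '2.5.29.17={text}DNS=localhost&IPAddress=127.0.0.1&IPAddress=::1',
        '2.5.29.37={text}1.3.6.1.5.5.7.3.1'
    )

# 3. Trust the ROOT, not the end-entity certificate: export only its public part
#    and import that into Trusted Root Certification Authorities.
$rootCer = Join-Path $env:TEMP 'dev-local-root.cer'
Export-Certificate -Cert $root -FilePath $rootCer | Out-Null
Import-Certificate -FilePath $rootCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. The leaf stays in LocalMachine\My, where IIS can bind it by thumbprint.
#    The root's private key also stays there: anything it signs is trusted by this
#    machine, so keep it off shared hosts and give it a short lifetime.
$leaf | Format-List Subject, Issuer, Thumbprint, NotAfter
```

Firefox keeps its own Authorities list by default, so the exported root file has to be imported there separately.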

Firefox: certificate is not trusted because the issuer certificate is unknown

I'm working in a lab environment. I have a Windows-based CA and an SSL-secured website on IIS (on the same machine) with a cert issued from that CA.
When I browse to this site in Firefox using SSL, I get an error "The certificate is not trusted because the issuer certificate is unknown."
If I go to Tools -> Options -> Advanced -> Certificates -> View Certificates -> Authorities, my CA's cert is in the list. If I double-click that certificate, I get "Could not verify this certificate because the issuer is unknown."
Isn't the whole point of adding a CA's cert into the Authorities list to tell Firefox, "Hey... you know this CA, go ahead and trust the certs that it issues?"
How do I fix this problem?
Firefox is (mostly in its desktop versions) very special in checking certificates. Where Google Chrome meets the root certificate, Firefox needs the FULL chain up to the root certificate in your crt file. And don't forget to prefix https:// to the request!

Import self signed ssl certificate .pem to firefox

I added self signed certificate in .pem format in Firefox under Authorities tab. When I access site, Firefox throws error
mozilla_pkix_error_ca_cert_used_as_end_entity
It says that the certificate is not trusted because it is self signed. What can be the issue?
If you add the certificate as authority then it should be used as authority, i.e. for signing other certificates. If you instead use it as a server certificate (i.e. as end entity and not authority) then it should not be added as authority to Firefox but instead as server certificate. This will be automatically done if the certificate is not known and you click through the certificate error messages when connecting to your site and accept the site's certificate permanently.
You should also make sure that your certificate contains the necessary key purpose to be used as a server certificate.
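A check for the rejection causes named in these threads (CA certificate used as end entity, missing server key purpose, name mismatch, untrusted issuer), as an added example that is not part of the original posts. The function name `Test-DevServerCertificate` and its parameters are hypothetical.

```powershell
# Added example, not code from the original posts. Windows PowerShell.
# Test-DevServerCertificate is a hypothetical helper name.
function Test-DevServerCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $HostName   # DNS name typed into the browser
    )
    $findings = @()

    # CA=TRUE marks an authority; serving it directly as the site's certificate is
    # what Firefox reports as mozilla_pkix_error_ca_cert_used_as_end_entity.
    $bc = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    if ($bc -and $bc.CertificateAuthority) {
        $findings += 'Basic Constraints has CA=TRUE: an authority, not a server certificate'
    }

    # If an EKU extension is present it must list Server Authentication.
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) {
        $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($usages -notcontains '1.3.6.1.5.5.7.3.1') {
            $findings += 'EKU does not include Server Authentication (1.3.6.1.5.5.7.3.1)'
        }
    }

    # Name check (the DLG_FLAGS_SEC_CERT_CN_INVALID case). DnsNameList is PowerShell's
    # view of the certificate's DNS names; exact match only, wildcards and IP address
    # SAN entries are not evaluated here.
    $names = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
    if ($names -notcontains $HostName) {
        $findings += "Name '$HostName' not among certificate names: $($names -join ', ')"
    }

    # Chain check against the Windows trust stores (the DLG_FLAGS_INVALID_CA case).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # lab certificates publish no CRL
    if (-not $chain.Build($Certificate)) {
        foreach ($s in $chain.ChainStatus) { $findings += "Chain: $($s.Status)" }
    }
    $findings   # empty when none of the checks fired
}

# Report on every certificate in the machine's Personal store for the name 'localhost'.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{
        Subject  = $_.Subject
        Findings = Test-DevServerCertificate -Certificate $_ -HostName 'localhost'
    }
}
```

The chain result reflects the Windows stores used by IE, Edge and Chrome; Firefox evaluates against its own Authorities list unless configured otherwise.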

Changing Fiddler root certificate to successfully decrypt HTTPS

Is there a way to change Fiddler's root certificate? I want it for a scenario when the client app uses certificate pinning and I have access to the keystore, whose certificate is being trusted by the client app.
I think you're asking "Can I change the certificate Fiddler uses for a particular site" rather than the root certificate, which is used for all sites.
Yes, if you really do have the private key for the certificate, you can configure Fiddler to use it. Inside Fiddler's Rules > Customize Rules > OnBoot function, you can call either:
CertMaker.StoreCert("example.com", certMyCert);
or
CertMaker.StoreCert("example.com", "C:\\temp\\cert.pfx", "TopSecretPassword");
The first call requires that your X509Certificate2 variable (certMyCert in this case) refer to a certificate that is already installed in your computer's Certificate Manager (certmgr.msc), so its private key can be found, while the second allows you to specify a PFX file from disk.
