What do I need to do to get Internet Explorer 8 to accept a self signed certificate?

Question

We use self signed certificates on our intranet. What do I need to do to get Internet Explorer 8 to accept them without showing an error message to the user? What we did for Internet Explorer 7 apparently isn't working.

EDIT: Internet Explorer 7 wouldn't show any errors if I put the certificate into trusted root certification authorities. Internet Explorer 8 seems to show errors even with the certificate there.

Answer 1

You can use CertMgr to add a certificate as a trusted publisher or if it is self-signed, as a root certificate

CertMgr.exe /add CertificateFileName.cer /s /r localMachine root

See Microsoft's documentation here:

https://learn.microsoft.com/en-us/windows-hardware/drivers/install/using-certmgr-to-install-test-certificates-on-a-test-computer

Answer 2

This may help someone I am on IE11 windows 7 and what I did In addition to install the certificate is Going to internet options ==> advance tab == > security ==> "remove the check " from warn about certificate address mismatch in addition to below - dont forget to close All IE instances and restart- after finishing :

1-Start Internet Explorer running .

2-Browse to server computer using the computer name (ignore certificate warnings)

3-Click the ”Certificate Error” text in the top of the screen and select ”View certificates”

4-In the Certificate dialog, click Install Certificate -> Next

5-Select Place all certificates in the following store -> Browse

6-Install to the trusted root Certification ..

then restart .

Hope this help someone .

Answer 3

If you are doing some local testing and that you add some alias in the hosts files say

127.0.0.1 www.mysite.com

and try to use any of the above procedures you will fail. The reason is that you will import a certificate for localhost. The certificate URL won't match.

In that situation you will have to generate a self-signed certificate and THEN import it as described above.

If you are using Xampp the generation of the correct certificate can be done easily using c:\xampp\apache\makecert.bat

Answer 4

I tried all mentioned solutions but none of them worked. Using Internet Explorer 11 (11.0.9600.17914), there was no way of accepting invalid certificates as the error looked exactly as an 404.

What helped was the following: - add host to trusted sites (as mentioned a couple of times here) - disable TLS 1.2 and enable SSL 1.0 & SSL 2.0

The last step is something you should ONLY DO if you know what you're doing. We need to use a pretty strange setup here at work, thus we couldn't find another way of getting access to the system. Usually, downgrading security like that should not be done.

Answer 5

I got it working like this

1. Start Internet Explorer running as a user with administrative privileges.
2. Browse to server computer using the computer name (ignore certificate warnings)
3. Click the ”Certificate Error” text in the top of the screen and select ”View certificates”
4. In the Certificate dialog, click Install Certificate -> Next
5. Select Place all certificates in the following store -> Browse
6. Check Show Physical Stores check box
7. Select Trusted Root Certificate Authorities – Local Computer
8. Click OK – Next – Finish – OK
9. Restart Internet Explorer

Answer 6

How to install the CA Root Cert, and not the Website Cert: (IE8, Win7)

When you bring up the certificate details you are looking at the website cert, and not the CA cert. The General tab will say, "This certificate cannot be verified..." You need to select the CA by clicking on the Certification Path tab, and selecting the top most cert in the path. It should have a red X icon, and should say, "This CA Root certificate is not trusted because..." Click the View Certificate button, and on this new General tab you should see, "This CA Root is not trusted..." This is the certificate that you want to import into the Trusted Root Certificate Authority.

Once you have imported the CA, you do not need to import the regular website cert. That cert will get matched up to the CA you just imported, and IE will treat everything as working normally. You do not need to run IE as Admin, and you do not need to add the site to trusted sites first. You do need to restart IE after the import.

Answer 7

How to make IE8 trust a self-signed certificate in 20 irritating steps

1. Browse to the site whose certificate you want to trust.
2. When told “There is a problem with this website's security certificate.”, choose “Continue to this website (not recommended).”
3. Select Tools➞Internet Options.
4. Select Security➞Trusted sites➞Sites.
5. Confirm the URL matches, and click “Add” then “Close”.
6. Close the “Internet Options” dialog box with either “OK” or “Cancel”.
7. Refresh the current page.
8. When told “There is a problem with this website's security certificate.”, choose “Continue to this website (not recommended).”
9. Click on “Certificate Error” at the right of the address bar and select “View certificates”.
10. Click on “Install Certificate...”, then in the wizard, click “Next”.
11. On the next page select “Place all certificates in the following store”.
12. Click “Browse”, select “Trusted Root Certification Authorities”, and click “OK”.
13. Back in the wizard, click “Next”, then “Finish”.
14. If you get a “Security Warning” message box, click “Yes”.
15. Dismiss the message box with “OK”.
16. Select Tools➞Internet Options.
17. Select Security➞Trusted sites➞Sites.
18. Select the URL you just added, click “Remove”, then “Close”.
19. Now shut down all running instances of IE, and start up IE again.
20. The site’s certificate should now be trusted.

Answer 8

You need to make sure that the Self Signed Certificate uses the correct common name for the domain you are setting up. If you are going to use the same certificate for multiple domains you need to either have a unique certificate for each domain, or if all of your ssl sites are subdomains of a common domain, then you can generate a certificate with a wildcard domain like *.domainname.tld.

If you don't set up your common name correctly in your self signed certificate then Chrome and Firefox may work, but IE might not be able to find the certificate when you load the site each time. In IE it will appear like you have added the site's cert but in fact on page load it will never be found.

how to set up SSL for Apache for a Mac so I can test Cross Domain iFrame on IE8

Answer 9

I have tried lots and lots of steps from different people posted on different websites. But none of them mention that I should add the certificate into the Trusted People keystore.

That's right, placing it under trusted CA is not enough for my case, I have to put the certs inside the Trusted People also.

That's:

1. Run MMC
2. Add Certificate Snap-in choose Local Computer
3. Expand Certificates(Local Computer) -> Trusted People -> Certificates
4. Right click All Task -> Import
5. Finish the wizard

To export the certificate:

1. Run IE as admin (right click, run as admin)
2. When prompted invalid cert, go ahead visit the website anyway
3. Click the certificate error near the address, click view certificate
4. Go to Details tab, click Copy To file
5. Save as *.cer file.

I'm on IE9, Windows 7

Answer 10

As everyone else has mentioned, the first task is to add the certificate to the Trusted Root Authority.

There is a custom exe (selfssl.exe) which will create a certificate and allow you to specify the Issued to: value (the URL). This means Internet explorer will validate the issued to url with the custom intranet url.

Make sure you restart Internet Explorer to refresh changes.

Answer 11

If you're getting an address mismatch error, just allow address mismatches:

1. Tools and select Internet Options
2. select the Advanced tab
3. Scroll down and uncheck Warn about certificate address mismatch

Answer 12

Unfortunately none of the solutions worked for me. I used Internet Explorer 8 on Windows 7. When I was looking for a solution, I found the settings about login information in the control panel. So I added a new entry under the certificate based information with the address of my server and I chose my prefered certificate.

After a clear of the SSL cache in Internet Explorer 8 I just refreshed the site and the right certificate was sent to the server.

This isn't the solution which I wanted, but it works.

Answer 13

Make sure that your self-signed certificate matches your site URL. If it does not, you will continue to get a certificate error even after explicitly trusting the certificate in Internet Explorer 8 (I don't have Internet Explorer 7, but Firefox will trust the certificate regardless of a URL mismatch).

If this is the problem, the red "Certificate Error" box in Internet Explorer 8 will show "Mismatched Address" as the error after you add your certificate. Also, "View Certificates" has an Issued to: label which shows what URL the certificate is valid against.

Answer 14

You can use GPO to use the certificate within the domain.

But my problem is with Internet Explorer 8, that even with the certificate in the trusted root certification store... it still won't say it's a trusted site.

With this and the driver signing that needs to be done now... I'm starting to wonder who owns my computer!

Answer 15

What were you doing before? For self-signed certificates, I would normally install the certificate locally on the client system.

You may be able to use Group Policy to push a certificate to every system.

Answer 16

Here is how I got it to work in IE8:

1. Go to the website in question, https://xxx.yyy.com, for instance,
2. Click through until you get to the Certificate error in the browser status line.
3. View the cert, then from the Details tab, select Copy to File.
4. Save to the desktop as xxx.cer, for example,
5. Start, Run, MMC.
6. File, Add/Remove Snap-In,
7. Select Certificates, Click Add, My User Account, then Finish, then OK,
8. Dig down to Trust Root Certification Authorities, Certificates,
9. Right-Click Certificate, Select All Tasks, Import,
10. Select the Save Cert from the Desktop
11. Select Place all Certificates in the following Store, Click Browse,
12. Check the Box that says Show Physical Stores, Expand out Trusted Root Certification Authorities, and select Local Computer there, click OK, Complete the Import,
13. Check the list to make sure it shows up. You will probably need to Refresh before you see it. Exit MMC,
14. Open Browser, select Tools, Delete Browsing History
15. Select all but Inprivate Filtering Data, complete,
16. Go to Internet Options, Content Tab, Clear SSL State,
17. Close browser and reopen and test.

Answer 17

Man, today I've spent a few hours fighting this problem. No matter what I did in the IE 8, the problem remained. The certificate installed by the IE appears in the Trusted Root Certification Authorities of the client PC, however the IE still complains no matter what.

Here's the solution I've discovered:

On the web server:

• Win+R, MMC, Enter.
• File, Add-Remove snap-in, Certificates, Add, Manage certificates for: my user account, Finish, OK.
• Navigate to "Certificates - current user / Trusted Root Certification Authorities / Certificates".
• Find your certificate, right-click, All tasks / Export.
• "No, don't export the private key"
• "DER Encoded binary X.509 (.CER)"
• Save the file somewhere.
• Transfer the newly created .CER file to the client PC.

On the client machine:

• Win+R, MMC, Enter.
• File, Add-Remove snap-in, Certificates, Add, Manage certificates for: my user account, Finish, OK.
• Navigate to "Certificates - current user / Trusted Root Certification Authorities / Certificates".
• Right-click on Certificates container, All tasks / Import
• Choose your .CER file you've transferred from the server machine.
• On the next screen, choose "Place all certificates in the following store", click "Browse", check "Show physical stores", then choose "Trusted Root Certification Authorities / Local Computer".
• Press "Finish" finally.
• In Internet Explorer: Tools - Delete browsing History,
• In Internet Explorer: Tools - Internet options - "Content" tab - Clear SSL state button.

Answer 18

I had the same issue while working with web services. Here Microsoft has a (long) walk-thru showing you how to install stuff on the client to basically say that your self-signed cert is ok. In the end, I just spent the $30 and bought a full certificate from Godaddy.com.

P.S. I know that you can code around the error message but we didn't want to do that for testing reasons.

Answer 19

It doesn't look like it's possible to not have the certificate error any more. I'm on Windows XP with IE 8. Group Policy had installed a self-signed certificate as a trusted root certificate for access to an internal site. When I look at MMC with the certificate snap-in I can see the certificate there OK.

When I look at:

Internet Options => Content => certificates

It isn't there!

This behaviour in IE started since our admins let loose with the last lot of Patch-Tuesday updates which installed on my machine on 10th Dec 2009. Prior to that it was quite happy to accept the certificate as valid.

Answer 20

It's not enough to install the certificate itself, instead you need to install the root certificate of your certification authority. Say if you use Win Server's Certificate Services, its root certificate which was created when CS was installed on that server is the one to be installed. It must be installed to the "Trusted Root Certification Authorities" as described earlier.

Answer 21

You should install your certificate as a trusted authority on your computer.

There are numerous way to do that, for exampe you could use mmc (start/run/mmc), add the Certificates Snap-In, and from there you can install your self-signed certificate.

There's no way around that because the whole point of certificates is to warn the user if the website he's visiting has not been certified by a trusted authority.