
Purpose:

This process shows you how to generate a new certificate from your AD Certificate Store that is compatible with recent security changes made in the Chrome browser.

 

Disclaimer:

These instructions involve granting your web server permissions to a Web Server Certificate template in your AD Store. We encourage you to review this process and have it approved before applying it to your production environment.

 

1. Log into your Active Directory Certificate Authority server as a Domain Administrator

2. Open certtmpl.msc

3. In the Properties of the Web Server template, give your Passwordstate web server Read, Write and Enroll permissions, and click OK.

 

2017-05-17_10-42-28.png

 

 

4. Log into your Passwordstate web server as a Domain Administrator and open certlm.msc

5. Expand Personal -> Certificates

6. Right click Certificates -> All Tasks -> Request a New Certificate

 

2017-05-17_10-30-48.png

 

7. Click Next

 

2017-05-17_10-31-14.png

 

8. Click Next

 

2017-05-17_10-31-34.png

 

9. Select the Web Server template, and click "More information is required to enroll for this certificate"

 

2017-05-17_10-42-50.png

 

10. Under Subject name, change the Type from Full DN to Common Name and type your Passwordstate URL. Click Add

11. Under Alternative name, change the Type from Directory Name to DNS and type your Passwordstate URL. Click Add

 

2017-05-17_10-44-50.png

 

12. Under the General tab, enter a Friendly name and click OK

 

2017-05-17_10-44-44.png

 

13. Click Enroll

14. Open IIS, and set the new certificate to your HTTPS web binding

 

2017-05-17_10-45-57.png

 

15. From your desktop, you should now be able to browse to your Passwordstate website, and Chrome will treat it as secure.

 

2017-05-17_11-28-20.png

 

 

 

Related Error #1:

Certificates with a Signature Hash Algorithm of SHA-1 can also generate security warnings in later versions of Chrome. You may see the error below if your certificate is signed using SHA-1. There are different ways to upgrade your Certificate Store to SHA-256, but one of our customers kindly linked us to this article (thanks, Luis :) ), which helped him out: https://technet.microsoft.com/en-us/library/dn771627.aspx

 

2017-05-19_8-13-06.png

 

 

Related Error #2:

When you request this certificate on your web server, the wizard installs it in the Intermediate Certification Authorities store, which can cause the browser on the web server not to trust the certificate. You may notice this behavior:

 

2017-07-31_11-19-13.png

 

To fix this, either install the certificate using Internet Explorer into the Local Machine Trusted Root Certification Authorities store, or just copy and paste the certificate as per the two screenshots below. You'll need to restart your browser for this to take effect:

 

Copy Certificate from This Location:

2017-07-31_11-17-39.png

 

Into this Location:

2017-07-31_11-20-06.png
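
An added example, not part of the original post: a PowerShell check, run on the web server, that the certificate enrolled in the steps above carries the site's host name as a DNS entry in its Subject Alternative Name and is not SHA-1 signed (Related Error #1). The function name `Test-WebServerCertificate` and the host name `passwordstate.example.com` are placeholders assumed for illustration.

```powershell
# Added example (not from the original post). The function name and the host name
# below are assumptions; replace the host name with the DNS value you enrolled.
function Test-WebServerCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string]$HostName
    )

    # Collect DNS entries from the Subject Alternative Name extension (OID 2.5.29.17).
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($sanExt) {
        # Format($true) returns one entry per line, e.g. "DNS Name=host.example.com".
        # The "DNS Name" label is the English form; it is localized on other systems.
        $dnsNames = @($sanExt.Format($true) -split '\r?\n' | ForEach-Object {
            if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
        })
    }

    # Exact match, or a wildcard entry covering exactly one left-most label.
    $hostInSan = [bool]($dnsNames | Where-Object {
        $_ -eq $HostName -or (
            $_.StartsWith('*.') -and
            $HostName -like "*$($_.Substring(1))" -and
            $HostName.Split('.').Count -eq $_.Split('.').Count
        )
    })

    # sha1RSA and sha1ECDSA signature algorithm OIDs.
    $sha1Oids = '1.2.840.113549.1.1.5', '1.2.840.10045.4.1'

    [pscustomobject]@{
        Thumbprint         = $Certificate.Thumbprint
        SanDnsNames        = $dnsNames -join ', '
        HostInSan          = $hostInSan
        SignatureAlgorithm = $Certificate.SignatureAlgorithm.FriendlyName
        Sha1Signed         = $sha1Oids -contains $Certificate.SignatureAlgorithm.Value
        HasPrivateKey      = $Certificate.HasPrivateKey
    }
}

# Check every certificate in the Local Machine Personal store (the one certlm.msc shows).
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    Test-WebServerCertificate -Certificate $_ -HostName 'passwordstate.example.com'
} | Format-List
```

For the certificate you bind in IIS, `HostInSan` and `HasPrivateKey` should be True and `Sha1Signed` should be False.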

 

 

 

 

 

 
