Chrome 58 and Self Signed Certificates in IIS

When working in development, sometimes you need to use an SSL certificate. There is no need to pay a provider to sign one for you, because you can create a ‘self signed’ certificate. IIS can do this out of the box for localhost - for more information, see Scott Guthrie’s walkthrough on creating a self signed certificate in IIS.

That worked great, for a while. But with Chrome 58, which was released in May 2017, a new security feature was introduced which prevents Chrome from trusting a self-signed certificate generated by IIS. The problem is that IIS generates a self signed SSL certificate that doesn’t include a SubjectAlternativeName (SAN), and starting with Chrome 58, certificates without a SAN are seen as insecure.

Here is what Chrome 58 does for a self signed certificate created by IIS:

Thanks to an answer by Chris on Stack Overflow, I now know how to fix this:

  1. In Chrome’s address bar navigate to chrome://flags/#allow-insecure-localhost
  2. Enable the ‘Allow Insecure Localhost’ setting
  3. Chrome will prompt you to restart Chrome – Restart Chrome

This will tell Chrome to ignore SSL certificate errors when browsing to localhost. The next time you visit your site in Chrome, you’ll still see the red icon, error, and strikethrough in the address bar, but as long as you are connecting to a port on localhost, Chrome won’t bother you or tell you that you aren’t allowed to load stuff from your site.

You can then ignore this error in the address bar - it’s there because Chrome analyzed the SSL certificate and saw that the SAN was missing - but for local development purposes, Chrome will still let you use the site.
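
To see the missing SAN for yourself, the following PowerShell checks a certificate for the subjectAltName extension. It is an added example, not code from the original post: the function names `Test-CertificateSan` and `New-TestCertificate` are hypothetical, and both sample certificates are constructed in memory (PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, is assumed).

```powershell
# Added example: report whether a certificate carries a Subject Alternative Name.
# The two sample certificates are constructed in memory; no store is modified.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Test-CertificateSan {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [X509Certificate2] $Certificate
    )
    process {
        # 2.5.29.17 is the OID of the subjectAltName extension
        $ext = $Certificate.Extensions |
            Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            Select-Object -First 1
        [pscustomobject]@{
            Subject = $Certificate.Subject
            HasSan  = [bool]$ext
            San     = if ($ext) { $ext.Format($false) } else { '(none)' }
        }
    }
}

function New-TestCertificate {
    # Hypothetical helper: no -DnsName gives a CN-only certificate (no SAN)
    param([string[]] $DnsName)
    $rsa  = [RSA]::Create(2048)
    $hash = [HashAlgorithmName]::SHA256
    $pad  = [RSASignaturePadding]::Pkcs1
    $req  = [CertificateRequest]::new('CN=localhost', $rsa, $hash, $pad)
    if ($DnsName) {
        $san = [SubjectAlternativeNameBuilder]::new()
        foreach ($name in $DnsName) { $san.AddDnsName($name) }
        $req.CertificateExtensions.Add($san.Build($false))
    }
    $now = [DateTimeOffset]::UtcNow
    $req.CreateSelfSigned($now, $now.AddDays(30))
}

# CN only, like the certificate described in this post
New-TestCertificate | Test-CertificateSan
# Same subject, with a DNS name in the SAN
New-TestCertificate -DnsName 'localhost' | Test-CertificateSan

# To check real certificates, pipe the machine's Personal store instead:
#   Get-ChildItem Cert:\LocalMachine\My | Test-CertificateSan
```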