Creating an SSL certificate for a private network without any warning messages

We have a server on a local business network running an IIS7 PHP webapp which is served to other client machines throughout the building via a common domain http://ourinternalnetwork/. I was just wondering if anyone knew a way to install a self-signed certificate without having any warning messages on the client machines accessing the https://ourinternalnetwork/ through Chrome.

We can make changes to each client machine manually if that would fix the issue, but is it just a case of installing this on the server in a particular way?

Thanks in advance!

To avoid the warning for a self-signed certificate you will have to ask your clients to "install the certificate". Depending on which OS your users use, they will have to do different things.

Additionally, since Chrome 58 you need to ensure that the server's cert contains a subjectAltName with the proper DNS and/or IP entry/entries, even if it's just for a single host.

Mac OS X

Since Chrome doesn't show the certificate options next to the URL anymore, your users will have to open the developer tools (Option + Command + i) and go to the "Security" tab. Then click "View Certificate" and then drag the certificate image and drop it to any folder.

Next, double-click the .cer file you've just saved and Keychain Access will open.

Choose a keychain to store it and click "always trust".

If you're not being asked where to save it or if you should trust it, locate the newly added certificate (it should be at the top of your list), right click it, choose "get info" and then choose "Always trust" in the Trust tab, under "When using this certificate".

You could automate this with a script like this:

sudo security add-trusted-cert -p ssl -d -r trustRoot -k ~/Library/Keychains/login.keychain selfsigned.crt

Windows

Follow the same steps as on OS X to download the certificate, then click on Start and run the command certmgr.msc

Expand the tree to get to Trusted Root Certification Authorities | Certificates. Go to All Tasks, choose Import and import the certificate in question.

On Windows you can script this using the following command:

certutil -addstore Root C:\windows\temp\selfsigned.crt

selfsigned.crt would be the PEM encoded certificate to install.

It's been a couple of years since I've used that, but if you copy the cert to each machine and run that, it should be considered trusted. Ideally, the cert would have been signed by your IIS Certificate Authority so you can simply install the self-signed root CA cert on each machine and then any cert signed by that will be trusted automatically.
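
The subjectAltName requirement mentioned in the answer can be checked before the certificate is copied to any client. The following is an added example, not part of the original answer: it issues a self-signed certificate with a DNS subjectAltName and tests whether a certificate carries that entry. The helper names `make_cert` and `has_dns_san` are hypothetical, the hostname is the one from the question, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (helper names are hypothetical). Requires the openssl CLI.

# make_cert HOST PREFIX [nosan]: write PREFIX.key and PREFIX.crt, self-signed
# for HOST. With "nosan" the certificate carries only a CN and no subjectAltName.
make_cert() {
    host=$1; prefix=$2; mode=${3:-san}
    cnf=$(mktemp) || return 1
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n'
        if [ "$mode" = san ]; then printf 'x509_extensions = v3\n'; fi
        printf '[dn]\nCN = %s\n' "$host"
        printf '[v3]\nsubjectAltName = DNS:%s\n' "$host"
    } > "$cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$cnf" -keyout "$prefix.key" -out "$prefix.crt" 2>/dev/null
    rc=$?
    rm -f "$cnf"
    return $rc
}

# has_dns_san CERT HOST: succeed only if CERT lists HOST as a DNS
# subjectAltName. Exact match only; wildcard entries are not expanded.
has_dns_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed 's/^ *//' | grep -Fxq "DNS:$2"
}

# Demo with constructed certificates for the hostname used in the question.
tmp=$(mktemp -d)
make_cert ourinternalnetwork "$tmp/with-san"
make_cert ourinternalnetwork "$tmp/cn-only" nosan
for c in "$tmp/with-san.crt" "$tmp/cn-only.crt"; do
    if has_dns_san "$c" ourinternalnetwork; then echo "$c: SAN ok"
    else echo "$c: no matching SAN, Chrome 58+ will warn"; fi
done
rm -rf "$tmp"
```

`openssl x509 -checkhost` is not used for the check because it can fall back to the CN when no DNS subjectAltName is present, which would pass a certificate that Chrome rejects.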