Self-Signed Cert with TLS 1.2

iisself-signedssltls1.2

I'm a novice in regards to Transport Layer Security stuff, to bear with me…

I have some https web apps that I test locally using self-signed certs created with selfssl.exe. The company recently pushed new rules to everyone's machines that prevent the browsers from loading https sites that use anything other than TLS 1.2. However, my browsers give me certificate errors when I load my locally-hosted test stuff if TLS 1.0 is not enabled. Is it possible to generate self-signed certs that will work with my browsers if only TLS 1.2 is enabled?

I'm using Windows 7 64 bit with IIS 7.5, and I test with a variety of browsers (IE 11, Firefox 46, and Chrome 50).

Best Answer

No, it is not possible

SSL/TLS in all versions works with x509 digital certificates. The difference between TLS versions is the protocol rules, not the certificate.

The browser warns usually when the used protocol is old(consideres less secure) or the certificate is not trusted

Related Solutions

.net – How to solve “Could not establish trust relationship for the SSL/TLS secure channel with authority”

As a workaround you could add a handler to the ServicePointManager's ServerCertificateValidationCallback on the client side:

System.Net.ServicePointManager.ServerCertificateValidationCallback +=
    (se, cert, chain, sslerror) =>
        {
            return true;
        };

but be aware that this is not a good practice as it completely ignores the server certificate and tells the service point manager that whatever certificate is fine which can seriously compromise client security. You could refine this and do some custom checking (for certificate name, hash etc). at least you can circumvent problems during development when using test certificates.

Wcf – Is it possible to force the WCF test client to accept a self-signed certificate

You can create a non self-signed certificate in development area and then use this certificate in IIS for applying the SSL. The steps are:

Create self-signed certificate

makecert -r -pe -n "CN=My Root Authority" -a sha1 -sky signature 
    -ss CA -sr CurrentUser  
    -cy authority 
    -sv CA.pvk CA.cer

Create a non self-signed certificate for SSL which signed by this root certificate and then create pfx-file from that

makecert -pe -n "CN=servername" -a sha1 -sky exchange
    -eku 1.3.6.1.5.5.7.3.1 -ic CA.cer -iv CA.pvk
    -sp "Microsoft RSA SChannel Cryptographic Provider"
    -sy 12 -sv server.pvk server.cer

pvk2pfx -pvk server.pvk -spc server.cer -pfx server.pfx

now you just need to import the server.pfx into the IIS and setup the web site binding to use this certificate and also install the CA.cer in Local Computer \ Trusted Root Certification Authorities store in both server and client by doing this WCF client would work with the service through HTTPS without any problem.

Best Answer

Related Solutions

.net – How to solve “Could not establish trust relationship for the SSL/TLS secure channel with authority”

Wcf – Is it possible to force the WCF test client to accept a self-signed certificate

Related Topic