Scenario: We run our own Certificate Authority for internal server-to-server TLS connections. Created a new SSL certificate for a web server. Deployed to server, SSL works....
Send CA public key and certificate public key to "client" machine (another Windows server), import certs into registry.
In theory I should be able to open the webserver via https without error.
However I get "Invalid cert, self signed" (paraphrased) whichever way I try: Firefox, IE, Postman.
The error messages in detail:
- Firefox: ...uses an invalid security certificate MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
- IE: The security certificate presented by this website was not issued by a trusted certificate authority.
What am I missing?
Self-signed certificates are only trusted if they are marked as such; otherwise they are untrusted and provide no real worth. Browsers (and applications) generally show an error when they are presented with such certificates, which is what you're seeing.
The self-signed certificate should be in Windows' Trusted Root Certification Authorities store for Internet Explorer (and Chrome) to recognise it as a Root CA.
Firefox uses its own trust store, therefore the self-signed certificate needs to be added there. From Options > Privacy and Security > View Certificates, select the Authorities tab and add the certificate. Click Edit Trust... and select "This certificate can identify websites".
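An added diagnostic for the Windows side of this, not part of the answer above: it fetches the certificate the server actually presents, checks whether that leaf is itself self-signed or was issued by the CA being imported, puts the CA into the machine's Trusted Root store if it is missing, and then builds the chain the way CryptoAPI (and so IE/Chrome/Edge) does. The CA file path and server name are assumed placeholders; run it from an elevated PowerShell prompt on the client machine.

```powershell
param(
    [string]$CaCertPath = 'C:\pki\internal-ca.cer',   # assumed: exported CA certificate (public part)
    [string]$Server     = 'web01.internal.example',   # assumed: the web server being tested
    [int]$Port          = 443
)

Import-Module PKI   # provides Import-Certificate (Windows 8 / Server 2012 and later)

# 1. Fetch the leaf certificate the server presents, exactly as a browser would see it.
#    The validation callback returns $true only so we can inspect a cert that does not yet chain.
$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$noCheck = ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback])
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noCheck)
$ssl.AuthenticateAsClient($Server)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaCertPath)

"Served cert subject : $($leaf.Subject)"
"Served cert issuer  : $($leaf.Issuer)"
"CA cert subject     : $($ca.Subject)"

# 2. A leaf whose Issuer equals its Subject is self-signed. In that case the browser error is about
#    the server certificate itself and importing the CA cannot fix it; the server needs a cert
#    actually signed by the CA.
if ($leaf.Subject -eq $leaf.Issuer) {
    Write-Warning 'Served certificate is self-signed; it was not issued by the CA.'
} elseif ($leaf.Issuer -ne $ca.Subject) {
    Write-Warning 'Served certificate was issued by a different CA than the one being imported.'
}

# 3. Is the CA in the machine's Trusted Root store (the store IE/Chrome/Edge consult)?
#    Importing it into Personal or Intermediate Certification Authorities does not make it a trust anchor.
$inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $ca.Thumbprint
if (-not $inRoot) {
    Import-Certificate -FilePath $CaCertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    'CA certificate imported into Trusted Root Certification Authorities.'
}

# 4. Build the chain as Windows does and report whatever still blocks trust.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumed: internal CA publishes no CRL/OCSP
if ($chain.Build($leaf)) {
    'Chain builds to a trusted root.'
} else {
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) - $($_.StatusInformation)" }
}
```

If step 4 still reports a problem after the import, the remaining status names the real cause (for example a name mismatch or a missing intermediate the server is not sending), which is a different fix from trusting the root.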