Self-signed trusted root certificate is not recognized by Edge

certificatemicrosoft-edgesslssl-certificate

For development, my team is using a self-signed SSL certificate. After installing the certificate in my machine's Trusted Root Certification Authorities store, the SSL certificate is recognized as valid in Chrome and IE 11:

Internet Explorer 11:

Chrome 69:

But Edge (version 42) seems to be ignoring the certificate:

Based on the message I'm getting from Edge ("This might be because the site uses outdated or unsafe TLS security settings"), I thought that my local development server might be using an outdated TLS version, but I can verify in Chrome's development tools that traffic is being encrypted using TLS 1.2:

Why does Edge seem to be ignoring my self-signed certificate that I have installed as a Trusted Root Certificate? How can I fix it?

Things I've tried:

Installing the same certificate in my Personal and Intermediate Root Certification Authorities stores
Restarting my machine

Best Solution

After quite a bit of investigation, we discovered the root cause - our company's antivirus software (Sophos) is blocking Edge (and only Edge) from reaching internal IP addresses. Edge's error message - "outdated or unsafe TLS security settings" - was misleading; Edge's requests weren't able to make it to the wire at all.

How to make IE8 trust a self-signed certificate in 20 irritating steps

Browse to the site whose certificate you want to trust.
When told “There is a problem with this website's security certificate.”, choose “Continue to this website (not recommended).”
Select Tools➞Internet Options.
Select Security➞Trusted sites➞Sites.
Confirm the URL matches, and click “Add” then “Close”.
Close the “Internet Options” dialog box with either “OK” or “Cancel”.
Refresh the current page.
When told “There is a problem with this website's security certificate.”, choose “Continue to this website (not recommended).”
Click on “Certificate Error” at the right of the address bar and select “View certificates”.
Click on “Install Certificate...”, then in the wizard, click “Next”.
On the next page select “Place all certificates in the following store”.
Click “Browse”, select “Trusted Root Certification Authorities”, and click “OK”.
Back in the wizard, click “Next”, then “Finish”.
If you get a “Security Warning” message box, click “Yes”.
Dismiss the message box with “OK”.
Select Tools➞Internet Options.
Select Security➞Trusted sites➞Sites.
Select the URL you just added, click “Remove”, then “Close”.
Now shut down all running instances of IE, and start up IE again.
The site’s certificate should now be trusted.

Java – How to automatically install self signed certificate in IE Trusted Root Certification Authorities store

Java 6 provides a cryptographic provider named SunMSCAPI to access the windows cryptography libraries API. This provider implements a keystore "Windows-Root" containing all Trust Anchors certificates.

It is possible to insert a certificate in this keystore.

KeyStore root = KeyStore.getInstance("Windows-ROOT");
root.load(null);
/* certificate must be DER-encoded */
FileInputStream in = new FileInputStream("C:/path/to/root/cert/root.der");
X509Certificate cacert = (X509Certificate)CertificateFactory.getInstance("X.509").generateCertificate(in);
root.setCertificateEntry("CACert Root CA", cacert);

The user will be prompted if for confirmation. If the operation is canceled by the user then a KeyStoreException is thrown.

Some technotes about the provider can be found here: http://download.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunMSCAPI

Best Solution

Related Solutions

What do I need to do to get Internet Explorer 8 to accept a self signed certificate

How to make IE8 trust a self-signed certificate in 20 irritating steps

Java – How to automatically install self signed certificate in IE Trusted Root Certification Authorities store

Related Question