mirror of
https://github.com/FiloSottile/mkcert.git
synced 2026-04-25 05:26:03 +03:00
[GH-ISSUE #148] IIS complains about missing intermediates #89
Labels
No labels
TLS stack issue
Windows
bug
duplicate
duplicate
enhancement
help wanted
help wanted
pull-request
question
question
root store
waiting for info
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
starred/mkcert#89
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @natiki on GitHub (Mar 13, 2019).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/148
Hi,
Generated my new wildcard certificate as:
I then go to IIS > Server Certificates and try and import it but am prompted for a password?
What am I missing here? It is not my login password.
@FiloSottile commented on GitHub (Mar 13, 2019):
The password is “changeit” (for unfortunate legacy PKCS#12 reasons). The output of mkcert should have mentioned it, didn’t it?
@natiki commented on GitHub (Mar 13, 2019):
@FiloSottile OMG sorry about that, RTFM!!!! It does indeed say that. My apologies for being like a typical user and not reading things.
@FiloSottile commented on GitHub (Mar 13, 2019):
It’s ok, we all glance over things from time to time :)
@natiki commented on GitHub (Mar 13, 2019):
Seems IIS now belives there are missing intermediates?
@FiloSottile commented on GitHub (Mar 13, 2019):
That’s weird, as mkcert does not use intermediates.
The message says “installed”, maybe it wants the root in the system store? In that case running “mkcert -install” might fix it, but that would be a weird requirement.
@natiki commented on GitHub (Mar 13, 2019):
I had previously run
mkcert -intalland it said it had installed it? Re-ran it just to be sure and the response is:Using the local CA at "C:\Users\{OmittedForSecurity}\AppData\Local\mkcertand I can see the CA as:
@FiloSottile commented on GitHub (Mar 13, 2019):
I’m afraid we have to wait for someone who actually dealt with IIS, I have never actually used it.
@CW92 commented on GitHub (May 1, 2019):
When using the certificate locally I don't get this issue but when I move it to a VM I get the same error.
Looking at my local machine I have a Certificate created and it is using that (Named "mkcert {Domain}{Username}").
I exported this certificate as .p7b and then imported this on my VM and no longer saw this message pop up in IIS.
@natiki commented on GitHub (May 1, 2019):
My case was Windows 10 running on bare metal.
@CW92 commented on GitHub (May 1, 2019):
If you go to MMC > Certificates > Choose the Certificate > Certification Path, does this certificate appear at the top level or as a sub certificate?
@natiki commented on GitHub (Jun 19, 2019):
Top level
@martinib77 commented on GitHub (Jun 24, 2021):
I'm having the same problem. Did somebody find a solution ?
@CW92 commented on GitHub (Jun 24, 2021):
I am not having the same issue, in Powershell Admin (Don't know if Admin mode is required but I use it for personal preference).
Created a new one running:
(Screenshot from Powershell)
When I import my certificate into IIS I am not getting this, looking at the server certification path I have the top as the machine signing the cert (mkcert -install cert) and then "2021-06-24.localtest.me" (My newly created cert).
(Screenshot from Certificate)
When I have had issues it is due to the certificate not containing the top level Signing Certificate, if the one generated from mkcert is missing the signing Certificate then this can be exported from MMC.
Please let me know if after trying both of these that neither option is working and I will see if I have to do any other steps.
@martinib77 commented on GitHub (Jun 24, 2021):
I did both options.
But the moment i save the Binding on IIS the intermediate certificates error appears.
Viewing the certificate, everything is ok
And when i use Chrome to browse the site, it shows as secured site.
But then , when my app in .NET Core tries to download a file from the site it gives:
I assume the error is the same that IIS is showing when saving the binding.
@CW92 commented on GitHub (Jun 24, 2021):
I think the issue with .Net Core is It looks like the Subject Alternate Name for the certificate in IIS is "2021-06-24.localtest.me" whereas the binding is localhost which is causing a mismatch preventing the .Net Core application from trusting the certificate.
However I have also found this can be due to the server not trusting the Certificate, to fix this I normally copy the Certificate (and any parents) into Trusted Root CA folder (In MMC) however recently on occasion I have had to add them to Trusted People as well.
@martinib77 commented on GitHub (Jun 24, 2021):
Installing on Trusted Root CA folder (In MMC) solved the issue !
After installing the generated localhost.pfx certificate, IIS doesn't give the warning message anymore, and .NET Core also trust the certificate.
It looks like the Subject Alternate Name for the certificate in IIS is "2021-06-24.localtest.me" whereas the binding is localhost which is causing a mismatch preventing the .Net Core application from trusting the certificate
The moment i solve the IIS error, it gives me the name mismatch, but generating again the certificate for localhost solved the problem
@cam-m commented on GitHub (Dec 11, 2024):
I've just hit this issue.
The problem is that 'mkcert -install' is installing the root CA cert in the Current User Store, and IIS is using the Machine (Local Computer) Store.
When the localhost cert is installed in IIS this puts it in the Machine Store - the CA Cert is missing from the chain because its in a different store - the Current User Store.
Fixing #550 would likely address this issue more permanently, but the workaround is to just export the root CA cert from the Current User Store (certmgr) and import it into Trusted Root Certification in the Local Computer Store (certlm).
Worked for me (Windows 11)
@User00015 commented on GitHub (Jul 22, 2025):
Following the steps to use mkcert to install SSL Certs for IIS has also caused me this issue. Going to chalk this one up to "Probably should just use NGINX".
@eriteric commented on GitHub (Oct 1, 2025):
Just to chime in.. I don't think this is an issue with IIS/windows. I have the same issue on some self-hosted docker apps running on linux with nginx :). One was with the obsidian livesync plugin, and another was with n8n, but most apps don't show any error so it was a surprise when I started seeing this pop up only in the last couple days.
Errors in n8n were:
getaddrinfo ENOTFOUND website.comunable to verify the first certificateErrors in obsidian livesync:
android sslhandshakeexception trust anchor for certification path not foundI was able to solve this in n8n by adding an environment variable that fortunately they made available:
NODE_TLS_REJECT_UNAUTHORIZED=0Which, essentially just turns off this check. Fine for my case in a closed network.
So, it seems some apps check for intermediates as a matter of necessity. Possible for mkcert to help mitigate that? or is this just edge cases? Things to ponder...