Windows Self Signed Certificate in Trusted Root not valid in Chrome 106

Time:10-21

I'm using PowerShell New-SelfSignedCertificate to create a certificate and import it into the trusted root for a .NET Core project.

It has been working fine, but has recently stopped; the certificate doesn't expire until 2024.

I'm on Chrome 106.

Any ideas on why it would stop and how to fix?

CodePudding user response:

We have the same issue here. Since 106 it seems self-signed certificates are no longer accepted by Chrome. I've read that Chrome is using its own Root Program now. Could that be the problem? Do we need to import the certificate into a different store now?

Thanks for any kind of help.

Regards

CodePudding user response:

Yes, Chrome has introduced its own certificate root store. They say this happened back in Chrome 105, but we've only started experiencing problems since Chrome 106 in an enterprise environment.

On Windows you may disable this new feature via registry:

  1. Create a REG_DWORD value ChromeRootStoreEnabled = 0 at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
  2. Restart Chrome

Taken from chromeenterprise. But don't forget that disabling this feature without understanding what you are doing may be a security risk - not a big one in this case, but anyway.

The docs actually state that the new root store takes locally trusted certificates into account:

The Chrome Certificate Verifier considers locally-managed certificates during the certificate verification process. This means if an enterprise distributes a root CA certificate as trusted to its users (for example, by a Windows Group Policy Object), it will be considered trusted in Chrome.

We use our own CA to sign test websites' HTTPS certificates in an enterprise environment. So we seemingly must not have been affected. But even though everyone on the dev team has our CA installed in trusted root - we still face this issue. I'm not sure whether it's a bug or there is something else we need to know about which CAs are accepted and which are not.
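
The checks discussed in this thread, as an added example that is not from any of the posters or from the Chrome documentation: a PowerShell script that reports the current ChromeRootStoreEnabled policy value, lists matching certificates in the machine and user Trusted Root stores, and only writes the policy when asked. The parameter names and the default subject text 'localhost' are assumptions made for the example.

```powershell
# Added example: audit the Chrome root store policy and local root trust on Windows.
# Run elevated when using -DisableChromeRootStore, because it writes under HKLM.
param(
    [string]$SubjectMatch = 'localhost',   # assumption: text expected in the test certificate's subject
    [switch]$DisableChromeRootStore        # apply the registry workaround from the answer above
)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$policyName = 'ChromeRootStoreEnabled'

# 1. Report the current policy state (absent means Chrome uses its default behaviour).
$current = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
if ($null -eq $current) {
    Write-Host "$policyName is not set"
} else {
    Write-Host "$policyName = $($current.$policyName)"
}

# 2. List matching certificates in the machine and user Trusted Root stores,
#    so you can confirm the certificate is installed where you think it is.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*$SubjectMatch*" } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter,
                      @{ n = 'SelfSigned'; e = { $_.Subject -eq $_.Issuer } }
}

# 3. Write the policy value only when explicitly requested.
if ($DisableChromeRootStore) {
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    New-ItemProperty -Path $policyKey -Name $policyName `
        -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host "Set $policyName = 0; restart Chrome for it to take effect."
}
```

After restarting Chrome, chrome://policy shows whether the browser picked up the value.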
