How can I make a self-signed certificate a trusted root certificate authority?


  • Hi all,
    I've created a self-signed certificate using IIS 7 and assigned it to my local website. It looks like my connection to my local server is encrypted, but the problem is that the certificate indicators in all browsers are red and show the following error:
    "The identity of the server you are connected to cannot be fully validated. You are connected to a server using a name only valid within you network, which an external certificate authority has no way to validate ownership of. As some certificate authorities will issue certificates for these names regardless, there is no way to ensure you are connected to the intended website and not a hacker."
    What does this error mean? Why doesn't this error go away when I add my certificate in "Trusted Certificate Root Authorities" in mmc>certificates? I wanna get a green indicator for my certificate in my browser! Is it possible?
    Thanks in advance.
    Monday, October 01, 2012 12:01 PM

All replies

  • Why doesn't anyone answer this question? Is something wrong with my question!?
    Saturday, October 06, 2012 8:14 PM
  • Hi

    You could refer to this article to create a self-signed root authority certificate and export it,

    here is the link:

    hope it helps you.


    Monday, October 08, 2012 5:56 AM
  • Thanks for your link. It was greatly useful for me, but there are two problems. I read it and created two certificates, one as a certificate authority (Subject & Issuer: Hossein-CA), which I added to the Trusted Root Certificate Authorities, and one for my localhost website (Subject: localhost, Issuer: Hossein-CA); but my certificate doesn't get fully validated and my browser address bar doesn't get green. This is one problem, and the other one is that my localhost certificate uses the X.500 standard for naming but the browser doesn't show the full names in the address bar. Look at the following image:

    Here's my localhost's certificate subject according to X.500:

    CN = localhost
    L = myLocation
    S = myState
    C = US
    O = localhost, Inc.

    The following image has been taken from a trusted certificate authority's website named Thawte:

    This is Thawte's certificate subject:

    OU = Infrastructure Operations
    L = Mountain View 
    S = California
    C = US
    SERIALNUMBER = 3898261
    O = Thawte, Inc. = Private Organization = Delaware = US

    Why doesn't my browser address bar get green and show my certificate name?
    • Edited by itecompro Wednesday, October 10, 2012 2:49 PM
    Wednesday, October 10, 2012 2:44 PM
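
Added example, not part of any post in this thread: the two-certificate setup described in the post above (a root named Hossein-CA placed in the trusted root store, and a localhost certificate issued by it), written as PowerShell. It assumes an elevated session on Windows 10 / Server 2016 or later, where New-SelfSignedCertificate supports -Signer; the export path and validity periods are assumptions.

```powershell
# Added example. Run in an elevated PowerShell session.
# 'Hossein-CA' and 'localhost' are the names used in the post; everything else is assumed.

# 1. Root CA: marked as a CA via Basic Constraints, key usage limited to signing
#    certificates and CRLs. The private key is non-exportable because whoever
#    holds it can issue certificates this machine will trust.
$ca = New-SelfSignedCertificate -Type Custom `
    -Subject 'CN=Hossein-CA' `
    -KeyUsage CertSign, CRLSign `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy NonExportable `
    -TextExtension @('2.5.29.19={text}CA=true') `
    -NotAfter (Get-Date).AddYears(5) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Server certificate for the site, issued by the CA above.
#    -DnsName populates the Subject Alternative Name, which browsers match
#    against the host name in the URL.
$leaf = New-SelfSignedCertificate -Type SSLServerAuthentication `
    -Subject 'CN=localhost' -DnsName 'localhost' `
    -Signer $ca `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Trust the CA: export only its public certificate and import that into
#    the machine's Trusted Root Certification Authorities store.
$caFile = Join-Path $env:TEMP 'Hossein-CA.cer'   # assumed scratch path
Export-Certificate -Cert $ca -FilePath $caFile | Out-Null
Import-Certificate -FilePath $caFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Remove-Item $caFile

# 4. Check that the server certificate now chains to a trusted root.
#    Revocation checking is off because this CA publishes no CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($leaf)

"Chain trusted: $trusted"
$chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
$chain.ChainStatus   | ForEach-Object { '  problem: ' + $_.StatusInformation.Trim() }

# Thumbprint to select when binding the certificate to the site in IIS.
"Bind this certificate in IIS: $($leaf.Thumbprint)"
```

Browsers that use the Windows certificate store pick up the imported root; Firefox keeps its own store by default and needs the root imported there separately. A chain that validates this way clears the red warning, while the green bar with the organisation name shown on the Thawte site is Extended Validation, which browsers grant only to certificates from specific public CAs.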
  • Please someone help me, I really need it...
    Friday, October 12, 2012 7:17 PM
  • Can't someone just help me!?

    The main problem has been shown in the pictures.


    Tuesday, October 23, 2012 8:40 AM
  • Surprised that no one has replied yet. You have to add your root CA certificate to the browser that you are connecting from. Hope that it works.

    I am trying to set myself up as well, but have not been able to create a proper certificate with CRL and cert location info.

    Friday, May 10, 2013 3:36 PM
  • If you are trying to make a self-signed cert the CA Root for your site such that you will not get an "invalid cert" error message on your website, you cannot do this. A CA is a certified Authority (CA) which means that the certificate comes from a company or source that has been widely accepted as a valid certificate provider. It is what makes certificates cost money, but it also validates that the CA behind a certificate comes from a valid authenticating source.

    Each Web Browser has a list of trusted CAs (i.e. VeriSign, DigiCert, etc.) ... for Microsoft IE see:

    Therefore, when you create a self-signed cert, since Microsoft does not recognize the CA as matching their list ... it will consider it an invalid certificate always.

    Hope that answers your question. Basically, a CA MUST be from a valid certificate authenticator.

    Friday, September 30, 2016 8:56 PM