SSL Client certificate Microsoft Edge
H

3

10

I am having an issue with client-side certificates in the MS Edge browser on Windows 10. Basically, my PKI structure is the following:

RootCA(self signed 4096) -> Intermediate CA (signed by RootCA 2048)-> One Server Certificate, One client Certificate (both signed by Intermediate CA)

Apache is set up with the following SSL options:

SSLCertificateFile - cert generated by Intermediate CA 2048

SSLCertificateKeyFile  - keyfile of above cert

SSLCACertificateFile  - Cert of my Intermediate CA chained with RootCA cert

SSLCARevocationFile - Crl list generated by Intermediate CA

SSLVerifyClient require 

SSLVerifyDepth 10

SSLOptions +StdEnvVars

Client certificate generated as PKCS#12 chain file.

Now, I tested with Firefox, Chrome and Internet Explorer 11 and everything is working as expected: without a certificate you get a 403 page, while when the certificate is imported you can log in and the certificate is read by a PHP file that basically outputs the info collected with +StdEnvVars.

On Microsoft Edge v25.10586.0.0, when I go to the https location, I get the certificate selection window, but when I select the appropriate certificate I still get a 403 error. It is driving me nuts since it works pretty much everywhere except in the Edge browser. Can anyone give me a hand, at least with where to start looking?

Haro answered 6/10, 2016 at 14:18 Comment(3)
have you found something to deal with this yet @Haro – Eohippus
@Eohippus yeah... all I had to do is relog, and it worked after that properly... Read something about it somewhere but can't recall where exactly – Haro
I don't even get the cert dialog displayed. – Amoroso
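
The chain and PKCS#12 layout described in the question, rebuilt as an added example (not part of the original post) so the server-side view of the client certificate can be checked independently of any browser. All subjects, file names and the password are constructed, and the key sizes are reduced to 2048 bits.

```shell
#!/bin/sh
# Added example: constructed lab PKI shaped like the question's chain
# (Root CA -> Intermediate CA -> client cert). Subjects, file names and the
# PKCS#12 password are made up; keys are 2048-bit throughout to keep it quick.

# issue NAME CN SECTION [SIGNER]: new key and cert, self-signed if no SIGNER
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
    if [ -n "$4" ]; then signer="-CA $4.crt -CAkey $4.key -CAcreateserial"
    else signer="-signkey $1.key"; fi
    # $signer is left unquoted on purpose so it splits into separate options
    openssl x509 -req -in "$1.csr" -days 30 -extfile ext.cnf -extensions "$3" \
        $signer -out "$1.crt" 2>/dev/null
}

build_chain() (
    mkdir -p "$1" && cd "$1" || exit 1
    printf '%s\n' '[ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' \
        '[client]' 'basicConstraints = CA:FALSE' \
        'extendedKeyUsage = clientAuth' > ext.cnf
    issue root "Lab Root CA" ca &&
    issue inter "Lab Intermediate CA" ca root &&
    issue client "lab-user" client inter &&
    # same layout as the question's SSLCACertificateFile: intermediate + root
    cat inter.crt root.crt > ca-bundle.crt &&
    openssl pkcs12 -export -inkey client.key -in client.crt \
        -certfile ca-bundle.crt -passout pass:constructed -out client.p12
)

# chain_ok CAFILE CERT: does CERT chain to a CA in CAFILE and permit TLS
# client auth? Approximates what the server checks under SSLVerifyClient require.
chain_ok() { openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1; }

# p12_cert_count FILE PASSWORD: certificates in the PKCS#12 (leaf plus chain)
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

d=$(mktemp -d) && build_chain "$d" || exit 1
chain_ok "$d/ca-bundle.crt" "$d/client.crt" && echo "intermediate+root bundle: OK"
chain_ok "$d/root.crt" "$d/client.crt" || echo "root only: FAILS, intermediate missing"
echo "certificates in client.p12: $(p12_cert_count "$d/client.p12" constructed)"
```

If the same checks pass against the real CA bundle and client certificate, the chain and the PKCS#12 export are sound from the server's side.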
H
3

Of course, the issue was more than stupid... For Edge to be able to pick up the correct certificate and use it, you have to re-log or reboot...

Haro answered 26/10, 2016 at 8:18 Comment(4)
unfortunately this did not work for me. :/ would have been too easy. thanks just the same :) – Eohippus
@Eohippus sorry to hear that. Stupid question but, you do have your client certificate listed under Personal in certmgr.msc, right? – Haro
i placed our root ca under the localmachine trusted root cert auth store, our intermediate cert into the current user intermediate cert auth and the user cert into the current user personal store. chrome, ie11 work like a charm – Eohippus
@Eohippus ok, here is what I have done with my client auth page... I create RootCA -> Intermediate CA -> Client cert. Export Client cert with chain file (so that I have the complete chain of trust; yes, when importing on the Client machine it will nag you about trusting something, but I can live with that). When imported, I have one Certificate under Trusted Root (my Root CA), one under Intermediate Cert (my Intermediate CA), and finally one under Personal certificate (which of course is my Client certificate). When I open it I can see the whole chain of trust... And as said, it worked the moment I rebooted – Haro
S
1

Reboot and all the other advice did not help in my case. What helped was to understand that Microsoft developers failed to consider basic user experience guidelines.

The client certificate dialog showed one cert, the OK and the Cancel buttons. Only if the cert is selected does the OK button work as expected. If not, it just flickers - at least some feedback to the user that the mouse click was registered. But no hint is shown that I should have selected an entry from the certificate list. It would have already helped if the OK button remained inactive until a cert is selected. But it's active regardless.

I have 30 years of experience with Windows software - everything gets worse, especially the usability.

Steiger answered 20/11, 2023 at 20:25 Comment(0)
A
-1

Microsoft EDGE does not directly have a way to manage certificates or import certificates in order to avoid certificate errors. To allow a self-signed certificate to be used by Microsoft-Edge it is necessary to use the "certmgr.msc" tool from the command line to import the certificate as a Trusted Certificate Authority.

This can be done as follows:

  • Click on the red certificate error message to view the failing certificate
  • Click on View Certificate
  • Click on Export to File (any location, foo.crt)
  • Start a cmd shell and type the command "certmgr.msc" to open the certificate wizard
  • From the menu bar select "Action" > "All Tasks" > "Import..."
  • A popup window will appear asking for the "Store Location". Select Current User or Local Machine. Click Next.
  • A new popup window will appear asking for the File Name: Browse and select your exported certificate file, foo.crt and Click Open.
  • The popup will now have the full path to your certificate file, foo.crt. Click Next.
  • A new popup window will appear asking you to allow Windows to choose the "certificate Store" based on the certificate, or allow you to specify the certificate store manually. Select manual option, "Trusted Root Certificate Authority". Click Next.
  • A final popup will appear "Completing the Certificate Import Wizard". Review the settings and Click Finish.
  • You should get an "import successful" message.
  • Close the import wizard application and try the URL again in the EDGE browser. If this worked you will not get the certificate error and the page will load normally.
Assassin answered 2/7, 2020 at 14:42 Comment(0)
