Troubleshooting: Browser Extension No Longer Supporting Self-Signed Certificates

Follow

Problem

Starting with Google's Manifest V3 update, browser extensions no longer support self-signed certificates. Therefore, you need to ensure certificates meet updated security requirements to maintain the Password Secure browser extension functionality.
 
 

Verify if a Self-Signed Certificate is used on IIS

To determine if your IIS (Internet Information Services) is using a self-signed certificate, follow these steps:
  • Open IIS Manager:
    • Press Win + R, type inetmgr, and press Enter.
  • Select the Website:
    • Expand the server node to see a list of sites in the connections' pane on the left.
    • The name of the site should either be "WebApp" or "WebClient" (legacy).
  • View Site Bindings:
    • Right-click the site and select Edit Bindings.
  • Locate the HTTPS Binding:
    • In the Site Bindings window, look for the entry with Type set to https. This is the binding that specifies the SSL certificate for the site.
    • Select the https binding and click Edit.
  • Verify if It’s Self-Signed:
    • In the SSL certificate field, you will see the name of the certificate currently assigned to this binding.
    • Click View next to the SSL certificate field. This opens the certificate details.
    • In the Certificate Information window, check the Issuer and Subject fields: If the Issuer and Subject are the same, this typically indicates a self-signed certificate.


Solution

Option 1: Using Let's Encrypt for Publicly Available Web Endpoints

For public endpoints, Let's Encrypt offers free, automated, and CA-signed certificates.
To issue a certificate, you need to use one of the available Let's Encrypt clients.
 
Note: Please refer to the corresponding client documentation, on how to issue and use a Let's Encrypt certificate.

Option 2: Switching to a CA Certificate for internal use, using an existing CA Server

For internal sites, replace the self-signed certificate with a CA-signed certificate to ensure compatibility with the newest Password Secure Browser Extension.
  1. Generate a Certificate Signing Request (CSR) in IIS.
  2. Submit the CSR to your Internal CA and retrieve the issued certificate.
  3. Install and bind the CA certificate in IIS to the WebApp.

Option 3: Using PowerShell to create a valid ca-based certificate

Note: To execute the following commands, you need to use PowerShell in a privileged session (run as Administrator).
Note: You need to modify the highlighted values to match your requirements.

Step 1: Create the root CA certificate
# Root CA certificate
$rootCert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My `
-Subject "CN=NpwsRootCA, O=MyOrganization, C=US" `
-KeyExportPolicy Exportable `
-KeyUsage CertSign, CRLSign, DigitalSignature `
-KeyLength 4096 `
-HashAlgorithm SHA256 `
-NotAfter (Get-Date).AddYears(10) `
-KeyUsageProperty All

# Export the root CA certificate to a file (for later distribution to your clients)
New-Item -ItemType Directory -Force -Path C:\CA
Export-Certificate -Cert $rootCert -FilePath "C:\CA\NpwsRootCA.cer"

Step 2: Issue a certificate signed by the root CA
$hostname = "passwordsecure.internal.mydomain.com" # Replace with your actual hostname

# CA signed certificate
$issuedCert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My `
-Subject "CN=$hostname" `
-TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") `
-DnsName $hostname `
-Signer $rootCert `
-KeyExportPolicy Exportable `
-KeyUsage DigitalSignature, KeyEncipherment `
-KeyLength 3072 `
-HashAlgorithm SHA256 `
-NotAfter (Get-Date).AddYears(2)

Step 3: Import the root CA certificate on a client machine
To import the root CA certificate on a single client machine, follow these steps to ensure that the client trusts the certificates signed by your newly created root CA:
 
Note: This step is required on every client machine, which should be able to use the Password Secure browser extension.
For a larger scale deployment, consider using a GPO or Intune.
$rootCertPath = "C:\CA\NpwsRootCA.cer" # Update this path as necessary
Import-Certificate -FilePath $rootCertPath -CertStoreLocation Cert:\LocalMachine\Root
Have more questions? Submit a request

Comments