Windows 10: An invalid [self-signed] CA certificate exists on Windows 10 Pro, but...

Discussion in 'AntiVirus, Firewalls and System Security' started by arinbiorn, Jun 4, 2023.

  1. arinbiorn Win User

    An invalid [self-signed] CA certificate exists on Windows 10 Pro, but...


    Statement of the Problem: An invalid self-signed CA certificate that all browsers say they are using can't be found by standard Windows tools so it can be removed.

    Background: I have a small self-hosted environment in Docker on Windows 10. I've identified a bogus CA certificate present on the box because it is self-signed by "Linuxserver.io". It appears that this is being presented when I connect to that Docker service over SSL instead of the one from Let's Encrypt and therefore the connection fails.

    Details of Identified Certificate: When I hit localhost on the host port of 844

    :)
     
    arinbiorn, Jun 4, 2023
    #1
  2. grawity Win User

    Accept self-signed certificate system-wide without installing as root CA

    If the server is under your control:

    1. Create an actual root CA (e.g. with easy-rsa or Xca or Windows Server CA role).
    2. Replace the self-signed server certificate with one issued by your custom CA.
    3. Make sure the certificate you just issued is actually marked as a "leaf" / "end-entity" certificate. Look for the "X.509v3 Basic Constraints" extension – it must be present and say "CA: FALSE".
    4. Install the custom CA's root certificate into your computer.
    5. Safely store the CA private key so that it's only accessible whenever you need to issue a new cert.

    As the server's certificate contains "Basic Constraints: CA: FALSE", it will not be able to issue new certificates using just its own key.

    (The reason you need the CA to be separate is because directly installing the server's self-signed certificate into the "Trusted CA" folder may cause the system to ignore Basic Constraints – after all, it's installed as an authority. Separation avoids this problem, because you can safeguard the root CA keys.)

    As a bonus feature, you won't need to re-trust the server certificate when it expires or when its name changes – just use the same root CA to issue a new cert.
     
    grawity, Jun 4, 2023
    #2
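
Steps 1-3 of the answer above, together with a check of its claim that a "CA: FALSE" server certificate cannot issue certificates of its own, as an added example that is not part of the original thread. It uses the OpenSSL command line rather than the tools the answer names, and the CA name, host names and file names are placeholders.

```bash
# Added example: CA name, host names and file names are placeholders.
set -eu
build_pki() {   # $1 = empty working directory
  cat > "$1/pki.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = ca_dn
x509_extensions = v3_ca
[ca_dn]
CN = Example Intranet Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:intranet.example.test
[v3_child]
basicConstraints = CA:FALSE
EOF
  # Step 1: self-signed root CA; ca.key is the key to lock away (step 5).
  openssl req -x509 -config "$1/pki.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  # Steps 2-3: server certificate issued by the CA as an end-entity cert.
  issue "$1" intranet.example.test leaf ca v3_leaf
  # Negative test: a certificate signed with the server's key, not the CA's.
  issue "$1" other.example.test child leaf v3_child
}

issue() {       # dir, CN, output name, signer name, extension section
  openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" \
    -CAcreateserial -days 365 -extfile "$1/pki.cnf" -extensions "$5" \
    -out "$1/$3.crt" 2>/dev/null
}

is_end_entity() {   # $1 = cert; true if Basic Constraints says CA:FALSE
  openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:FALSE'
}
chains_to_root() {  # dir, cert; only ca.crt is trusted, leaf.crt is merely offered
  openssl verify -CAfile "$1/ca.crt" -untrusted "$1/leaf.crt" "$2" >/dev/null 2>&1
}

d=$(mktemp -d); build_pki "$d"
is_end_entity "$d/leaf.crt"        && echo "leaf:  CA:FALSE"
chains_to_root "$d" "$d/leaf.crt"  && echo "leaf:  chains to the root CA"
chains_to_root "$d" "$d/child.crt" || echo "child: rejected, its issuer is not a CA"
```

Of the files produced, only `ca.crt` is what step 4 installs as a trusted root; `ca.key` is the key step 5 says to store safely.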
  3. How to add self-signed certificate to my PC?

    My PC is Windows 10 Pro x64 and I have Edge and Chrome browsers installed.

    I installed my firewall's Certificate Authority into the windows certificate store by going to MMC, adding Certificates, and adding it to the Trusted Root CA. I now see my firewall root CA as (firewallCA).

    Now I created a CNAME in my DNS to access my firewall as fw.example.com which only resolves internally. I then generated on my firewall a self-signed certificate. Once created, I downloaded the certificate and also added it to the MMC->Certificates.

    I can now open IE or Edge and go to https://fw.example.com and not get a certificate error. However, if I use Chrome, I still get the error. I went to the Chrome advanced settings and see the firewallCA listed, but not the self-signed cert. I guess I have to add it manually, but I want it to apply to any user on this PC. How can I add the self-signed cert to Chrome for all users?
     
    throwmedowntheriver4444, Jun 4, 2023
    #3
  4. PhilLab Win User

    An invalid [self-signed] CA certificate exists on Windows 10 Pro, but...

    Accept self-signed certificate system-wide without installing as root CA

    For an intranet server I use a self-signed certificate which I want to trust system-wide. I added the certificate exception to Firefox, but this is not possible in Chrome, console applications, IDEs, ...

    This is why I want the certificate to be trusted system-wide. As I understood it, the recommended way is to install it as root CA: Installing a Self-Signed Certificate as a Trusted Root CA in Windows Vista

    As I also understood it, this means that whoever controls the self-signed certificate now controls a root authority which can sign forged certificates for any site on my machine. Is this true and if yes, how can I prevent this? I just want to have a single intranet server self-signed, not potentially all services I use.

    What is the recommended way to deal with intranet TLS here?
     
    PhilLab, Jun 4, 2023
    #4