Modern browsers now actively warn against SHA-1 signed certificates due to cryptographic weaknesses. While IIS Manager's default self-signed certificate generator still uses SHA-1, we need better alternatives for local development.
Here's how to create a proper SHA-256 certificate using PowerShell's New-SelfSignedCertificate cmdlet:
```powershell
# Generate a new self-signed certificate signed with SHA-256
$cert = New-SelfSignedCertificate -CertStoreLocation "cert:\LocalMachine\My" `
    -DnsName "localhost", "dev.example.com" -FriendlyName "Local Dev Certificate" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(5)

# Export as PFX without password (optional). ConvertTo-SecureString rejects an empty
# string, so pass an empty SecureString object instead.
Export-PfxCertificate -Cert $cert -FilePath "C:\certs\devcert.pfx" -Password (New-Object System.Security.SecureString)
```
1. "A specified logon session does not exist" Error
This occurs when the certificate's private key permissions aren't properly configured. The solution:
```powershell
# Grant the IIS worker process read access to the private key file. New-SelfSignedCertificate
# uses the CNG key storage provider by default, so $cert.PrivateKey is $null; resolve the key via RSACertificateExtensions.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyPath = "C:\ProgramData\Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} else {  # legacy CSP key container
    $keyPath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
}
icacls $keyPath /grant "IIS AppPool\DefaultAppPool:RX"
```
2. Missing Private Key in IIS Manager
If your certificate icon lacks the key symbol, ensure:
- You imported the .PFX file (not .CER)
- The certificate was marked as exportable during creation
- The IIS worker process has read access to the private key
For Chrome/Edge/Firefox to trust your certificate:
```powershell
# Export the public certificate (no private key), then import it into the Trusted Root store
Export-Certificate -Cert $cert -FilePath "C:\certs\devcert.cer"
Import-Certificate -FilePath "C:\certs\devcert.cer" -CertStoreLocation "Cert:\LocalMachine\Root"
```
For cross-platform consistency, you can use OpenSSL:
```sh
# Generate a 2048-bit RSA private key
openssl genrsa -out dev.key 2048
# Create CSR (-subj avoids the interactive prompt; -addext requests a SAN, which browsers require)
openssl req -new -key dev.key -out dev.csr -sha256 -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost"
# Generate cert; -copy_extensions copy (OpenSSL 3.0+) carries the SAN from the CSR into the certificate
openssl x509 -req -days 3650 -in dev.csr -signkey dev.key -out dev.crt -sha256 -copy_extensions copy
# Convert to PFX for IIS import
openssl pkcs12 -export -out dev.pfx -inkey dev.key -in dev.crt
```
- Always use at least 2048-bit RSA keys
- Set appropriate expiration (1-5 years for dev certs)
- Include all relevant DNS names (localhost, *.local, etc.)
- Consider using SAN (Subject Alternative Names) certificates
Modern browsers now flag SHA-1 certificates as insecure, displaying warnings like "This site makes use of a SHA-1 Certificate" in developer tools. This creates noise during development and potentially masks real security issues.
For IIS 7.5+ environments, use PowerShell to generate SHA-256/512 certificates:
```powershell
# Generate SHA-256 certificate
$cert = New-SelfSignedCertificate -CertStoreLocation "cert:\LocalMachine\My" `
    -DnsName "dev.example.com" -FriendlyName "Dev SHA-256 Cert" `
    -HashAlgorithm "SHA256" -KeyLength 2048 -KeyAlgorithm RSA `
    -KeyUsage DigitalSignature, KeyEncipherment -NotAfter (Get-Date).AddYears(5)

# Export to PFX without password (for dev convenience). -Password $null is rejected,
# so pass an empty SecureString object instead.
Export-PfxCertificate -Cert $cert -FilePath "C:\certs\dev_sha256.pfx" -Password (New-Object System.Security.SecureString)
```
Common pitfalls when working with self-signed certs:
- Wrong file type: Always select .pfx during import (not default .cer)
- Trust errors: Double-import into both "Personal" and "Trusted Root Certification Authorities" stores
- Binding issues: The "A specified logon session does not exist" error typically requires resetting IIS worker process identity permissions
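As an added example (not code from the original post), the following PowerShell function audits the LocalMachine\My store for the best practices listed earlier (SHA-256 signature, 2048-bit keys, SAN present, sane expiry) and for the import and trust pitfalls just listed (private key present, certificate also in Trusted Root). It assumes Windows PowerShell 5.1 or later with the Cert: drive available; the function name and the default DNS name are my own choices.

```powershell
# Added example: audit dev certificates in LocalMachine\My for the issues discussed on this page.
function Test-DevCertificate {
    param(
        # Only certificates whose Subject or SAN contains this name are reported (assumed default).
        [string]$DnsName = 'localhost',
        [int]$MinKeyLength = 2048
    )
    $rootThumbprints = (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        $sanText = if ($san) { $san.Format($false) } else { '' }
        $pattern = [regex]::Escape($DnsName)
        if ($cert.Subject -notmatch $pattern -and $sanText -notmatch $pattern) { continue }

        $findings = @()
        # Signature algorithm: sha1RSA / sha1ECDSA are what browsers now warn about
        if ($cert.SignatureAlgorithm.FriendlyName -like 'sha1*') { $findings += 'SHA-1 signature' }
        # Key length: GetRSAPublicKey works for both CSP and CNG keys
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($rsa -and $rsa.KeySize -lt $MinKeyLength) { $findings += "RSA key is only $($rsa.KeySize) bits" }
        if (-not $san) { $findings += 'no subjectAltName (browsers ignore the CN)' }
        if (-not $cert.HasPrivateKey) { $findings += 'no private key (imported .cer instead of .pfx?)' }
        if ($cert.NotAfter -lt (Get-Date)) { $findings += "expired $($cert.NotAfter.ToShortDateString())" }
        if ($rootThumbprints -notcontains $cert.Thumbprint) { $findings += 'not in Trusted Root store' }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Findings   = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

Test-DevCertificate -DnsName 'localhost' | Format-Table -AutoSize
```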
For containerized development, generate certs during build:
```dockerfile
# Dockerfile example
RUN openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
    -keyout /etc/ssl/private/nginx-selfsigned.key \
    -out /etc/ssl/certs/nginx-selfsigned.crt \
    -subj "/CN=localhost" \
    -addext "subjectAltName=DNS:localhost" \
    -sha256
```
While not recommended for production, Chrome can temporarily bypass SHA-1 warnings (note that --ignore-certificate-errors disables certificate validation entirely, so use it only with a throwaway dev profile):
```cmd
chrome.exe --ignore-certificate-errors --ignore-urlfetcher-cert-requests
```
For Firefox, navigate to about:config and set `security.ssl.enable_sha1_local_anchors` to true.
VS 2022+ automatically generates SHA-256 certs for ASP.NET Core projects. Verify with:
```sh
dotnet dev-certs https --check --verbose
```