Are self-signed SSL certificates still allowed in 2023 for an intranet server running IIS?

I'd just like to confirm that self-signed certificates are still allowed in 2023-2034 for an IIS server that is not exposed to the internet and serves up only intranet apps. I'm asking because I'm repeating a process I've used for the past several years but it's not working this time. Browsers are rejecting the certificate as invalid. Has there been another industry tightening of security related to SSL certificates?

I've been creating a self-signed SSL certificate in PowerShell, importing it into Trusted Root Certification Authorities on that Windows Server, and then changing the bindings in IIS Manager to use the imported certificate. [The cert without private key is imported into Trusted Authorities on the desktops.] This time, the import of the certificate into the server's Trusted Root Certification Authorities is successful, changing the https bindings in IIS is successful, but then when I try to access a web app from a desktop, the browser is saying the certificate is invalid and the connection is not private.

This has always been the case. All web browsers will and have to check the validity of a server certificate and warn the user about it if it's not valid.

If you are using a self-signed certificate, you need to explicitly make it trusted on the client system, otherwise you'll get exactly this complaint.

I find strange this didn't happen to you before, because it's supposed to happen, and it has always happened since SSL has been invented.

I can reproduce the "the certificate is invalid and the connection is not private", so the recent changes in Chromium derived browsers seem to make it rather painful to use self signed certificates even if the sites are internal.

If you test with legacy browsers like Internet Explorer, you should see the self signed certificates work flawlessly.

Usually browser vendors make such changes to remedy security risks, and the common solution is to issue certificates using your internal CA (from AD or similar systems).

Absolutely!! Using a self signed certificate for local intranets/infrastructure is totally acceptable, often it is the ONLY solution on private infrastructure with no internet access.

Without specific information about the error messages the browsers are producing or the specifics of how the certificate was set up, it's difficult to say definitively. However, here are common issues that might cause your certificate to be rejected:

1. Not in Trust Store: The self-signed certificate has not been installed in the appropriate trust store on the machines that are trying to access the website. Every operating system has its certificate stores and a self-signed certificate needs to be added to that store.

2. Certificate Mismatch: The common name (CN) on the certificate does not match the hostname or IP address of the IIS server.

3. Inappropriate Certificate: The certificate used does not support server authentication. If this is the case, even though the certificate is installed correctly, it will not be deemed valid.

4. Expired Certificate: The certificate is expired. Self-signed certificates have an expiration date, and if it's past that date, browsers will not trust that certificate.

5. Weak Hashing Algorithm: If your certificate uses SHA-1 as the hashing algorithm, this could be the reason. Modern browsers no longer trust certificates that use SHA-1 due to its security vulnerabilities and have started to require at least SHA-256.

6. Private Key: For certain applications, the private key must also be installed on the server and properly linked to the certificate.

Please examine the specifics of the error messages you're receiving from the browsers, it should give a more exact insight into why the certificate is being considered invalid. If nothing works, consider reaching out to your system admin or IT support for professional advice.