How do I restore a missing IIS Express SSL Certificate?

150
votes

After setting up HTTPS in IIS Express, according to such articles as this and this, I am unable to actually load an IIS Express site using HTTPS. In Chrome, I am only getting:

This webpage is not available (with error code "ERR_CONNECTION_RESET")

...and in IE I am only getting:

Internet Explorer cannot display the webpage

...when I follow the directions in those articles.

It appears this has to do with the fact that the "IIS Express Development Certificate" that IIS Express installs automatically has been removed. How do I get this certificate reinstalled?

8
sslhttpsssl-certificateiis-express
Also happened to me trying to run IISExpress on port 443 (or actually on any port outside the 44300-44399 range)Gerardo Grignoli
Note: the accepted answer to this question is applicable even where the IIS Express localhost certificate is present and appears to be fine.haymansfield
For Visual Studio 2017 see stackoverflow.com/questions/44142037/…RickAndMSFT

8 Answers

213
votes

Windows 10 users: Repair is only in the Control Panel, not in the Add Remove programs app. I typically run appwiz.cpl to launch the old control panel applet and run repair from there.

Windows 7 and 8.1: After going to Add/Remove Programs and choosing the "Repair" option on IIS Express, the certificate has been reinstalled and I can now launch IIS Express sites using HTTPS.

Repair IIS Express

The certificate is back:

IIS Express Development Certificate

And I can now launch the IIS Express site using HTTPS:

Success!

186
votes

For Visual Studio 2015, IIS Express 10, Windows 10, these options didn't work for me. IIS Express 10 didn't have a repair option.

I managed to solve the problem using the IisExpressAdminCmd.exe command available at C:\Program Files (x86)\IIS Express.

From an elevated command prompt run:

cd C:\Program Files (x86)\IIS Express
IisExpressAdminCmd.exe setupsslUrl -url:urlToYourSite -UseSelfSigned

Replacing urlToYourSite with your url.

e.g.

cd C:\Program Files (x86)\IIS Express
IisExpressAdminCmd.exe setupsslUrl -url:https://localhost:44387/ -UseSelfSigned

After that I closed IIS Express and restarted my site from Visual Studio and it prompted to automatically trust the self-signed certificate.

Hope that helps.

42
votes

Also note that for IIS Express to work with SSL, the port used needs to be in the 44300 through 44399 range (http://www.iis.net/learn/extensions/using-iis-express/running-iis-express-without-administrative-privileges).

So, if you're using IIS Express in Visual Studio, make sure the port selected is in the required range: vs setting for iis express

40
votes

Sometimes this error is because of a different certificate installed for localhost. If that is the case, there is no need to restore the IIS Express certificate. Instead, you can do the following to tell IIS Express to use your existing certificate:

  1. Open the Certificates MMC snap-in as described here
  2. Find your localhost certificate e.g. under Personal...Certicates and get its thumbprint:
    1. Bring up the properties dialog for the localhost certificate and find the Thumbprint property
    2. Paste the thumbprint value into Notepad (or whatever) and remove the spaces and any special characters at the beginning
  3. Find the port value of your IIS Express project:
    1. Go to the project properties in Visual Studio and finding the "SSL URL" value, e.g. "https://localhost:44300/MyApp".
    2. In this example 44300 is the port number. If yours is different, change that value in the later commands.
  4. Use the following commands in an administrative command prompt (not Powershell):

netsh http delete sslcert ipport=0.0.0.0:44300

netsh http add sslcert ipport=0.0.0.0:44300 certhash=your_cert_hash_with_no_spaces appid= {123a1111-2222-3333-4444-bbbbcccdddee}

The Guid in the above command can be replaced with one that you generate. It does not correspond to any existing IIS Express value.

For further reference see Handling URL Binding Failures in IIS Express.

13
votes

With new Chrome 58, nothing from the answers below will help. I've just spent 1 hour uninstalling / reinstalling certificates and trying to find out where the problem is.

Apparently Chrome 58 will refuse certificate because "missing_subjectAltName"

The solution is either "badidea" passphrase or if you need to open popups for login you have to use:

chrome://flags/#allow-insecure-localhost

The source is and the upvote belongs to: https://stackoverflow.com/a/38926117/2089232 :)

4
votes

I wanted to add this, because it is ridiculous but maybe it will help someone. Keep in mind that I had never opened my project properties before so I have no idea how this happened (I did not change this myself or have the opportunity to), but in Project > Properties > Web my SSL url was listed as my usual URL but as http instead of https (had previously been https because it was working before). I went through all the steps listed on this page, uninstalled VS, then IIS, and finally noticed the error which should have been https://mySSLURL (but was missing the s in https). Once I changed http to https everything worked again.

1
votes

I just had this issue after updating my VS 2017 to the latest version(s) and created a new (.Net) MVC/WebAPI project (from template). I was able to fix this by adjusting my port numbers to be within the correct range

Chorme Default Port Ranges for DEV SSL

Which I was able to find here: https://www.pluralsight.com/guides/visual-studio-2017-resolving-ssl-tls-connections-problems-with-iis-express

Hope this helps!

0
votes

You can reinstall IIS Express 10.0 (or whatever version you need) to fix the missing certificate. Download from Microsoft here