2 min read

What is the function of HSTS

HSTS stands for HTTP Strict Transport Security and it tells your browser that your web content should always be served over HTTPS. See Security Headers for more info

Adding a signed localhost certificate to the Trusted Root Certification Authorities store

Newer versions of chrome require the server’s cert must contain a “subjectAltName” otherwise known as a SAN certificate. If you are using an older signed certificate which only references a commonName, then you might still get rejected by Chrome even if you’re certificate is valid.



Generate the certificate

Open Windows Powershell in Admin mode

Run the following command to generate a SAN certificate that expires in 5 years, saved to your Personal list of certificates

New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -NotAfter (Get-Date).AddYears(5) -DnsName "localhost" -FriendlyName "LocalHost SAN Certificate"


Export the certificate

Open the Certificate Manager (windows key => Manage Computer Certificates) and navigate to Personal => Certificates
Right click the certificate we just generated and click All Tasks => Export. Click next on the first screen
Click “Yes, export the private key” then click next
Make sure the “Export all extended properties” checkbox is checked and click next
Set a password
Save the file to your location of choice depending on your project (for example Download folder -> Certificates). Save it as “localhost.pfx”.
Click next until the export is finished


Import and trust the certificate

Now we need to import this certificate into our “Trusted Root Certification Authorities”. So with the certificate manager open, expand “Trusted Root Certification Authorities” and right click

Certificates => All tasks => Import

Click next, then browse for the file we just exported (you might need to change the file extension the windows explorer is searching for from .cer,.crt to .pfx). Select localhost.pfx and open.
Click next and enter the password we set previously and click next again
Make sure it’s placing the certificate in the Trusted Root Certification Authorities store
Finish the import.


Configure your Kestrel to serve the new certificate

If you’re using Kestrel to serve your development site, then you’ll have to use the new certificate in your Kestrel config:

new WebHostBuilder()
    .UseKestrel(options =>
            options.Listen(IPAddress.Loopback, 5001, listenOptions =>
                listenOptions.NoDelay = true;
                listenOptions.UseHttps("certificates\\localhost.pfx", "mypassword");

At this point you should be able to navigate to a localhost web page in chrome and chrome should trust the certificate.