Running Confluence Over SSL or HTTPS - self-signed for internally only accessed confluence intranet

Volta Faaesea November 4, 2018

Hi, I've followed the Confluence doc below for this setup, but I need to resolve an issue regarding a "SAN (Subject Alternative Name) missing" insecure error which constantly pops up in Chrome and other browsers when local users go to our local secured intranet now, e.g. HTTPS://TCG Intranet, etc.

https://confluence.atlassian.com/doc/running-confluence-over-ssl-or-https-161203.html?_ga=2.267571598.1475416895.1533519498-1768351994.1532557169

Is there a way to add a SAN entry to the cert? I've done a ton of searching....

I used keytool successfully; the article below was helpful to a point:

https://stackoverflow.com/questions/30755220/how-to-create-csr-with-sans-using-keytool


1 answer

1 accepted

0 votes
Answer accepted
Volta Faaesea November 7, 2018

Sorted. The below works; alternatively you could recreate the self-signed cert on your domain controller cert server but add the additional 'subject alternative name' entries (which are the same as the CN entry plus any other DNS names associated with the same IP), then convert the pfx file to a keystore type, etc.:

Here are my instructions using the KeyStore Explorer tool.

The 2 things I was previously missing when I created the cert were:

  • AKID (Authority Key Identifier) - select the same "CN=" you used when creating it.
  • Adding in the "Basic Constraints" option (do not select "is a CA")

Without those 2 things Chrome will issue warnings / errors even when you have installed the self-signed certificate into your MS-CAPI PKI Trust store (as a "Trusted Root Authority").

Here are the steps I used.

  1. Instructions using KSE (KeyStore Explorer)
  2. Create a JKS
  3. Creating a self-signed certificate
  4. Open KeyStore Explorer
  5. File | New | JKS | OK
  6. Create a password for your JKS file
  7. File | Save as... | enter your password
  8. Enter file name | OK
  9. Tools | Generate Key Pair
  10. Select algorithm and key size (i.e. 2048) | OK
  11. Select validity period (i.e. 5 years)
  12. Select Name (book icon) | enter in Name fields | OK
  13. I.e. "CN=localhost…"
  14. Add Extensions (very important); this determines what type of certificate it will be and how it can be used. This example will be for a standard server certificate with SSL.
  15. Add in the Key Usage item
  16. Add in the Digital Signature and Key Encipherment option checkboxes
  17. Add in the EKU (Extended Key Usage) options
  18. Select both of these options:
  19. TLS Web Client Authentication
  20. TLS Web Server Authentication
  21. Add in the SANs (Subject Alternative Name)
  22. Add in all the needed DNS names and IP addresses (if applicable) for which this server will be used (repeat for all desired values), e.g. 127.0.0.1 and localhost (or )
  23. It will look something like this when it's done
  24. When it's done you will see all the fields with the OIDs (Object Identifiers) listed | OK | OK
  25. Add in the AKID (Authority Key Identifier)
  26. Add Extensions "+"
  27. Add Extension Type | Authority Key Identifier
  28. Select the Authority Cert Issuer of the CN that you created above (e.g. "CN=localhost...") | OK
  29. Add in a "Basic Constraints" (do NOT check "Subject is a CA")
  30. When you're done you'll see these listed; hit "OK"
  31. Note: the Basic Constraints and AKID (Authority Key Identifier) are needed for the Chrome browser to validate the self-signed certificate as a trusted certificate.
  32. Otherwise you'll see warning or error messages even after you have added this certificate, explicitly, to your MS-CAPI Trusted Root certificates.
  33. Enter in the alias of the key pair name you want to use
  34. Enter in the private key pair password
  35. *Note: this password MUST be the same as the JKS file keystore password or Java may fail silently when trying to use this certificate.
  36. You should see a message indicating success. | OK
  37. Then save the file: File | Save.
  38. Then right-click in KeyStore Explorer and select "Export" the "public key". You can then save this as either a .p7 or .cer / .crt extension. Once you have that file you can import your .cer file into trusted certs via 'Internet Options', Content tab, etc.
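The KeyStore Explorer procedure above, expressed as openssl commands. This is an added example, not part of the original answer and not Atlassian's or KeyStore Explorer's own tooling; it assumes `openssl` (1.1.1 or 3.x) is on the PATH. It writes the same extensions the answer lists (Key Usage, Extended Key Usage, SAN, AKID, Basic Constraints with CA:FALSE) into a self-signed server certificate, checks that each one is actually present in the result, checks that a hostname or IP matches the SAN the way a browser would, and bundles key and certificate into a PKCS12 keystore that Tomcat (and therefore Confluence) can load. The hostname `confluence.intranet.example`, the IP `127.0.0.1`, the alias `tomcat` and the password `changeit` are placeholders to replace with your own values.

```shell
#!/bin/sh
# Added example (not from the original post, Atlassian or KSE): the KSE steps
# above as openssl commands. Hostnames, IP, alias and password are placeholders.
set -eu

# Generate a self-signed server certificate.
#   $1 output directory  $2 CN  $3 SAN list in openssl syntax
#   (e.g. "DNS:host,DNS:host.example,IP:10.0.0.5")  $4 validity in days
make_server_cert() {
  dir="$1"; cn="$2"; sans="$3"; days="$4"
  # Config section mirroring the KSE extension dialogs. SKID is listed before
  # AKID so openssl can copy it into the AKID (self-signed: issuer == subject).
  cat > "$dir/server.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_server

[ dn ]
CN = $cn

[ v3_server ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = $sans
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -config "$dir/server.cnf" -subj "/CN=$cn" \
    -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Print, one per line, whichever of the extensions from the answer a
# certificate is missing; return 0 only when none is missing.
check_server_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  rc=0
  for want in 'Subject Alternative Name' 'Authority Key Identifier' 'CA:FALSE' \
              'Key Encipherment' 'TLS Web Server Authentication'; do
    printf '%s\n' "$text" | grep -q "$want" || { echo "missing: $want"; rc=1; }
  done
  return $rc
}

# Does the name users will type match the certificate's SAN entries?
# Uses openssl's own matcher (-checkhost / -checkip); 0 = match, 1 = no match.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}
cert_matches_ip() {
  openssl x509 -in "$1" -noout -checkip "$2" | grep -q ' does match '
}

# Bundle key + certificate into a PKCS12 keystore for the Tomcat connector
# (keystoreFile="..." keystoreType="PKCS12" keystorePass="..."). One password
# for both store and key, which is what the answer's note 35 requires.
make_keystore() {
  dir="$1"; alias="$2"; password="$3"
  openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" \
    -name "$alias" -passout "pass:$password" -out "$dir/keystore.p12"
}

# Optional: convert the PKCS12 to JKS with a JDK's keytool (needs a JDK on
# the PATH; not run by the demo below).
make_jks() {
  dir="$1"; password="$2"
  keytool -importkeystore -noprompt -srckeystore "$dir/keystore.p12" \
    -srcstoretype PKCS12 -srcstorepass "$password" \
    -destkeystore "$dir/keystore.jks" -deststoretype JKS -deststorepass "$password"
}

# Demo with constructed placeholder names (replace with your intranet values).
DEMO=$(mktemp -d)
make_server_cert "$DEMO" "confluence.intranet.example" \
  "DNS:confluence.intranet.example,DNS:confluence,IP:127.0.0.1" 1825
check_server_cert "$DEMO/server.crt" && echo "all required extensions present"
cert_matches_host "$DEMO/server.crt" confluence && echo "SAN matches 'confluence'"
make_keystore "$DEMO" tomcat changeit
echo "keystore written to $DEMO/keystore.p12"
```

Point the Confluence connector in server.xml at `keystore.p12` with `keystoreType="PKCS12"`, and import `server.crt` into the clients' Trusted Root store exactly as in step 38. If an older Java on the Confluence host cannot open the PKCS12 file, re-run the export with `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1`, or convert it to JKS with `make_jks`. Running `check_server_cert` against a certificate made with a plain `openssl req -x509` and only a CN reproduces the question's problem: it reports `missing: Subject Alternative Name`.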
Doolaeghe Julien
Contributor
May 24, 2019

It is a pity that you do not provide the commands to run with it; it looks like a very hard way to implement. Is there no shorter way than 38 steps?
