TL;DR: I have Win7 and IIS 7.5 with only one website on my PC, which is a dev copy of a site I am developing for a friend. The site has an admin module that requires HTTPS. Pre-Covid, everything was working. After a 3-year gap in doing anything, Firefox and Chrome complained about the SSL protocol, so after some research, I enabled TLS 1.1 and 1.2 in the registry. That apparently solved things for my friend and his local copy (also Win7 and IIS 7.5), but I am still having (different) server certificate issues on my PC.
After a bunch more research and playing around trying to get a SAN-enabled self-signed certificate that I could upload to IIS, and then realizing that the old IIS-generated self-signed certificate was expired anyway, I now have the following situation:
- I have removed the expired, IIS-generated self-signed certificate from IIS and from the Trusted Root CAs list on my PC.
- IIS currently has two self-signed certificates uploaded to it:
  - A new IIS-generated, self-signed certificate that expires in 2024 and is listed in my Trusted Root CAs list
    - Version: V3
    - Issuer and Subject: myHostname
    - Signature algorithm: sha1RSA
    - Public Key: 2048 bits
    - Key Usage [green]: Key Encipherment, Data Encipherment (30)
    - Enhanced Key Usage [green]: Server Authentication (1.3.6.1.5.5.7.3.1)
    - Intended purposes
      - Ensures the identity of a remote computer
      - All issuance policies
  - An MMC-generated, self-signed certificate that expires in 2024 and is listed in my Trusted Root CAs list
    - Version: V3
    - Issuer and Subject: myHostname
    - Signature algorithm: sha1RSA
    - Public Key: RSA (2048 bits)
    - Subject Alternative Name [green]:
      - DNS Name=localhost
      - IP Address=10.0.0.myLocalNode
      - IP Address=127.0.0.1
    - Enhanced Key Usage [green]: Server Authentication (1.3.6.1.5.5.7.3.1)
    - Application Policies [green]
      - [1]Application Certificate Policy: Policy Identifier=Server Authentication
    - 1.3.6.1.4.1.311.10.11.11: [looks like the friendly name in unicode]
    - 1.3.6.1.4.1.311.10.11.13: [looks like the description in unicode]
    - Key Usage [YELLOW]: Key Encipherment, Data Encipherment (30)
    - Intended purposes
      - Ensures the identity of a remote computer
      - All issuance policies
- Firefox and Chrome both still see the old, expired certificate when I browse to https://10.0.0.myLocalNode/adminModule, https://127.0.0.1/adminModule, or https://localhost/adminModule.
- The error message for Firefox 115.5.0 is SSL_ERROR_BAD_CERT_DOMAIN, which is the same error it was getting before I created the new certificates. If I try to proceed anyway, I get “An error occurred during a connection to localhost. SSL received an unexpected Hello Request handshake message.” Error code: SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST. This is also the same as I was getting before.
- The error message for Chrome 109.0.5414.120 is NET::ERR_CERT_AUTHORITY_INVALID. I don’t remember what error message I was getting before, but I think it was the same. If I try to proceed anyway, I get “127.0.0.1 [or 10.0.0.myLocalNode, or localhost] sent an invalid response.” ERR_SSL_PROTOCOL_ERROR.
- I even tried using IE 11 (which I never use), and it gives me a certificate error page, too, although it doesn’t show me the certificate:
  There is a problem with this website’s security certificate.
  The security certificate presented by this website was issued for a different website’s address.
  The security certificate presented by this website was not issued by a trusted certificate authority.
  The security certificate presented by this website has expired or is not yet valid.
I’ve tried restarting IIS numerous times.
I’ve tried restarting my browsers.
I’ve tried F5, alt-F5, ctrl-F5, shift-F5 to try to get the browsers to refresh the page.
I’ve tried clearing my Chrome browser cache in its privacy settings.
I’ve tried restarting my computer at some point during the troubleshooting process, although at this point I don’t remember exactly when.
I’ve tried running Windows Network Diagnostics when it is offered, and it doesn’t find anything.
Questions:
- What am I missing?
- What do I need to do to really get rid of the old, expired certificate?
- Is there any way to get rid of the yellow warning on my MMC-generated certificate? I tried unchecking the option that marks the key usages as critical, but that didn’t make any difference. I think they are marked as critical on the MMC-generated certificate that is there now.
- Could the problem be simply the expired certificate, and have nothing to do with SAN at all?
- Is it a problem having two certificates?
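A diagnostic added here (not from the post, and not IIS's own tooling) that separates the three things the question mixes together: which certificate the server actually presents on port 443, which certificate hash the HTTP.sys binding points at, and where copies of that certificate still sit in the machine stores. It assumes HTTPS on the default port 443, TLS 1.2 enabled on the server as the post describes, and .NET 4.5 or later for the `Tls12` enum value.

```powershell
# Added diagnostic (not from the original post). Assumptions: HTTPS on port 443,
# TLS 1.2 enabled server-side, .NET 4.5+ so SslProtocols::Tls12 exists.
$TargetHost = '127.0.0.1'   # also try 'localhost' and the 10.0.0.x address

function Get-ServedCertificate {
    param([string]$TargetHost, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    try {
        # Accept whatever the server presents: we only inspect the certificate, never trust it.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($TargetHost, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        # Wrap as X509Certificate2 to expose Thumbprint and NotAfter.
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

$served = Get-ServedCertificate -TargetHost $TargetHost
'Served: subject={0} thumbprint={1} expires={2}' -f $served.Subject, $served.Thumbprint, $served.NotAfter

# The site's HTTPS binding lives in HTTP.sys as a certificate hash. Uploading a new
# certificate to IIS Manager's Server Certificates list does not change that hash, so if the
# hash shown here matches the old certificate, that is the one browsers keep receiving.
netsh http show sslcert | Select-String -Pattern 'IP:port', 'Certificate Hash', 'Certificate Store Name'

# Find every remaining copy of the served certificate in the machine stores, expired or not.
foreach ($store in 'My', 'Root', 'CA') {
    Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Thumbprint -eq $served.Thumbprint } |
        ForEach-Object { "Copy in LocalMachine\$store: expires $($_.NotAfter)" }
}
```

Run it in an elevated PowerShell; if the served thumbprint differs from both new certificates' thumbprints, the binding rather than the store contents is what still needs changing.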