Self-Signed Certificates on IIS 7 – the Easy Way and the Most Effective Way
I have found myself creating self-signed certificates for developing and testing many times over the years. It seems that they are spaced out just enough that I forget the process and have to walk up that nasty learning curve again. Oddly enough, while in the end the process is not difficult, there are some easy wrong turns to take and the good information seems to be spread out over the internet. For that reason (and so I can refer back to this post later when I need it) I am going to illustrate the typical way to create a self-signed cert on IIS 7, point out the major issue with that process and finally illustrate how to solve that issue once-and-for-all.
View The Screencast
The Easy Way – Using The IIS 7 Console
In a post Tip/Trick: Enabling SSL on IIS 7.0 Using Self-Signed Certificates on 4/6/2007, ScottGu illustrated how to create a self-signed certificate using IIS7. Feel free to skip this section if you have read that post. For completeness' sake, I am going to walk through the process:
- Create a Site:
You can see that the certificate is now created. You can also see the issue by looking at the newly created cert in the list. The issued-to field lists the common name (CN), or site name, and this is set to the computer's local network name. There is no way to control this using this tool, so we are stuck with it (for now).
As you can see, IE alerts you to the fact that the certificate was issued for a different site than www.testssl.com. We know that it was issued for the computer's local network name. This may only be a minor inconvenience if you are browsing to pages. In this case you can simply click “Continue to this website (not recommended)”. However, it turns out to be more than a simple inconvenience if you are exposing services over https. They simply won’t work. We need another solution.
Solving the Problem
There is a solution to the problem. We need to go old-school. The IIS6 Resource Kit contained a tool called SelfSSL. We need that exe and will use it to create our self-signed cert from the command line. (BTW, this information was sourced from a blog by Hans Olav. You can find his post here.)
- Delete the certificate from the previous section of this post.
- Make sure you have SelfSSL.exe. If not, you can download the exe here.
- Open a command prompt (run as administrator)
- Navigate to the directory containing SelfSSL.exe
- In IIS, click on the Sites node to get the site id. We will pass it as an argument to SelfSSL
- As per Olav’s blog, run SelfSSL /N:CN=<your web site address (no http://)> /V:<how many days the certificate should be valid> /S:<site ID from above> [/P:<port, if not 443>]
For me it was: SelfSSL /N:CN=www.testssl.com /V:1000 /S:2
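Before moving on, it is worth confirming that SelfSSL did what we asked: the certificate in the Local Computer personal store should carry the CN we passed, the validity we passed, and its thumbprint should be what IIS bound to port 443. The PowerShell script below is an added check, not part of the original post or of SelfSSL itself; it assumes the host name www.testssl.com, the 1000-day validity and the default port 443 from the command above, and that SelfSSL placed the cert in LocalMachine\My (which is where IIS expects it).

```powershell
# Added example (not from the original post): verify the certificate SelfSSL just
# created. Values below are assumptions taken from the SelfSSL command in the post.
param(
    [string]$ExpectedHost = "www.testssl.com",   # the /N:CN= value
    [int]$ExpectedDays    = 1000,                # the /V: value
    [string]$IpPort       = "0.0.0.0:443"        # default binding when /P: is omitted
)

# SelfSSL installs the certificate into the Local Computer personal store (My).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadOnly")
# @() forces an array so .Count works even when exactly one cert matches.
$candidates = @($store.Certificates | Where-Object { $_.Subject -eq "CN=$ExpectedHost" })
$store.Close()

if ($candidates.Count -eq 0) {
    Write-Warning "No certificate with subject CN=$ExpectedHost in LocalMachine\My. Check the /N: argument."
    return
}

# What is actually bound to the HTTPS port (this is what browsers and services see).
$binding = netsh http show sslcert ipport=$IpPort

foreach ($cert in $candidates) {
    $days = ($cert.NotAfter - $cert.NotBefore).Days
    "Thumbprint : $($cert.Thumbprint)"
    "Subject    : $($cert.Subject)"
    "Issuer     : $($cert.Issuer)"
    "Valid      : $($cert.NotBefore) -> $($cert.NotAfter) ($days days)"

    if ($cert.Subject -ne $cert.Issuer) {
        Write-Warning "Certificate is not self-signed (issuer differs from subject)."
    }
    if ([Math]::Abs($days - $ExpectedDays) -gt 1) {
        Write-Warning "Validity is $days days, expected $ExpectedDays (check the /V: argument)."
    }
    # netsh prints the hash in lower-case hex; -match is case-insensitive by default.
    if (($binding -join "`n") -match $cert.Thumbprint) {
        "Binding    : this certificate is bound to $IpPort"
    } else {
        Write-Warning "This certificate is NOT bound to $IpPort; IIS may still be serving the old cert."
    }
}
```

If the Subject line still shows the machine's network name rather than www.testssl.com, the old certificate from the IIS console was not deleted or the /S: site ID was wrong; the binding warning catches the case where the cert exists but IIS is still serving the previous one.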
We seem to be good so far.
It appears we still have a problem. Now IE is telling me that the certificate was not issued by a trusted authority – which is true. But in our test environment, we are trusted. So, let’s deal with this…
Adding the Certificate to Trusted Root Certificate Authorities
We could solve this problem by adding the certificate to the Trusted Root Certification Authorities in IE, but if we are exposing services, we will need to add it to the Local Computer store. Here is what we need to do:
Open Certificate Manager
Start | Run | mmc.exe certmgr.msc
Add the cert to "Local Computer" Trusted Root Certification Authorities
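The same result can be scripted, which is handy when the test environment gets rebuilt. The PowerShell below is an added example, not from the original post: it copies the self-signed certificate for the site from LocalMachine\My into the Local Computer Trusted Root Certification Authorities store (LocalMachine\Root) and then builds the chain the way the machine will when a service connects, so you can see the trust problem disappear without opening a browser. It assumes the host name www.testssl.com from the SelfSSL step and must be run from an elevated prompt. Only the public certificate is copied; the private key stays in the personal store, since nothing in the root store should ever carry a private key.

```powershell
# Added example (not from the original post): trust the site's self-signed cert on
# the Local Computer and verify the chain. Host name is an assumption from the post.
param([string]$SiteHost = "www.testssl.com")

# Locate the self-signed cert (subject equals issuer) in LocalMachine\My.
$my = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$my.Open("ReadOnly")
$cert = @($my.Certificates | Where-Object {
    $_.Subject -eq "CN=$SiteHost" -and $_.Subject -eq $_.Issuer
}) | Select-Object -First 1
$my.Close()
if (-not $cert) { throw "No self-signed certificate for CN=$SiteHost in LocalMachine\My" }

# Add the public certificate (no private key) to Trusted Root Certification Authorities.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$root.Open("ReadWrite")   # requires an elevated prompt
$already = @($root.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
if ($already.Count -eq 0) {
    # Export("Cert") yields DER bytes of the public certificate only.
    $public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert.Export("Cert"))
    $root.Add($public)
    "Added $($cert.Thumbprint) to LocalMachine\Root"
} else {
    "Already trusted: $($cert.Thumbprint)"
}
$root.Close()

# Verify: build the chain as Windows will when a client on this machine connects.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"   # a self-signed test cert publishes no CRL
if ($chain.Build($cert)) {
    "Chain builds: CN=$SiteHost is now trusted by the Local Computer"
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}
```

Before the root store entry exists, the chain build reports UntrustedRoot, which is exactly what IE was complaining about; afterwards it succeeds. Note that the chain check covers trust only: the name mismatch from the first half of the post is checked separately by the client at connection time, which is why the CN had to be fixed with SelfSSL first.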