Demystifying The Code

Self-Signed Certificates on IIS 7 – the Easy Way and the Most Effective Way

I have found myself creating self-signed certificates for developing and testing many times over the years.  It seems that they are spaced out just enough that I forget the process and have to walk up that nasty learning curve again.  Oddly enough, while in the end the process is not difficult, there are some easy wrong turns to take and the good information seems to be spread out over the internet.  For that reason (and so I can refer back to this post later when I need it) I am going to illustrate the typical way to create a self-signed cert on IIS 7, point out the major issue with that process and finally illustrate how to solve that issue once-and-for-all.   

View The Screencast

Please view the screencast of this content on channel9.

The Easy Way – Using The IIS 7 Console

In his 4/6/2007 post "Tip/Trick: Enabling SSL on IIS 7.0 Using Self-Signed Certificates", ScottGu illustrated how to create a self-signed certificate using IIS7.  Feel free to skip this section if you have read that post.  For completeness' sake, I am going to walk through the process:

  1. Create a Site:
    image

    You will notice that I am using host headers for this site.  Next I have added an entry in my hosts file:
    image

  2. Create the self-signed certificate
    image

    Select your server and double-click on “Server Certificates” under IIS under “Features View”.  You will now see the following screen:
    image

    On the next screen, enter the full URL of your test site (including the www, omitting the http://)
    image

    You can see that the certificate is now created. You can also see the issue by looking at the newly created cert in the list: the "Issued To" column shows the common name (CN), or site name, and this is set to the computer's local network name rather than the host name of your site.  There is no way to control this using this tool, so we are stuck with it (for now).
    image 

  3. Enable the Https Binding
    In IIS, navigate to your site and choose "Bindings"
    image

    On the next screen, choose "Add"
    image

    Choose Https and select your certificate from the dropdown list
    image

    As you can now see, https is enabled:
    image

  4. Test It
    To test this, simply add a test.htm page with any content in it.  Then navigate to the page using https://www.testssl.com/test.htm.  Here is where you will see the issue:
    image

    As you can see, IE alerts you to the fact that the certificate was issued for a different site than www.testssl.com. We know that it was issued for the computer's local network name. This may only be a minor inconvenience if you are browsing to pages: you can simply click "Continue to this website (not recommended)".  However, it turns out to be more than a simple inconvenience if you are exposing services over https.  A programmatic client (a web service proxy, for example) has no "continue anyway" button; it validates the name on the certificate and the call simply fails.  We need another solution.
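The name mismatch is easy to miss in the IIS list, so here is a PowerShell check you can run on the dev box before testing. This is an added example, not code from the original post: it walks the Local Machine "Personal" store (where both the IIS 7 console and SelfSSL put their certificates), reads the CN and any Subject Alternative Names from each certificate, and reports which ones actually name the host you browse to. The host name www.testssl.com is the one used in the post; everything else is assumed.

```powershell
# Added example (not part of the original post).
# Assumes the site host name is www.testssl.com and the cert lives in Cert:\LocalMachine\My.

function Get-CertificateHostNames {
    param([Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    # DnsName returns the first SAN DNS entry if one exists, otherwise the Subject CN.
    # For a cert made by the IIS 7 console this is the machine name, which is the whole problem.
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn) { $names += $cn }
    # Subject Alternative Name extension (OID 2.5.29.17); SelfSSL certs do not carry one.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($entry in ($san.Format($false) -split ',\s*')) {
            if ($entry -match '^DNS Name=(.+)$') { $names += $Matches[1] }
        }
    }
    return ($names | Select-Object -Unique)
}

function Test-CertificateHostName {
    param(
        [Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory=$true)][string]$HostName
    )
    foreach ($name in (Get-CertificateHostNames -Certificate $Certificate)) {
        if ($name -eq $HostName) { return $true }
        # Wildcard names match exactly one label, e.g. *.testssl.com matches www.testssl.com only.
        if ($name.StartsWith('*.') -and ($HostName -like $name) -and
            ($HostName.Split('.').Count -eq $name.Split('.').Count)) { return $true }
    }
    return $false
}

$hostName = 'www.testssl.com'   # the address you will type into the browser
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ok = Test-CertificateHostName -Certificate $_ -HostName $hostName
    $verdict = if ($ok) { 'matches' } else { 'NAME MISMATCH - browsers warn, service clients fail' }
    '{0,-45} {1}' -f $_.Subject, $verdict
}
```

Run it in an ordinary (non-elevated) prompt; reading the Local Machine Personal store does not need administrator rights. A certificate created by the IIS 7 console will show up as a mismatch here; one created with the SelfSSL command in the next section will show "matches".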

Solving the Problem

There is a solution to the problem.  We need to go old-school.  The IIS6 Resource Kit contained a tool called SelfSSL.  We need that exe and will use it to create our self-signed cert from the command line.  (BTW, this information was sourced from a blog by Hans Olav.  You can find his post here.)

  1. Delete the certificate from the previous section of this post.
  2. Make sure you have SelfSSL.exe.  If not, you can download the exe here.
  3. Open a command prompt (run as administrator)
  4. Navigate to the directory containing SelfSSL.exe
  5. In IIS, click on the Sites node to get the site id.  We will pass it as an argument to SelfSSL
    image 
  6. As per Olav’s blog, run SelfSSL /N:CN=<your web site address (no http://)> /V:<how many days the certificate should be valid> /S:<site ID from above> [/P:<port, if not 443>]
    For me it was: SelfSSL /N:CN=www.testssl.com /V:1000 /S:2
    image 
  7. Take another look:
    image

    We seem to be good so far.

  8. Test it again
    image

    It appears we still have a problem. Now IE is telling me that the certificate was not issued by a trusted authority – which is true. But in our test environment, we are trusted. So, let’s deal with this…


Adding the Certificate to Trusted Root Certificate Authorities

We could solve this problem by adding the certificate to the Trusted Root Certification Authorities in IE, but if we are exposing services, we will need to add it to the Local Computer store.  Here is what we need to do:

  1. Export the certificate
    image

    image

  2. Open Certificate Manager
    Start | Run | mmc.exe certmgr.msc

  3. Add the cert to "Local Computer" Trusted Root Certification Authorities

    Right-Click on "Certificates" under "Trusted Root Certification Authorities" | All Tasks | Import
    image

    Click Next on the splash screen and enter the path to the export you did in the last step (you need to change the file type filter in the dialog to .pfx, or the file will not be listed)
    image

    Enter the password you created when exporting
    image

    On the next screen, click Browse so we can select the appropriate store (Local Machine)
    image

    Make sure you check the “Show Physical Stores” checkbox and choose “Local Computer” under “Trusted Root Certification Authorities”
    image
    On the next screen click finish. That is it!
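If you would rather script the trust step than click through the wizard, the following PowerShell does the same thing and then confirms the result. This is an added example, not part of the original post: it loads the .pfx you exported in step 1, adds only the public certificate to the Local Computer "Trusted Root Certification Authorities" store (the private key has no business in the Root store), and then builds a certificate chain the same way Windows does, which is the check that produces the "not issued by a trusted authority" warning. The path C:\certs\testssl.pfx and the password are placeholders for your own export.

```powershell
# Added example (not part of the original post). Run from an elevated prompt:
# writing to the LocalMachine Root store needs administrator rights.
# C:\certs\testssl.pfx and 'export-password' are placeholders for the file and
# password you chose when exporting in step 1.

function Add-TrustedRootCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$PfxPath,
        [Parameter(Mandatory=$true)][string]$PfxPassword
    )
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, $flags)

    # Strip the private key: export the DER public certificate and re-import it.
    $publicBytes = $pfx.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $public.Import($publicBytes)

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        if (-not $store.Certificates.Contains($public)) { $store.Add($public) }
    } finally {
        $store.Close()
    }
    return $public.Thumbprint
}

function Test-CertificateTrusted {
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    # The cert with its private key is in the Personal store, where SelfSSL put it.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # A self-signed dev cert publishes no CRL, so revocation checking would always fail.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    if (-not $trusted) {
        # Before the Root import this reports UntrustedRoot, the same thing IE is complaining about.
        foreach ($status in $chain.ChainStatus) {
            Write-Warning ('{0}: {1}' -f $status.Status, $status.StatusInformation.Trim())
        }
    }
    return $trusted
}

$thumb = Add-TrustedRootCertificate -PfxPath 'C:\certs\testssl.pfx' -PfxPassword 'export-password'
if (Test-CertificateTrusted -Thumbprint $thumb) {
    'Trusted: the "not issued by a trusted authority" warning should be gone'
} else {
    'Still untrusted: see the warnings above'
}
```

Running Test-CertificateTrusted before the import is a quick way to reproduce the warning without a browser, and running it afterwards confirms the fix for the service clients that cannot click past the warning. Because the trust is added machine-wide, remove the certificate from the Root store again when the dev box no longer needs it.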


Problem Solved

image

Comments

15 Responses to “Self-Signed Certificates on IIS 7 – the Easy Way and the Most Effective Way”
  1. Chris says:

    Really really nice and clear information !
    Many thanks.

  2. Andreas says:

    Do you know whether or not there is an integrated (easy) way to deploy this certificate to client computers (perhaps through GPO) and are there any limitations for folks using i.e. Firefox or can you just go and import the .PFX file into Firefox as well?

  3. Prashant Parmar says:

    Very nice info…
    i tried and worked. !!!

    Thanks a lot !!!!

  4. Michael says:

    Rob,

    Thanks for the clear solution to what outwardly appears to be a simple problem. Once again, you rock.

  5. admin says:

    These are just test certs intended for use on a dev box. Sorry.

  6. Mattias says:

    There is an easier way to import the certificate on clients, and it doesn’t involve the pfx file.

    1. Start Internet Explorer as administrator
    2. Browse to the application and confirm the certificate warning, i.e. continue to the website
    3. Select page Properties, one way to do this is to right click somewhere in the title bar, make sure Command bar is checked, and then select Page > Properties
    4. Click the Certificates button
    5. In the General tab, click the Install Certificate button
    6. From now on, it’s the same instructions as when importing the pfx file

  7. hadis says:

    it was really useful. thanks a lot

  8. Rivera, Jose says:

    Hi RobBabgy.

    Thank you very much, this is a nice work.

    It was very useful. I could understand the concepts of SSL to apply on IIS 7. In fact! It also helped me to apply Self-Signed Certificates with openssl on IIS 7 including a Self-Signed Certification Authority.

    Regards.
    Jose

  9. Ilya says:

    Thanks! It works! Very useful article.

  10. Rahul says:

    I cannot imagine anyone doing a better job at explaining this “not so easy” process. Thanks Rob !!!

  11. Ahmed Fouad says:

    Very nice, thank you :)

  12. Carl says:

    Thanks! You saved me after a whole day of struggling.

  13. Thorsten says:

    Thank you very much!
    I had done almost everything right but only “almost”.
    Finally I could get our .NET application working with the help of your explanations. Well done!
    Regards
    Thorsten

  14. serdar says:

    You have helped me a lot, thank you so much

  15. Vaibhav says:

    Thanks a lot for good KB article. It helped me a lot to setup https site on my Dev box.
