Self-Signed Certificates on IIS 7 – the Easy Way and the Most Effective Way
I have found myself creating self-signed certificates for developing and testing many times over the years. It seems that they are spaced out just enough that I forget the process and have to walk up that nasty learning curve again. Oddly enough, while in the end the process is not difficult, there are some easy wrong turns to take and the good information seems to be spread out over the internet. For that reason (and so I can refer back to this post later when I need it) I am going to illustrate the typical way to create a self-signed cert on IIS 7, point out the major issue with that process and finally illustrate how to solve that issue once-and-for-all.
View The Screencast
Please view the screencast of this content on channel9.
The Easy Way – Using The IIS 7 Console
In a post, Tip/Trick: Enabling SSL on IIS 7.0 Using Self-Signed Certificates (4/6/2007), ScottGu illustrated how to create a self-signed certificate using IIS 7. Feel free to skip this section if you have read that post. For completeness' sake, I am going to walk through the process:
- Create a Site:
You will notice that I am using host headers for this site. Next I have added an entry in my hosts file:
- Create the self-issued certificate
Select your server and double-click on “Server Certificates” under IIS under “Features View”. You will now see the following screen:
On the next screen, enter the full url to your test site (including the www, omitting the http://)
You can see that the certificate is now created. You can also see the issue by looking at the newly created cert in the list. The issued-to field lists the common name (CN), or site name, and this is set to the computer's local network name. There is no way to control this using this tool, so we are stuck with it (for now).
- Enable the Https Binding
In IIS, navigate to your site and choose "Bindings"
On the next screen, choose "Add"
Choose Https and select your certificate from the dropdown list
- Test It
To test this, simply add a test.htm page with any content in it. Then navigate to the page using https://www.testssl.com/test.htm. Here is where you will see the issue:
As you can see, IE alerts you to the fact that the certificate was issued for a different site than www.testssl.com. We know that it was issued for the computer's local network name. This may only be a minor inconvenience if you are browsing to pages. In this case you can simply click “Continue to this website (not recommended)”. However, it turns out to be more than a simple inconvenience if you are exposing services over https. They simply won’t work. We need another solution.
Solving the Problem
There is a solution to the problem. We need to go old-school. The IIS6 Resource Kit contained a tool called SelfSSL. We need that exe and will use it to create our self-signed cert from the command line. (BTW, this information was sourced from a blog by Hans Olav. You can find his post here.)
- Delete the certificate from the previous section of this post.
- Make sure you have SelfSSL.exe. If not, you can download the exe here.
- Open a command prompt (run as administrator)
- Navigate to the directory containing SelfSSL.exe
- In IIS, click on the Sites node to get the site id. We will pass it as an argument to SelfSSL
- As per Olav’s blog, run SelfSSL /N:CN=<your web site address (no http://)> /V:<how many days the certificate should be valid> /S:<site ID from above> [/P:<port, if not 443>]
For me it was: SelfSSL /N:CN=www.testssl.com /V:1000 /S:2
- We seem to be good so far.
- It appears we still have a problem. Now IE is telling me that the certificate was not issued by a trusted authority, which is true. But in our test environment, we are trusted. So, let’s deal with this…
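The SelfSSL command above sets the certificate's CN to the site address, which is exactly what the IIS 7 console cannot do. The following is an added example, not code from the original post or from SelfSSL, that produces the same result with the PowerShell cmdlets that ship with newer Windows versions: it creates a certificate whose CN and Subject Alternative Name both equal the host name, keeps the /V:1000 validity from the post, adds the https binding with the host header, and attaches the certificate to it. It assumes Windows 10 / Server 2016 or later (New-SelfSignedCertificate with -FriendlyName and -NotAfter), the WebAdministration module, an elevated prompt, and that the IIS site (id 2 in the post) is named testssl; the site name is an assumption.

```powershell
# Added example (not the post's own procedure). Assumes an elevated PowerShell prompt,
# the PKI module (New-SelfSignedCertificate) and the IIS WebAdministration module.
Import-Module WebAdministration

$HostName  = 'www.testssl.com'   # site address used throughout the post
$SiteName  = 'testssl'           # assumed IIS site name (the post refers to it by site id 2)
$ValidDays = 1000                # same validity the post passes to SelfSSL as /V:1000

# 1. Create the certificate with the correct name. -DnsName sets both the CN and the SAN
#    entry, which is what the browser compares against the URL's host name.
$cert = New-SelfSignedCertificate -DnsName $HostName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -FriendlyName $HostName `
    -NotAfter (Get-Date).AddDays($ValidDays)

# 2. Add the https binding for the host header if it does not already exist.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
}

# 3. Attach the new certificate (from the LocalMachine\My store) to that binding.
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Show what was created: the Subject should read CN=www.testssl.com, not the machine name.
$cert | Format-List Subject, Thumbprint, NotAfter
```

At this point the name mismatch is gone, but the browser will still report an untrusted issuer, which is the problem the next section deals with.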
Adding the Certificate to Trusted Root Certificate Authorities
We could solve this problem by adding the certificate to the Trusted Root Certification Authorities in IE, but if we are exposing services, we will need to add it to the Local Computer. Here is what we need to do:
- Open Certificate Manager
Start | Run | mmc.exe certmgr.msc
- Add the cert to "Local Computer" Trusted Root Certification Authorities
Right-Click on "Certificates" under "Trusted Root Certification Authorities" | All Tasks | Import
Click Next on the splash screen and enter the path to the export you did in the last step (you need to change the file extension choice in the dialog to pfx)
Enter the password you created when exporting
On the next screen, click Browse so we can select the appropriate store (Local Machine)
Make sure you check the “Show Physical Stores” checkbox and choose “Local Computer” under “Trusted Root Certification Authorities”
On the next screen click finish. That is it!
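The same trust step can be scripted, and it is worth verifying the result rather than relying on the browser warning. The following is an added example, not part of the original post: it finds the site's certificate (created with CN=www.testssl.com as in the SelfSSL step) in the Local Computer personal store, places it in the Local Computer Trusted Root Certification Authorities store, and then runs a check that reports the two failure modes the post encountered separately: whether the certificate's names match the host, and whether the chain now builds to a trusted root. It assumes an elevated prompt on the same machine; the temporary file path and the function name Test-SiteCertificate are my own.

```powershell
# Added example (not the post's own procedure). Assumes an elevated PowerShell prompt
# on the IIS machine and a certificate with CN=www.testssl.com in LocalMachine\My.
$HostName = 'www.testssl.com'

# Locate the site's certificate by subject; take the newest if several exist.
$cert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq "CN=$HostName" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$HostName found in LocalMachine\My" }

# Only the public certificate needs to be trusted. Exporting a .cer (no private key) and
# importing that keeps the private key out of the root store; the site keeps using the
# copy in LocalMachine\My. The file path is a constructed temporary location.
$cerPath = Join-Path $env:TEMP "$HostName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Remove-Item $cerPath

function Test-SiteCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedHost
    )
    # Check 1: the names a browser compares against the URL. The CN (via GetNameInfo) and
    # every DNS entry in the Subject Alternative Name extension (OID 2.5.29.17) are collected.
    # The IIS console certificate fails here because it is named after the machine.
    $names = @($Certificate.GetNameInfo('DnsName', $false))
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ', ' | ForEach-Object { ($_ -split '=')[-1] })
    }
    $names = $names | Sort-Object -Unique

    # Check 2: the chain builds to a root this machine trusts. A self-signed certificate
    # fails here until it sits in Trusted Root Certification Authorities.
    $chainTrusted = $Certificate.Verify()

    [pscustomobject]@{
        Thumbprint   = $Certificate.Thumbprint
        Names        = ($names -join ', ')
        NameMatches  = ($names -contains $ExpectedHost)
        ChainTrusted = $chainTrusted
        Expires      = $Certificate.NotAfter
    }
}

# Both NameMatches and ChainTrusted should now be True; if only ChainTrusted is False,
# the trust step did not land in the Local Computer store (the IE/current-user store
# does not help services).
Test-SiteCertificate -Certificate $cert -ExpectedHost $HostName
```

Running the check before and after the import makes the two symptoms from the post visible side by side: the console-created certificate reports NameMatches False, and any self-signed certificate reports ChainTrusted False until it is in the Local Computer root store.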

This is the best way to describe a problem and its solution. Simply awesome.