SEARCH

How-To Geek

IT: How To Create a Self Signed Security (SSL) Certificate and Deploy it to Client Machines

image

Developers and IT administrators have, no doubt, the need the deploy some website through HTTPS using an SSL certificate. While this process is pretty straightforward for a production site, for the purposes of development and testing you may find the need to use an SSL certificate here as well.

As an alternate to purchasing and renewing a yearly certificate, you can leverage your Windows Server’s ability to generate a self signed certificate which is convenient, easy and should meet these types of needs perfectly.

Creating a Self Signed Certificate on IIS

While there are several ways to accomplish the task of creating a self signed certificate, we will use the SelfSSL utility from Microsoft. Unfortunately, this doesn’t ship with IIS but it is freely available as part of the IIS 6.0 Resource Toolkit (link provided at the bottom of this article). Despite the name “IIS 6.0″ this utility works just fine in IIS 7.

All that is required is to extract the IIS6RT to get the selfssl.exe utility. From here you can copy it to your Windows directory or a network path/USB drive for future use on another machine (so you don’t have to download and extract the full IIS6RT).

Once you have the SelfSSL utility in place, run the following command (as the Administrator) replacing the values in <> as appropriate:

selfssl /N:CN=<your.domain.com> /V:<number of valid days>

The example below produces a self signed wildcard certificate against “mydomain.com” and sets it to be valid for 9,999 days. Additionally, by answering yes to the prompt, this certificate is automatically configured to bind to port 443 inside the Default Web Site of IIS.

image

While at this point the certificate is ready to use, it is stored only in the personal certificate store on the server. It is a best practice to also have this certificate set in the trusted root as well.

Go to Start > Run (or Windows Key + R) and enter “mmc”. You may receive a UAC prompt, accept it and an empty Management Console will open.

image

In the console, go to File > Add/Remove Snap-in.

image

Add Certificates from the left side.

image

Select Computer account.

image

Select Local computer.

image

Click OK to view the Local Certificate store.

image

Navigate to Personal > Certificates and locate the certificate you setup using the SelfSSL utility. Right-click the certificate and select Copy.

image

Navigate to Trusted Root Certification Authorities > Certificates. Right-click on the Certificates folder and select Paste.

image

An entry for the SSL certificate should appear in the list.

image

At this point, your server should have no problems working with the self signed certificate.

 

Exporting the Certificate

If you are going to be accessing a site which uses the self signed SSL certificate on any client machine (i.e. any computer which is not the server), in order to avoid a potential onslaught of certificate errors and warnings the self signed certificate should be installed on each of the client machines (which we will discuss in detail below). To do this, we first need to export the respective certificate so it can be installed on the clients.

Inside of the console with the Certificate Management loaded, navigate to Trusted Root Certification Authorities > Certificates. Locate the certificate, right-click and select All Tasks > Export.

image

When prompted to export the private key, select Yes. Click Next.

image

Leave the default selections for the file format and click Next.

image

Enter a password. This will be used to protect the certificate and users will not be able to import it locally without entering this password.

image

Enter a location to export the certificate file. It will be in PFX format.

image

Confirm your settings and click Finish.

image

The resulting PFX file is what will be installed to your client machines to tell them that your self signed certificate is from a trusted source.

 

Deploying to Client Machines

Once you have the created the certificate on the server side and have everything working, you may notice that when a client machine connects to the respective URL, a certificate warning is displayed. This happens because the certificate authority (your server) isn’t a trusted source for SSL certificates on the client.

image

You can click through the warnings and access the site, however you may get repeated notices in the form of a highlighted URL bar or repeating certificate warnings. To avoid this annoyance, you simply need to install the custom SSL security certificate on the client machine.

Depending on the browser you use, this process can vary. IE and Chrome both read from the Windows Certificate store, however Firefox has a custom method of handling security certificates.

 

Important Note: You should never install a security certificate from an unknown source. In practice, you should only install a certificate locally if you generated it. No legitimate website would require you to perform these steps.

 

Internet Explorer & Google Chrome – Installing the Certificate Locally

Note: Even though Firefox does not use the native Windows certificate store, this is still a recommended step.

Copy the certificate which was exported from the server (the PFX file) to the client machine or ensure it is available in a network path.

Open the local certificate store management on the client machine using the exact same steps as above. You will eventually end up on a screen like the one below.

image6

On the left side, expand Certificates > Trusted Root Certification Authorities. Right click on the Certificates folder and select All Tasks > Import.

image7

Select the certificate which was copied locally to your machine.

image8

Enter the security password assigned when the certificate was exported from the server.

image9

The store “Trusted Root Certification Authorities” should be prefilled as the destination. Click Next.

image10

Review the settings and click Finish.

image11

You should see a success message.

image12

Refresh your view of the Trusted Root Certification Authorities > Certificates folder and you should see the server’s self signed certificate listed in the store.

image

One this is done, you should be able to browse to an HTTPS site which uses these certificates and receive no warnings or prompts.

 

Firefox – Allowing Exceptions

Firefox handles this process a bit differently as it does not read certificate information from the Windows store. Rather than installing certificates (per-se), it allows you to define exceptions for SSL certificates on particular sites.

When you visit a site which has a certificate error, you will get a warning like the one below. The area in blue will name the respective URL you are trying to access. To create an exception to bypass this warning on the respective URL, click the Add Exception button.

image

In the Add Security Exception dialog, click the Confirm Security Exception to configure this exception locally.

image

Note that if a particular site redirects to subdomains from within itself, you may get multiple security warning prompts (with the URL being slightly different each time). Add exceptions for those URLs using the same steps as above.

 

Conclusion

It is worth repeating the notice above that you should never install a security certificate from an unknown source. In practice, you should only install a certificate locally if you generated it. No legitimate website would require you to perform these steps.

 

Links

Download IIS 6.0 Resource Toolkit (includes SelfSSL utility) from Microsoft

Jason Faulkner is a developer and IT professional who never has a hot cup of coffee far away. Interact with him on Google+

  • Published 03/13/12

Comments (7)

  1. nova1

    thanks. another great article

  2. someone

    WTF? Exporting and importing the private key of the certificate in clients? Do you understand the concept of certificates and how to use them securely?

    If you follow this guide exactly, all your clients will have the private key and can therefore intercept and decrypt all traffic from anyone to your site.

  3. Unified

    Very good point indeed. I was looking for something like this and thank God I didn’t implement this. What would be the best solution then? Please explain here.

  4. Cody

    This would be perfect for “local” or development eBusiness enviornments that I configure for my companies Customer Services department. There have been numerous times that a base issue in the eBusiness application was triggered by only a site with a URL of https://… and yet, our local replicas of the clients production was http://… This is perfect!

  5. Jason Faulkner

    @someone – I fully understand the ramifications of this. You might want to make note that I was very clear to point out this is really only applicable to development and test environments and _not_ for production use. The cert is password protected so an untrusted source could not install it to begin with.

    @Unified – The solution for production deployment is to purchase a certificate from a trusted authority. You should never use a self-signed cert outside of limited and controlled environments.

  6. myron

    Thanks for giving more information about the How To Create a Self Signed Security (SSL) Certificate and Deploy it to Client Machines.

  7. M9

    As @someone mentioned, the private key should not be exported and transferred to the client machines. This should work by just exporting the public key instead.

Get Free Articles in Your Inbox!

Join 134,000 newsletter readers

Email:

Go check your email!