Easy Windows Self Signed SSL Certificates

(Shamelessly based on this other blog!)

(Oh and if you have no idea what SSL is the read up on it here!)

This option does NOT apply if you want to use an SSL certificate which is automatically trusted by users outside your control (i.e. on a website used by clients / the general public). In this case you should buy one from the likes of GoDaddy which costs from around £20 / $30 upward.

However, if you want to secure web data transmission for your own personal / internal corporate use, then self signed certificates are the free, simple, instant & effective option. This guide discusses a couple of methods you can use to create your own self signed certificates for use with IIS 6 & / or IIS 7.

Creating your SSL self signed certificates

In this guide we’ll be using SelfSSL and SSLDiag which are both command line based tools from Microsoft.

(Please note you will need to install IIS 6 metabase compatibility on IIS 7 for these tools to work.)

SelfSSL

SelfSSL is included in the IIS 6 Resource Kit and there are several command line options for this tool (Which is installed into “C:\Program Files\IIS Resources\”), however in general you will only need to use three. Lets take a look;

SelfSSL.exe /N:CN=secure.example.com /V:365 /S:2

This command creates a certificate for use with a domain called secure.example.com as seen in the /N switch, with a validity period of 365 days as per the /V switch, and is finally implemented into IIS with the site ID of 2 as per the /S switch. Some things to keep in mind;

  • When using the /N switch be sure only to use the FQDN of the site you are wanting to create a certificate for. For instance if your webmail is located at secure.example.com/webmail you would still just use secure.example.com with the /N swtich.
  • Set the /V switch to the number of days you would like your certificate to be valid for before having to create a new certificate. Bigger is better in this case, 10 years is “3650” of course.
  • The /S switch specifies which site in IIS the certificate should be installed into. This is done by using the site ID value which you can obtain from your IIS manager. (Check this in “IIS Manager” -> “SERVER” -> “Web Sites”, & look for the number in the “Identifier” column).

Unfortunately there’s a catch with SelfSSL. There is a long standing bug in the program that only allows one website to have SSL at a time. There is a workaround though if you need multiple SSL sites / certificates;

1. Create certificate for first site.
2. Export the certificate to a pfx file (IIS->directory security->server certificate wizard).
3. Create certificate for second site. First site’s certificate should no longer work.
4. Repeat steps 2 & 3 for each subsequent site, otherwise continue to step 5.
5. Remove certificate from first site.
6. Import pfx from step 2 using same wizard.

This method is still quite clunky and in all honesty I would suggest not even looking twice at SelfSSL if you are using IIS 6 as SSLDiag is a much better tool.

SSLDiag

SSLDiag is included in Microsoft’s IIS Diagnostics Toolkit and is the recommended replacement for SelfSSL for creating self signed certificates as it does not have the bug mentioned above.

SSLDiag.exe /s:2 /selfssl /n:CN=secure.example.com /v:365

With the exception of the /selfssl switch which instructs SSLDiag to sign the certificate it is producing, all the other switches are identical to SelfSSL which are explained above.

There is also a small catch with SSLDiag. If you are using IIS 7, SSLDiag will not create the https bindings for your site like SelfSSL does. This is the only disadvantage of SSLDiag, which in reality isn’t sufficient to use a known buggy tool. All you have to do when using SSLDiag is manually create the bindings and link the correct certificate in your IIS 7 manager.

e myth about self signed certificates

I’ve read some blogs around the net suggesting that self signed certificates are the undoing of web based security. Why they do make some good arguments I feel they are clouding the waters somewhat with these claims as there are two very separate issues when it comes to SSL certificates. Trust and security. These are not interchangeable, no matter what anybody tells you.

The certificate itself is what performs the data encryption and provides the security. Self signed certificates can be every bit as secure as the certificates provided by 3rd parties. The trust portion comes before the certificate is used, and is what the 3rd party provider is responsible for. This basically entails the 3rd party confirming that you are who you claim to be, sort of like an independent umpire.

The criticism of self signed certificates (and rightly so) is when online businesses use them instead of getting a 3rd party certificate. Dealing with a business who secure their data using a self signed certificate is the equivalent of buying goods off somebody in an alley out of the back of a truck. There is no way the user can verify they are who they say they are, and without the backing of a reputable 3rd party certificate authority the risk of being ripped off greatly increases.

IIS and Certificate management

In IIS 6 you could generate certificate requests, however you still needed a certificate authority to process them. This was often done using the Certificate Authority service in 2003 configured as a stand alone root Certificate Authority so you didn’t have to install Active Directory. IIS 7 no longer allows you to install a Certificate Authority without installing Active Directory, however it has made a bit of a leap when it comes to certificate management as on top of being able to create certificate requests it also now facilitates the creation of self signed certificates with a few clicks of a button from right inside the GUI.

Unfortunately I feel this implementation is probably a little short of the mark as the only certificate value the wizard allows you to set is the friendly name. At a minimum it would have been good to be able to set the common name value as this is what matches the domain of your website, and a mismatch here will cause your web browser to give you warning messages about the certificate in use being for a different website which is probably a bigger issue than the certificate not coming from a trusted authority.

Creating your self signed certificates

In this guide we’ll be using SelfSSL and SSLDiag which are both command line based tools from Microsoft. Please note you will need to install IIS 6 metabase compatibility on IIS 7 for these tools to work.

SelfSSL

SelfSSL is included in the IIS 6 resource kit and there are several command line options for this tool, however in general you will only need to use three. Lets take a look;

SelfSSL.exe /N:CN=secure.example.com /V:365 /S:2

This command creates a certificate for use with a domain called secure.example.com as seen in the /N switch, with a validity period of 365 days as per the /V switch, and is finally implemented into IIS with the site ID of 2 as per the /S switch. Some things to keep in mind;

  • When using the /N switch be sure only to use the FQDN of the site you are wanting to create a certificate for. For instance if your webmail is located at secure.example.com/webmail you would still just use secure.example.com with the /N swtich.
  • Set the /V switch to the number of days you would like your certificate to be valid for before having to create a new certificate.
  • The /S switch specifies which site in IIS the certificate should be installed into. This is done by using the site ID value which you can obtain from your IIS manager

There is a catch with SelfSSL though. Unfortunately there is a long standing bug in the program that only allows one website to have SSL at a time. There is a workaround though which I’ve had success with;

  1. Create certificate for first site
  2. Export the certificate to a pfx file (IIS->directory security->server certificate wizard)
  3. Create certificate for second site. First site’s certificate should no longer work
  4. Repeat steps 2 & 3 for each subsequent site, otherwise continue to step 5
  5. Remove certificate from first site
  6. Import pfx from step 2 using same wizard

This method is still quite clunky and in all honesty I would suggest not even looking twice at SelfSSL if you are using IIS 6 as SSLDiag is a much better tool.

SSLDiag

SSLDiag is included in the IIS Diagnostics Toolkit and is the recommended replacement for SelfSSL for creating self signed certificates as it does not have the bug as mentioned above.

SSLDiag.exe /s:2 /selfssl /n:CN=secure.example.com /v:365

With the exception of the /selfssl switch which instructs SSLDiag to sign the certificate it is producing, all the other switches are identical to SelfSSL which are explained above.

There is also a small catch with SSLDiag. If you are using IIS 7, SSLDiag will not create the https bindings for your site like SelfSSL does. This is the only advantage SelfSSL has over SSLDiag as far as I can see, which in reality isn’t sufficient in my view to use a known buggy tool. All you have to do when using SSLDiag is manually create the bindings and link the correct certificate in your IIS 7 manager.

All done!

Hopefully you should now have an idea of how you can go about creating yourself a self signed certificate to use on your IIS server for your personal use. If you are looking to create a certificate for use in an environment where people unknown to you personally will be using it, then it is very highly recommended you get a certificate from a trusted certificate authority. If you have any comments or suggestions regarding this article, please post below. If you require further assistance creating your own self signed certificates please create a new thread in the forums.

One Comment

  1. Great post!

    Thanks for the detailed information about
    Easy Windows Self Signed SSL Certificates..

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.