Creating self signed certificates for IIS
If you are wanting to secure web data transmission for your own personal use, then self signed certificates are the way to go. Unlike the certificates offered to businesses by 3rd party providers such as Verisign that can cost up to $1500 a year, self signed certificates have zero financial cost using free tools. This making them good candidates for securing your personal webmail system, or the login page for your CMS. In this guide we'll discuss three methods you can use to create your own self signed certificates for use with IIS 6 & IIS 7.
The myth about self signed certificates
I've read some blogs around the net suggesting that self signed certificates are the undoing of web based security. Why they do make some good arguments I feel they are clouding the waters somewhat with these claims as there are two very separate issues when it comes to SSL certificates. Trust and security. These are not interchangeable, no matter what anybody tells you.
The certificate itself is what performs the data encryption and provides the security. Self signed certificates can be every bit as secure as the certificates provided by 3rd parties. The trust portion comes before the certificate is used, and is what the 3rd party provider is responsible for. This basically entails the 3rd party confirming that you are who you claim to be, sort of like an independent umpire.
The criticism of self signed certificates (and rightly so) is when online businesses use them instead of getting a 3rd party certificate. Dealing with a business who secure their data using a self signed certificate is the equivalent of buying goods off somebody in an alley out of the back of a truck. There is no way the user can verify they are who they say they are, and without the backing of a reputable 3rd party certificate authority the risk of being ripped off greatly increases.
IIS and Certificate management
In IIS 6 you could generate certificate requests, however you still needed a certificate authority to process them. This was often done using the Certificate Authority service in 2003 configured as a stand alone root Certificate Authority so you didn't have to install Active Directory. IIS 7 no longer allows you to install a Certificate Authority without installing Active Directory, however it has made a bit of a leap when it comes to certificate management as on top of being able to create certificate requests it also now facilitates the creation of self signed certificates with a few clicks of a button from right inside the GUI.
Unfortunately I feel this implementation is probably a little short of the mark as the only certificate value the wizard allows you to set is the friendly name. At a minimum it would have been good to be able to set the common name value as this is what matches the domain of your website, and a mismatch here will cause your web browser to give you warning messages about the certificate in use being for a different website which is probably a bigger issue than the certificate not coming from a trusted authority.
Creating your self signed certificates
In this guide we'll be using SelfSSL and SSLDiag which are both command line based tools from Microsoft. Please note you will need to install IIS 6 metabase compatibility on IIS 7 for these tools to work.
SelfSSL is included in the IIS 6 resource kit and there are several command line options for this tool, however in general you will only need to use three. Lets take a look;
SelfSSL.exe /N:CN=secure.example.com /V:365 /S:2
This command creates a certificate for use with a domain called secure.example.com as seen in the
/N switch, with a validity period of 365 days as per the
/V switch, and is finally implemented into IIS with the site ID of 2 as per the
/S switch. Some things to keep in mind;
- When using the
/Nswitch be sure only to use the FQDN of the site you are wanting to create a certificate for. For instance if your webmail is located at secure.example.com/webmail you would still just use secure.example.com with the
- Set the
/Vswitch to the number of days you would like your certificate to be valid for before having to create a new certificate.
- The /S switch specifies which site in IIS the certificate should be installed into. This is done by using the site ID value which you can obtain from your IIS manager
There is a catch with SelfSSL though. Unfortunately there is a long standing bug in the program that only allows one website to have SSL at a time. There is a workaround though which I've had success with;
- Create certificate for first site
- Export the certificate to a pfx file (IIS->directory security->server certificate wizard)
- Create certificate for second site. First site's certificate should no longer work
- Repeat steps 2 & 3 for each subsequent site, otherwise continue to step 5
- Remove certificate from first site
- Import pfx from step 2 using same wizard
This method is still quite clunky and in all honesty I would suggest not even looking twice at SelfSSL if you are using IIS 6 as SSLDiag is a much better tool.
SSLDiag is included in the IIS Diagnostics Toolkit and is the recommended replacement for SelfSSL for creating self signed certificates as it does not have the bug as mentioned above.
SSLDiag.exe /s:2 /selfssl /n:CN=secure.example.com /v:365
With the exception of the
/selfssl switch which instructs SSLDiag to sign the certificate it is producing, all the other switches are identical to SelfSSL which are explained above.
There is also a small catch with SSLDiag. If you are using IIS 7, SSLDiag will not create the https bindings for your site like SelfSSL does. This is the only advantage SelfSSL has over SSLDiag as far as I can see, which in reality isn't sufficient in my view to use a known buggy tool. All you have to do when using SSLDiag is manually create the bindings and link the correct certificate in your IIS 7 manager.
Hopefully you should now have an idea of how you can go about creating yourself a self signed certificate to use on your IIS server for your personal use. If you are looking to create a certificate for use in an environment where people unknown to you personally will be using it, then it is very highly recommended you get a certificate from a trusted certificate authority. If you have any comments or suggestions regarding this article, please post below. If you require further assistance creating your own self signed certificates please create a new thread in the forums.