Creating self signed certificates for IIS

If you want to secure web data transmission for your own personal use, then self signed certificates are the way to go. Unlike the certificates offered to businesses by 3rd party providers such as Verisign, which can cost up to $1500 a year, self signed certificates have zero financial cost using free tools. This makes them good candidates for securing your personal webmail system, or the login page for your CMS. In this guide we'll discuss three methods you can use to create your own self signed certificates for use with IIS 6 & IIS 7.

The myth about self signed certificates

I've read some blogs around the net suggesting that self signed certificates are the undoing of web based security. While they do make some good arguments, I feel they are clouding the waters somewhat with these claims, as there are two very separate issues when it comes to SSL certificates: trust and security. These are not interchangeable, no matter what anybody tells you.

The certificate itself is what performs the data encryption and provides the security. Self signed certificates can be every bit as secure as the certificates provided by 3rd parties. The trust portion comes before the certificate is used, and is what the 3rd party provider is responsible for. This basically entails the 3rd party confirming that you are who you claim to be, sort of like an independent umpire.

The criticism of self signed certificates (and rightly so) is when online businesses use them instead of getting a 3rd party certificate. Dealing with a business that secures its data using a self signed certificate is the equivalent of buying goods off somebody in an alley out of the back of a truck. There is no way the user can verify they are who they say they are, and without the backing of a reputable 3rd party certificate authority the risk of being ripped off greatly increases.

IIS and Certificate management

In IIS 6 you could generate certificate requests, however you still needed a certificate authority to process them. This was often done using the Certificate Authority service in 2003 configured as a stand alone root Certificate Authority so you didn't have to install Active Directory. IIS 7 no longer allows you to install a Certificate Authority without installing Active Directory, however it has made a bit of a leap when it comes to certificate management as on top of being able to create certificate requests it also now facilitates the creation of self signed certificates with a few clicks of a button from right inside the GUI.

Unfortunately I feel this implementation falls a little short of the mark, as the only certificate value the wizard allows you to set is the friendly name. At a minimum it would have been good to be able to set the common name value, as this is what is matched against the domain of your website. A mismatch here will cause your web browser to warn you that the certificate in use is for a different website, which is probably a bigger issue than the certificate not coming from a trusted authority.

Creating your self signed certificates

In this guide we'll be using SelfSSL and SSLDiag which are both command line based tools from Microsoft. Please note you will need to install IIS 6 metabase compatibility on IIS 7 for these tools to work.

SelfSSL

SelfSSL is included in the IIS 6 resource kit. There are several command line options for this tool, however in general you will only need to use three. Let's take a look:

SelfSSL.exe /N:CN=secure.example.com /V:365 /S:2

This command creates a certificate for use with a domain called secure.example.com as given in the /N switch, with a validity period of 365 days as per the /V switch, and finally installs it into IIS for the site with ID 2 as per the /S switch. Some things to keep in mind:

  • When using the /N switch be sure to use only the FQDN of the site you want to create a certificate for. For instance, if your webmail is located at secure.example.com/webmail you would still just use secure.example.com with the /N switch.
  • Set the /V switch to the number of days you would like your certificate to be valid for before you have to create a new one.
  • The /S switch specifies which site in IIS the certificate should be installed into. This is done using the site ID value, which you can obtain from your IIS manager.

There is a catch with SelfSSL though. Unfortunately there is a long standing bug in the program that only allows one website to have SSL at a time. There is a workaround which I've had success with:

  1. Create certificate for first site
  2. Export the certificate to a pfx file (IIS->directory security->server certificate wizard)
  3. Create certificate for second site. First site's certificate should no longer work
  4. Repeat steps 2 & 3 for each subsequent site, otherwise continue to step 5
  5. Remove certificate from first site
  6. Import pfx from step 2 using same wizard

This method is still quite clunky and in all honesty I would suggest not even looking twice at SelfSSL if you are using IIS 6 as SSLDiag is a much better tool.

SSLDiag

SSLDiag is included in the IIS Diagnostics Toolkit and is the recommended replacement for SelfSSL for creating self signed certificates, as it does not have the bug mentioned above.

SSLDiag.exe /s:2 /selfssl /n:CN=secure.example.com /v:365

With the exception of the /selfssl switch, which instructs SSLDiag to self sign the certificate it is producing, all the other switches are identical to those of SelfSSL explained above.

There is also a small catch with SSLDiag. If you are using IIS 7, SSLDiag will not create the https binding for your site like SelfSSL does. This is the only advantage SelfSSL has over SSLDiag as far as I can see, which in reality isn't sufficient in my view to justify using a known buggy tool. All you have to do when using SSLDiag is manually create the binding and attach the correct certificate in your IIS 7 manager.
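The following PowerShell script is an added example, not part of the original article or of the SelfSSL/SSLDiag tools. It reproduces the three switches explained under SelfSSL (CN set to the FQDN, validity in days, IIS site ID) and then creates the https binding that SSLDiag leaves out on IIS 7. It assumes a newer Windows Server with the PKI module's New-SelfSignedCertificate (including its -NotAfter parameter) and the WebAdministration module; secure.example.com and site ID 2 are the article's example values.

```powershell
# Added example: scripted equivalent of "SelfSSL.exe /N:CN=secure.example.com /V:365 /S:2"
# plus the https binding SSLDiag does not create on IIS 7. Requires the PKI and
# WebAdministration modules (assumption: Windows Server 2016 or later).
Import-Module WebAdministration

$hostName  = 'secure.example.com'   # FQDN only, as with /N (no /webmail path)
$validDays = 365                    # equivalent of /V:365
$siteId    = 2                      # equivalent of /S:2

# 1. Create the certificate with the CN set to the site's FQDN, which the
#    IIS 7 wizard cannot do (it only lets you set the friendly name).
$cert = New-SelfSignedCertificate -DnsName $hostName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -NotAfter (Get-Date).AddDays($validDays) `
    -FriendlyName "Self-signed $hostName"

# 2. Resolve the site by its IIS site ID, the value the /S switch takes.
$site = Get-Website | Where-Object { $_.id -eq $siteId }
if (-not $site) { throw "No IIS site with ID $siteId" }

# 3. Create the https binding if it does not already exist.
$existing = Get-WebBinding -Name $site.Name -Protocol https -Port 443 -HostHeader $hostName
if (-not $existing) {
    New-WebBinding -Name $site.Name -Protocol https -Port 443 -HostHeader $hostName
}

# 4. Attach the certificate to port 443 on all IPv4 addresses (replacing any
#    previous certificate on that binding).
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" | New-Item $sslPath | Out-Null

# 5. Read the installed certificate back and show the two values the article
#    says cause browser warnings when wrong: the CN and the expiry date.
$installed = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
"Subject: $($installed.Subject)  Expires: $($installed.NotAfter)"
```

Because the binding is created per host header, repeating the script with a different FQDN and site ID adds a second secured site without the one-site-at-a-time limitation described for SelfSSL.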

All done!

Hopefully you should now have an idea of how you can go about creating yourself a self signed certificate to use on your IIS server for your personal use. If you are looking to create a certificate for use in an environment where people unknown to you personally will be using it, then it is very highly recommended you get a certificate from a trusted certificate authority. If you have any comments or suggestions regarding this article, please post below. If you require further assistance creating your own self signed certificates please create a new thread in the forums.


Comments


Thank you, but ...

Thank you for all your wonderful tutorials. :)

This one worked nicely.

I made the bindings for https but how can I prevent a http: binding from my shop folder?

Are there any more articles on this? :)

regards
geiri


Configure IIS to require secure connection

Once you have your certificate in place you'll be able to configure IIS to require a secure connection. This will result in anyone trying to connect via http rather than https to get a 403.3 error in their browser. Along with doing this you may also want to look at this article which describes three methods to redirect http to https which will enable you to more or less transparently have users redirected to your secure connection.

----------------
Dominic Ryan
5 x Microsoft IIS MVP, MCSE, MCSA
IIS Aid owner/webmaster
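As an added example (not from the reply above or from IIS Aid), this PowerShell snippet applies the "require secure connection" setting to a single folder such as the commenter's shop folder, so plain http requests to it receive the 403.3 error mentioned, and then reads the setting back. It assumes the WebAdministration module; the site and folder names are placeholders.

```powershell
# Added example: require SSL on one folder of a site and confirm the setting.
# Assumes the WebAdministration module; site/folder names are placeholders.
Import-Module WebAdministration

function Set-RequireSsl {
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [string] $Folder = ''    # empty string applies the setting to the whole site
    )
    $psPath = "IIS:\Sites\$SiteName"
    if ($Folder) { $psPath = "$psPath\$Folder" }

    # sslFlags 'Ssl' is the "Require SSL" checkbox; http requests now get 403.3.
    Set-WebConfigurationProperty -PSPath $psPath `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

    # Read the effective value back from the folder's configuration to confirm.
    $access = Get-WebConfiguration -PSPath $psPath -Filter 'system.webServer/security/access'
    return $access.sslFlags
}

# Example usage for the commenter's case: the shop folder under the default site.
Set-RequireSsl -SiteName 'Default Web Site' -Folder 'shop'   # returns "Ssl"
```

The http binding itself stays in place, which is what lets a separate http-to-https redirect (as described in the linked article) still answer on port 80.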


SSL for mails ....

Hi,

I need SSL only for setting up my mail server (SmarterMail). When I tried to set SmarterMail to work via SSL it asked for a .pfx file. Can I use this method to make an SSL cert and use it to set up the mail server?

Regards.


should work fine

I've not tried it, but there should be no reason why not.

----------------
Dominic Ryan
6 x Microsoft IIS MVP, MCSE, MCSA
IIS Aid owner/webmaster


Interesting Problem

I have this situation where I added an SSL certificate for my friend's website, and now every https request to my server resolves to his site. There are about 100 domains hosted on the box, and self signing each domain is not really what I wanted to do.

How can I make sure that domains which don't have HTTPS don't show anything?