Internet Sellout

Demand Unearned Rewards

Self-Signed Certificates for IIS

Using expired certificates, or any certificate that throws up a warning the user has to click through, is inconvenient, but worse, it trains users to trust things that should not be trusted. A self-signed certificate only gets rid of the warning once it has been installed as trusted on every client, and even then it is not equivalent to a certificate issued by a real certificate authority: nothing vouches for the name in it except the person who installed it. IIS's own self-signed certificate feature only generates a certificate for the current machine name and gives no control over details like the expiration date. Instead we can use a tool that comes with Visual Studio (it is actually part of the Windows SDK): makecert.

Cool kids will probably be quite happy using OpenSSL; however, you may have a hangover at this very moment and not be quite that ambitious.

This command makes a self-signed TLS certificate for myserver.mydomain.com and puts it in the Local Machine / Personal store (my = Personal), which is where IIS looks for server certificates. You will probably want to generate the cert on a dev box, then use the Certificates MMC snap-in to export it together with its private key, copy the resulting .pfx to the box that will serve it, and import it there. Treat the .pfx like a password: it contains the private key, and anyone who gets hold of it can impersonate the server.

makecert -r -pe -n "CN=myserver.mydomain.com" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -len 2048

Notice the crazy long expiration date (-b and -e take mm/dd/yyyy). Two things this command leaves at makecert's defaults are worth knowing about: the signature hash is SHA-1 unless you add -a sha256, and the certificate has no subjectAltName, so the host name appears only in the CN; current browsers ignore the CN and refuse a certificate without a SAN, which makecert has no option to add. The -eku flag takes a comma-delimited list, so you can assign more than one purpose: -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.3 gives you server authentication and code signing in one cert. Keep them separate in practice, though; a key that lives on a web server should not also be able to sign code.

makecert is a utility that ships with the Windows SDK and is installed alongside Visual Studio; run it from the Visual Studio (Developer) command prompt, elevated, since it writes to the Local Machine store. Microsoft has since deprecated makecert in favor of the PowerShell cmdlet New-SelfSignedCertificate, which does the same job and can add a subjectAltName.
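The same certificate built with New-SelfSignedCertificate (PKI module, Windows 10 / Server 2016 or later), followed by the export and import the MMC steps above describe. This is an added example, not from the original post; the C:\certs output folder and the password prompt are assumptions, the cmdlet parameters and OIDs are the real ones.

```powershell
# Added example, not from the original post. PowerShell equivalent of the
# makecert string above, plus the export/import the post does with the MMC
# snap-in. Run from an elevated prompt: it writes to the Local Machine store.
# Assumptions: C:\certs as the output folder; the PFX password is prompted for.

$hostName = 'myserver.mydomain.com'
$outDir   = 'C:\certs'
New-Item -ItemType Directory -Force -Path $outDir | Out-Null

$params = @{
    Subject           = "CN=$hostName"
    DnsName           = $hostName                    # subjectAltName; browsers ignore the CN now
    CertStoreLocation = 'Cert:\LocalMachine\My'      # makecert: -ss my -sr localMachine
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048                         # makecert: -len 2048
    HashAlgorithm     = 'SHA256'                     # makecert defaults to SHA-1
    KeySpec           = 'KeyExchange'                # makecert: -sky exchange
    KeyExportPolicy   = 'Exportable'                 # makecert: -pe (private key may leave the box)
    NotBefore         = (Get-Date '2000-01-01')      # makecert: -b 01/01/2000
    NotAfter          = (Get-Date '2036-01-01')      # makecert: -e 01/01/2036
    # EKU extension (OID 2.5.29.37): server authentication + code signing, the post's -eku list
    TextExtension     = @('2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.3')
}
$cert = New-SelfSignedCertificate @params

# Sanity check: this is what IIS will find in the store.
$cert | Format-List Subject, DnsNameList, NotAfter, HasPrivateKey, EnhancedKeyUsageList, Thumbprint

# Export twice. The .pfx (private key inside) goes to the web server only; the
# .cer (public half) is what clients import into their trusted root store.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$outDir\$hostName.pfx" -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath "$outDir\$hostName.cer" | Out-Null

# On the target web server, after copying the .pfx over (same store IIS reads):
# Import-PfxCertificate -FilePath "C:\certs\$hostName.pfx" `
#     -CertStoreLocation 'Cert:\LocalMachine\My' -Password (Read-Host -AsSecureString)
```

Splatting the parameters through a hashtable is just so each one can carry the makecert flag it replaces; the cmdlet call itself is a one-liner.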

To make a browser trust this certificate, every client has to have the cert in its Trusted Root Certification Authorities store (the "do it twice" below also puts a copy in Personal, but the root store is the one that matters on the client; Personal is for the server that holds the private key). This is not acceptable for any publicly reachable site: you would be asking users to add a trust anchor by hand, which is exactly the habit the first paragraph warned about. The right uses are intranet and development situations.

For a computer to trust this certificate, in Internet Explorer:

Click the certificate error icon.

After clicking Certificate Error, click View certificates (not shown here), then Install Certificate. Do this twice: once letting the wizard pick the store automatically (it lands in Personal), and once choosing the store yourself and selecting Trusted Root Certification Authorities. The second install is the one that stops the warning, and Windows will ask you to confirm that you really want to trust a new root. Use the Local Machine stores (the wizard has to run elevated) if every user on the box should trust it, or Current User for just yourself.
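The scripted version of those clicks for a client that should trust the certificate, with a trust check before and after, as an added example rather than the post's own steps. It assumes the .cer exported from the server sits at C:\certs\myserver.mydomain.com.cer; the helper function name is made up for this example.

```powershell
# Added example, not from the original post: what the Install Certificate wizard
# does, scripted, plus a chain check before and after. Only the Trusted Root
# Certification Authorities store matters on the client.
# Assumptions: the exported public certificate is at the path below; the
# Test-ServerCertTrust function is invented here, not a built-in cmdlet.

$hostName = 'myserver.mydomain.com'
$cerPath  = "C:\certs\$hostName.cer"      # public half only, no private key inside
$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath

function Test-ServerCertTrust {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$HostName
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'     # a self-signed cert publishes no CRL/OCSP endpoint
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.1')  # server auth EKU
    $trusted = $chain.Build($Certificate)             # False with UntrustedRoot until the cert is in a Root store
    [pscustomobject]@{
        Trusted     = $trusted
        NameMatches = ($Certificate.DnsNameList.Unicode -contains $HostName)   # SAN check, like the browser
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

# Before: Trusted = False, ChainStatus = UntrustedRoot.
Test-ServerCertTrust -Certificate $cert -HostName $hostName

# Install the trust anchor. LocalMachine\Root needs an elevated prompt and trusts it
# for every user on the box; use Cert:\CurrentUser\Root to trust it for yourself only.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# After: Trusted = True, NameMatches = True, ChainStatus empty.
Test-ServerCertTrust -Certificate $cert -HostName $hostName

# A 36-year trust anchor should not outlive the project it was made for. When done:
# Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint | Remove-Item
```

Building the chain yourself rather than trusting the browser's green padlock shows exactly which status flag (UntrustedRoot, NotTimeValid, and so on) a client would trip over, which is what you want when the cert is being rolled out to several machines.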
