Geeks With Blogs
Jim Becher blog

Self signing SSL for IIS

Many people have emailed me asking how to set up SSL on their development environment or internal sites without paying for a certificate. Here are the steps to secure your local IIS server (Windows 2003) with a self-signed SSL certificate.

You will need to download the IIS 6.0 Resource kit from Microsoft - http://www.microsoft.com/downloads/thankyou.aspx?familyId=56FC92EE-A71A-4C73-B628-ADE629C89499&displayLang=en

Install just SelfSSL (or everything, if you want to use the rest of the resource kit)

Download the resource kit. Execute iis60rkt.exe and select Next on the welcome page. You will have to agree to the license. Select Next, then select the Custom install option to install just the SelfSSL 1.0 program.

Select your directory; for this example I will just use the default, C:\program files\iis resources\, and I am only selecting the SelfSSL option.

Select next to install and finish when it is done.

Install should be complete.

Create Certificate

We will now create a certificate. Open a command (DOS) window: Start | Run | cmd. Change directory to the location where you installed the resource kit. I chose the default location, c:\program files\iis resources. To do this, type "cd c:\program files\iis resources\selfssl" in the command window.

Once in the resource kit directory you can use the selfssl.exe program to create a certificate. If you run "selfssl.exe /?" you will see all the options available.

We will be using a few options to give our certificate an FQDN (fully qualified domain name) [/N:CN] and the correct site ID [/S].

Before we can run the command and install the certificate, we need to find the site ID of the particular IIS site that we want the SSL certificate bound to. If you are running only one site on the server and it is the default site, you can use the /S:1 (default site) option. I typically turn off the default site on my servers for security reasons and have more than one site running. There are a few ways to find an IIS site ID. I prefer the simple route of viewing the logging properties for that site.

In this example I will be creating an SSL certificate for the IIS web site (somedomain.com). You can see the site in the image of my IIS Manager screen.

To find the site ID for this particular site (somedomain.com), right-click the site and select Properties. In the site properties window, under the "Web Site" tab, select the logging Properties button.

This will open the logging properties window. On this window the log file name includes the site ID.

In this example the site ID we are going to be working with is 1341291934. The log file name includes the site ID after the leading W3SVC.

We now go back to our command window and run the selfssl executable with the following command.

Selfssl.exe /T /N:CN=somedomain.com /S:1341291934

This command will create a certificate with the following options:
/T = adds the certificate to the local machine's trusted certificates list
/N:CN = the fully qualified domain name used for the site (somedomain.com); this would be your site name, e.g. www.yourintranet.com
/S:1341291934 = the site ID (you got this from the log file name in IIS); 1 = the default site

You have now created an SSL certificate for the site ID you have chosen, and you can view the site properties to see that your certificate will listen on port 443 (SSL).
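
Once the certificate is bound, it is worth checking what the site actually serves: the comments below report the short default lifetime, and the subject name has to match the host name given to /N:CN. The following PowerShell script is an added example, not part of the original post or the resource kit; it assumes PowerShell 3.0 or later on a machine that can reach the site, and the function names, defaults and the $WarnDays threshold are illustrative.

```powershell
# Added example: inspect the certificate an HTTPS site actually serves.
# Defaults use the article's example host; $WarnDays is an arbitrary threshold.
param(
    [string]$HostName = 'somedomain.com',
    [int]$Port = 443,
    [int]$WarnDays = 30
)

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any chain here: the goal is to read the certificate, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            # Copy the certificate so it stays usable after the stream is disposed.
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }
}

function Test-ServedCertificate {
    param($Cert, [string]$HostName, [int]$WarnDays)
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn       = $Cert.GetNameInfo($nameType, $false)    # subject CN, as set by /N:CN=
    $daysLeft = [int][math]::Floor(($Cert.NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{
        Subject     = $Cert.Subject
        NotAfter    = $Cert.NotAfter
        DaysLeft    = $daysLeft
        SelfSigned  = ($Cert.Subject -eq $Cert.Issuer)
        NameMatches = ($cn -ieq $HostName)              # exact CN match only; SANs and wildcards not checked
        ExpiresSoon = ($daysLeft -lt $WarnDays)
        Thumbprint  = $Cert.Thumbprint
    }
}

$cert = Get-ServedCertificate -HostName $HostName -Port $Port
Test-ServedCertificate -Cert $cert -HostName $HostName -WarnDays $WarnDays | Format-List
```

A certificate created with the command above and no /V option should show a small DaysLeft value and ExpiresSoon = True, which is the cue to reissue it with a longer validity before clients start failing.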

This is a simple and quick way to use SSL and encryption on your local sites and intranets.  I would not recommend using this method to secure a production server or a server on the Internet.  Please use a purchased signed SSL certificate.

Posted on Sunday, February 11, 2007 12:05 AM


Comments on this post: Self Signing SSL for IIS

# re: Self Signing SSL for IIS
Great article. I always find it hard to remember all of those steps.


If you are interested, a while back I wrote an article about using web services with self signed certificates.

Just check out: http://geekswithblogs.net/jwhitehorn/archive/2006/09/20/91657.aspx
Left by Jason Whitehorn on Feb 11, 2007 10:49 AM

# re: Self Signing SSL for IIS
Jason,
great link. I always forget that using web services can be just as simple as a regular IIS site. I will have to add that link onto my post.
jim
Left by Jim Becher on Feb 12, 2007 7:02 AM

# re: Self Signing SSL for IIS
I too discovered this and I can now access my home SharePoint site securely.

Unfortunately, selfssl only allows you to use the cert for one IIS web site. Bummer, since I have two other sites that I'd prefer to run as SSL.

Any thoughts on overcoming this limitation?

-Scott
Left by Scott on Aug 30, 2007 9:59 PM

# re: Self Signing SSL for IIS
Scott
I seem to remember a post a while back when doing some Sharepoint work
http://mcmsfaq.com/cs2/blogs/adrian_spear/archive/2007/03/07/205.aspx

One discovered technique:
Use self ssl to install cert on the first site (site id1)
Export it to a .pfx file (default export option)
Install the cert in the second site (import)
Remove the cert from the first site (site id1)
Re-Import the cert to the first site using the .pfx file

It may be worth your time to look at a free cert vendor
cacert.org is a great one I use that will generate a cert for the URL.

Thanks
Left by Jim Becher on Sep 04, 2007 9:18 AM

# re: Self Signing SSL for IIS
I did this on our development server and it seems to work fine when accessing pages on the development server.
However, if I try to connect to the website from my machine across the network I get a "cannot access the page" error with no details to it.
Is this correct? Will self signed certificates only work local to the machine?
If not any ideas why it might not?
Left by Bob Ross on Nov 28, 2007 5:03 AM

# re: Self Signing SSL for IIS
Dear sir,

This is a great link. I followed all your steps and I was able to apply self sign-in on our production server.
Sir, I have 2 queries; hope you will find time to answer me.

que 1:

You told you will not recommend using this method to secure a production server or a server on the Internet, and also requested to use a purchased signed SSL certificate??

que 2:

Is this self sign-in resource kit a trial version?? This self sign-in certificate is valid only for a week's time. Please tell me how to extend the validity of this self sign-in certificate??

I will be so glad if you answer me as early as possible.

Thanks & Regards

Neelesh M Shetkar
M:+91-9971405656
Left by Neelesh M Shetkar on Jan 11, 2008 12:18 AM

# re: Self Signing SSL for IIS
Self signing certificates will work on remote machines; your browser will just not trust the signer. I have seen where the machine, if not set up properly, will not resolve the name or provide SSL (port 443) to remote machines. This would be caused if the IIS server did not allow for host headers and the server name was used.
Left by Jim Becher on Feb 11, 2008 11:11 PM

# re: Self Signing SSL for IIS
I need some help.

I installed the certificate successfully to my extranet.domain.com site

When I type in extranet.domain.com it takes me to the unsecure extranet.domain.com instead of https://extranet.domain.com

I even typed in https://extranet.domain.com taken to unsecured site

I have both the alternate mappings and the DNS server configured with the correct entries.

What could be the problem?

Left by Joseph Bulter on Sep 16, 2008 12:42 PM

# re: Self Signing SSL for IIS
Sir, a good article.

I successfully installed a certificate with the default settings. After the 7 days, I realized that the ssl was no longer working... so I reinstalled with a greater number of days.

I have been unable to get this to work. I have checked everything that I know to check. The logs show nothing (just like the site isn't running). The non-ssl works perfectly. What could possibly be the problem?

Windows XP Pro
Left by Don on Oct 31, 2008 8:54 AM

# re: Self Signing SSL for IIS
A very useful and handy piece of information. Thank you!!
Left by Avinash on Jan 06, 2010 9:51 AM

# re: Self Signing SSL for IIS
Selfssl.exe /T /N:CN=somedomain.com /S:1341291934 /V:9999
to avoid expiring in 7 days
Left by .NetGuy on Apr 19, 2010 10:22 AM

# re: Self Signing SSL for IIS
As already mentioned above, use the /V option to set the number of days, i.e. /V:365 would be 1 year (365 days) until the certificate expires.

Selfssl defaults to one week (7 days) without the /V option being set. Your certificate will expire in one week by default.
Left by Jon on Aug 31, 2010 1:36 AM
