Self-Signed IIS SSL Certificates using OpenSSL
This is being re-posted as a blog entry so that folks can leave comments…I had a great note by email today with additional information that folks may find useful, so I figured this would make it easier to add information.
UPDATE 3/5/2004: Re-posted (yet again) in the new blogging system to allow for live comments. The old URL still works (for now), but will very soon be modified as a redirect page, and the old comments will be split out to a separate page.
UPDATE 7/3/2009: New URL due to a move to WordPress as my blogging platform, but a redirect is in place for older links.
This tutorial assumes that you have a Linux box with OpenSSL installed, and that you want to create a self-signed certificate for IIS 5.0.
1) Set up your CA (you only have to do this once)
ON THE LINUX BOX…
- Create a private key
openssl genrsa -des3 -out CA.key 1024
(You’ll need to supply a passphrase. DON’T FORGET THIS!!)
- Set this to read-only for root for security
chmod 400 CA.key
- Create the CA certificate
openssl req -new -key CA.key -x509 -days 1095 -out CA.crt
(Provide appropriate responses to the prompts…for Common Name, you might want to use something like “OurCompany CA”)
- Set the certificate to read-only for root for security
chmod 400 CA.crt
2) Obtain a CSR
ON THE IIS BOX…
- Open the Internet Manager
- Select the site for which you want to create a key
- Right-click and choose Properties
- Select the “Directory Security” tab
- Click the “Server Certificate” button
- Follow the prompts to create a CSR
- Save your CSR, then transfer it to the Linux box for further processing.
(For the following steps, we’ll refer to your CSR as “new.csr”)
3) Sign the CSR
ON THE LINUX BOX…
- Sign the CSR (all of this on one line)
openssl x509 -req -days 365 -in new.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out new.crt
- Transfer the new.crt file back to the IIS box
4) Install self-signed certificate
ON THE IIS BOX…
- Open the Internet Manager
- Select the site to install the key
- Right-click and choose Properties
- Select the “Directory Security” tab
- Click the “Server Certificate” button
- Specify that you want to complete the pending request
- Select the .crt file that you just transferred
That’s it!
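The Linux-box steps (1 and 3) as a non-interactive script, plus a check that the signed certificate really chains up to CA.crt, which is the certification-path problem several commenters below ran into; this is an added example, not part of the original post. It stands in for the CSR that IIS would generate with one made by openssl, uses 2048-bit keys rather than the post’s 1024, and the passphrase, subject names and hostname are all constructed.

```shell
#!/bin/sh
# Added example (not from the original post): tutorial steps 1 and 3 done
# non-interactively, plus a check that new.crt really chains to CA.crt.
# Assumptions: the IIS-generated CSR is stood in for by an openssl one; the
# passphrase, names and hostname are constructed; keys are 2048-bit, not 1024.
set -eu

PASS='pass:changeit'   # constructed passphrase; the post prompts for it

# Step 1: passphrase-protected CA key and self-signed CA certificate.
make_ca() {
    dir="$1"
    openssl genrsa -des3 -passout "$PASS" -out "$dir/CA.key" 2048 2>/dev/null
    chmod 400 "$dir/CA.key"
    openssl req -new -key "$dir/CA.key" -passin "$PASS" -x509 -days 1095 \
        -subj '/O=OurCompany/CN=OurCompany CA' -out "$dir/CA.crt"
    chmod 400 "$dir/CA.crt"
}

# Step 2 stand-in for IIS: server key plus CSR. The CN must be the name
# clients type into the browser, or IE and ESM report a name mismatch.
make_csr() {
    dir="$1"; host="$2"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/new.key" \
        -subj "/O=OurCompany/CN=$host" -out "$dir/new.csr" 2>/dev/null
}

# Step 3: the post's one-line signing command.
sign_csr() {
    dir="$1"
    openssl x509 -req -days 365 -in "$dir/new.csr" -CA "$dir/CA.crt" \
        -CAkey "$dir/CA.key" -passin "$PASS" -CAcreateserial \
        -out "$dir/new.crt" 2>/dev/null
}

# Returns 0 only if new.crt validates with CA.crt as the trusted root.
verify_chain() {
    openssl verify -CAfile "$1/CA.crt" "$1/new.crt" >/dev/null
}

# Issuer of a certificate; for a CA-signed cert this is the CA, not the host.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# Stand-alone run in a scratch directory.
d=$(mktemp -d)
make_ca "$d"; make_csr "$d" www.example.test; sign_csr "$d"
verify_chain "$d" && echo "new.crt issued by: $(issuer_of "$d/new.crt")"
```

If “Issued to” and “Issued by” come out identical, the CSR was signed with the wrong key or the wrong CA file; the verify step above fails in exactly that case.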
Now…here’s the updated info, with special thanks to David MacKenzie:
David’s comments: I found your instructions for creating a self-signed cert for IIS using OpenSSL invaluable–thanks! (I found them by google.) There’s one subtlety I’d like to suggest you add to them. If the IIS server is Outlook Web Access for an Exchange server, then installing the SSL cert breaks Public Folders administration from the Exchange System Manager MMC console. ESM complains that the cert isn’t connected to a recognized authority, and if you fix that, it complains that the system name is wrong. After more googling, I found an answer that worked for me, shown below as additional steps for your check list. I’m using Windows 2000 SP3 and Exchange 2000 SP3.
- If the IIS server is running Outlook Web Access for Exchange, make ourselves recognized as a CA
ON THE IIS BOX…
- Open Internet Explorer
- Tools>Internet Options
- Content tab
- Certificates
- Import
- Next
- Browse
- Files of type: X.509 Certificate (*.cer, *.crt)
- Select CA.crt
- Open
- Next
- Next
- Finish
- If the IIS server is running Outlook Web Access for Exchange, fix Public Folders management for the Exchange Server Manager
ON THE IIS BOX…
- Open Internet Services Manager
- Right-click on exchange>Default Web Site>Exadmin
- Properties
- Directory Security tab
- Secure communications Edit
- Uncheck Require secure channel (SSL)
- OK
- OK
Older Comments (from previous blogging tool):
Good explanation – that made it very easy to set up! Thanks!
Posted by: Mike Bridge at June 20, 2003 01:56 PM
Very very helpful. Straight-forward, no fluff. Worked my first run through. Thank you so much.
Posted by: John Kazinski at June 23, 2003 09:50 PM
Very helpful. I was struggling with this for a while until I came across your article. Then, it was a snap! Thanks a lot. (Also, thanks Google.)
Posted by: Milind Khandekar at July 3, 2003 12:57 PM
I heart you. I’m saving a local copy of this page.
Posted by: tp at July 8, 2003 06:10 PM
In order to get IE to trust your certificate (so that it does not prompt you every single time) you’ll have to install (in IE) the CA.crt certificate first (as a Trusted Root Authority ?).
Posted by: Mark Kitt at July 12, 2003 03:55 PM
Thank you for your help
Posted by: xavier at July 15, 2003 10:48 AM
Thanks! Worked like a charm.
I had to restart IIS for everything to take effect.
Posted by: Matt at July 30, 2003 03:38 AM
I have been able to use an OpenSSL 0.9.7b win32 build to make the certificates right here on my Windows 2000 machine. I downloaded it from http://hunter.campbus.com (Openssl-0.9.7b-Win32.zip) and I found a generic OpenSSL config file (openssl.cnf) on this page http://tud.at/programm/apache-ssl-win32-howto.php3 (It’s in section 2 “Getting OpenSSL and mod_ssl”)
Extract the contents of that zip file somewhere (like c:\openssl) and put the openssl.cnf in there too. Also, be sure it’s really named openssl.cnf or it won’t be found.
I love Google.
Posted by: toolfan at August 8, 2003 08:58 AM
Thanx..
It’s free and it works.!!
Posted by: Gert at August 13, 2003 09:17 AM
This info is indeed great. I got it working smoothly.
Thanks a lot !!!!
Only thing I need to add is, you do not need a Linux box necessarily, since you can install OpenSSL on a Win2k box too. So you can perform step 1 on a Win2k box too!
Posted by: Prakash Shekade at August 23, 2003 08:21 AM
You can also install Cygwin http://www.cygwin.com/ and use its version of openssl in place of all the ‘on the Linux box’ steps.
Posted by: JA at September 5, 2003 12:07 PM
Easy How-To. Thanks for that one. Nice.
Posted by: Tobias Kuhrmann at September 12, 2003 12:17 PM
Dude, you are a life saver. This worked out great. Thanks man
Posted by: BN at September 28, 2003 10:01 PM
It looks like you can’t use host headers with SSL according to Q187504 from Microsoft’s Knowledge Base.
Workaround: make the site you need with SSL the default web site, and it’ll work, but it won’t work for any others you have on the same server.
This is totally doable with apache + mod_ssl + Virtual Hosts.
Posted by: Jaime Diaz at September 29, 2003 05:26 PM
You’re right that you can’t use host headers with SSL. The reason is that the secure socket is established BEFORE the host headers are sent, therefore the server doesn’t know when the connection is established which virtual server you want to connect to.
SSL sites MUST be associated exclusively with an IP address.
Posted by: WebWiz at September 29, 2003 06:24 PM
From ssl.conf:
##
## SSL Global Context
##
## All SSL configuration in this context applies
## both to the main server and all SSL-enabled
## virtual hosts.
##
This is what made me think it is possible doing it on apache, however, I’ve never tried this.
The Microsoft note I mentioned before states that by HTTP 1.1 protocol definition this is impossible.
On the FAQ of mod_ssl this is commented too, so I think I rushed a little when I said it was possible under apache.
So, in summary, the only way to do it is using IP-based virtual hosts.
Posted by: Jaime Diaz at September 30, 2003 09:08 AM
On my Win box, I did the following to get the 2nd step of the 1) above to work
openssl req -new -key CA.key -x509 -config openssl.cnf -days 1095 -out CA.crt
Posted by: brad cambpell at October 2, 2003 12:43 PM
Many thanks for this excellent article! Worked like a charm.
Posted by: Shubhang Varma at October 15, 2003 09:39 PM
wow,
You are Da Man!
Thanks for your efforts.
Posted by: Kevin Davis at October 17, 2003 02:37 PM
You are a life saver! Thanks for the excellent info, this really saved the day for me. Cheers!
Posted by: UberDev at October 24, 2003 11:31 PM
Having a few problems
Issued to and issued by names appear to be the same even though CA’s name was different
Also certification path is showing problems due to the above
Any ideas?
Robbie
Posted by: Robbie at October 30, 2003 06:02 AM
I also had problems with the certification path (“does not chain up to a trusted root certificate” in System Log). This seemed to fix it:
1. Internet Information Services -> select the site -> right click -> Properties
2. Directory Security -tab -> Secure communications -frame -> Edit…
3. Select “Enable certificate trust list”, click New… -> Next
4. Add from file -> use CA.crt -> Next
5. Write something to the Name and Description, if you like. -> Next -> Finish
Posted by: Marko Haverinen at November 3, 2003 04:36 AM
For what it’s worth, I was able to use Mac OS X 10.3 in place of Linux. It has OpenSSL installed by default. Worked great. Entered commands exactly as instructed. Thanks!
Posted by: Steve Manke at November 12, 2003 04:49 PM
Thank you for your efforts…
& google
Posted by: yasin inat at December 16, 2003 08:19 PM
Hi,
Where can I find a free CA? Cause I’ve created the .txt file with my company information and now I need the authority. As I am testing a SSL based web app I need a free CA just to make it work.
Thanks.
Fernando.
Posted by: Fernando Freitas at January 15, 2004 06:03 AM
This was very informative and worked great for me….
Posted by: kj at February 8, 2004 06:52 AM
The article is excellent and was really useful for me.
Thanks a lot!
Posted by: Vasiliy at February 24, 2004 05:01 AM
I was able to create everything the first time out and use SSL with IIS (did it all over WinXP too). What I can’t do is use the existing files with cURL to access the site. Is this a pkcs12 or PEM issue? I’ve tried modifying curl-ca-bundle.crt and turning off verification, etc – no joy. Bigtime TIA, and thanks Eric for the info!!
Posted by: Noobster at February 28, 2004 04:57 AM
Very good!!!
Really is very good…
Thank you.
Posted by: Leonardo Pinto at March 4, 2004 04:43 PM
11 Responses
I easily created my certificate using your directions. I did run into a problem with the CRT file generated by my WebStar software. Looking online, I decided there was a hidden character or wayward space in the CRT. Openssl failed with a “no start line” error. I used Openssl to create a template CRT file then pasted the code from WebStar file into the template. It worked great after that. BTW, I've been fumbling through working with Macs. My WebStar runs in OS 9 and I created the certificate on another Mac running 10.2.8. I hope to get HTTPS running to check mail over a web page interface. Getting a secure connection without a bill from Verisign was the first of my hurdles.
Thanks for the info!
Tom
That was exactly what I was looking for, thank you for documenting that.
This information was very helpful, thank you. The only problem is the darn *@( NT IIS won't accept the CA.crt file. The server key loads, but IIS complains about not being able to verify the certificate authority. So…. I did this:
It loads fine in the previous steps, so I can only assume there's a problem with IIS somewhere.
1. Internet Information Services -> select the site -> right click -> Properties
2. Directory Security -tab -> Secure communications -frame -> Edit…
3. Select “Enable certificate trust list”, click New… -> Next
4. Add from file -> use CA.crt -> Next
5. Write something to the Name and Description, if you like. -> Next -> Finish
Only IIS won't load the CA.crt file
Any ideas?
If you are using OpenSSL on Windows or if you find OpenSSL is not able to find your openssl.cnf file, modify step #2 to include the following parameter:
-config openssl.cnf
I'm running WinXP. In this example, I have openssl.cnf installed in the same location where openssl.exe is located.
Thanks for a great and easy to follow article.
one of the best examples .. guided me perfectly ! thanks a ton //
If only all guides on the Internet were written as well as this; straight forward, step-by-step, easy to understand. Fantastic!
thanks
Excellent guide. I had to also manually install CA.crt onto each PC to get IE to accept that the certificate was valid. Doing so entered my company as a Trusted Root Certification Authority on those PCs. We're testing SSL internally on several servers with many tester PCs and installing our organization as a root certification authority was the only thing that worked. Everything else here was spot on, though.
Who ever ..where ever you are.. you made my day!
Thanks much. You saved me a lot of work.
this is great, thanks!
but instead of using openssl on a linux box, I’m using the openssl.exe embedded in xampp. it works like a charm
I just wanted to point out that this does not generate true self-signed server certificates. You are generating a self-signed certificate authority, and then using that CA to sign a certificate request.
A true self-signed certificate is signed by only itself, and not a certificate authority.
This doesn’t really make much of a difference for what you guys are doing. Just pointing things out, that’s all.