Monthly Archives: December 2008

Creating a Self-Signed SSL Certificate without a mess of makecert.exe (using SSL Diagnostics Tool)

Introduction:

So you have a server and you need to implement SSL to allow secure (https) communication. What choices do you have? You can buy a certificate from certification authority or you can issue a Self-Signed certificate to yourself. The difference is that your browser “knows” it can trust the certificates from the authorities (it has it installed). But when the browser encounters the https connection with a server with the self-signed certificate, the user is presented with a message like this:

SSLDiagnostics_SecurityAlert

Thus, self-signed certificates are OK for test and development web sites, but generally not OK for public websites.

This article will show you the simplest ways to create a Self-Signed SSL Certificate.

Here are your options. (Or just go to the Best Solution )

Solution 1 (quite long, but recommended by Microsoft)

Setting Up SSL Using IIS and Certificate Server

MS recommends that you get the certificate from the certificate server. This means that you have to have an access to Window 2000 or Windows 2003 server with “Certification Services” installed. You use IIS MMC to generate request to this server. Then using browser you submit this request to the server. Then, when somebody at that server approves the request, you will get back a certificate.

See details at http://support.microsoft.com/default.aspx?kbid=299525

Solution 2 (fast, but sometimes could be tricky)

Creating Self-Signed SSL Certificates using makecert.exe

It is a quite simple solution. The only problem is that sometimes it just doesn’t work, and it’s hard to determine what is wrong. The makecert.exe comes with VS.NET. It you don’t have .NET Framework 1.1 installed, the makecert might be outdated. You can download a newer version from http://download.microsoft.com/download/platformsdk/Update/5.131.3617.0/NT45XP/EN-US/makecert.exe

Just replace yourservername with the computer name of your PC and run:

makecert -r -pe -n “CN=yourservername” -b 01/01/2000 -e 01/01/2050 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12

Then go to the IIS “Web Site Properties”, “Directory Security”, “Server Certificate…”, “Assign an existing certificate” and select the new certificate from the list.

It works? Fine! No? Go to the Best Solution

Solution 3 (OK for not-technical users)

Download a test certificate from certification authorities

The certificate companies like VeriSign and Thawte issue test certificates, but they expire after 90 days or so, and the process of getting it could be quite tedious.

Solution 4 (The Best and Recommended)

Create a Self-Signed Certificate using SSL Diagnostics Tool

Avoid all this pain with a nice tool from Microsoft: SSL Diagnostics . Download setup.exe (2112 KB) from here: http://www.microsoft.com/downloads/details.aspx?familyid=CABEA1D0-5A10-41BC-83D4-06C814265282&displaylang=en

Install it and run. In the main window of SSL Diagnostics, right-click the Web site level (shown by [W3SVC/<site number>]), and then click Create New Certificate.

SSLDiagnostics_SSLDiag

That is it. You are done. Don’t forget to explore other capabilities of this nice tool.

Writing to Event Log in ASP.NET application

Writing to Event Log is not simple, but very simple:

// Create an EventLog instance and assign its source.

EventLog
myLog = new EventLog();

myLog.Source
= "MySource";

 

// Write an informational entry to the event log.   

myLog.WriteEntry("Writing
to event log.");

EventLog is in System.Diagnostics namespase.

Before using the source of the EventLog, you have to create
it. But if you use the code like this:

//Create Event Log if It Doesn’t Exist

if (! EventLog.SourceExists("MySource"))

      EventLog.CreateEventSource("MySource",
"MySource");

you will get the error:

System.Security.SecurityException: Requested registry access
is not allowed.

Instead, go to registry editor (regedit), locate key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
and create a new key with the source name