Creating a Self-Signed SSL Certificate without a mess of makecert.exe (using SSL Diagnostics Tool)


So you have a server and you need to implement SSL to allow secure (https) communication. What choices do you have? You can buy a certificate from a certification authority, or you can issue a self-signed certificate to yourself. The difference is that your browser “knows” it can trust certificates from the authorities (it has their root certificates installed). But when the browser encounters an https connection to a server with a self-signed certificate, the user is presented with a message like this:


Thus, self-signed certificates are OK for test and development web sites, but generally not OK for public websites.

This article will show you the simplest ways to create a Self-Signed SSL Certificate.

Here are your options. (Or just go to the Best Solution.)

Solution 1 (quite long, but recommended by Microsoft)

Setting Up SSL Using IIS and Certificate Server

MS recommends that you get the certificate from a certificate server. This means that you need access to a Windows 2000 or Windows 2003 server with “Certification Services” installed. You use the IIS MMC to generate a request to this server. Then, using a browser, you submit this request to the server. When somebody at that server approves the request, you get back a certificate.

See details at

Solution 2 (fast, but sometimes could be tricky)

Creating Self-Signed SSL Certificates using makecert.exe

It is quite a simple solution. The only problem is that sometimes it just doesn’t work, and it’s hard to determine what is wrong. makecert.exe comes with VS.NET. If you don’t have .NET Framework 1.1 installed, makecert might be outdated. You can download a newer version from

Just replace yourservername with the computer name of your PC and run:

makecert -r -pe -n "CN=yourservername" -b 01/01/2000 -e 01/01/2050 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

Then go to the IIS “Web Site Properties”, “Directory Security”, “Server Certificate…”, “Assign an existing certificate” and select the new certificate from the list.

It works? Fine! No? Go to the Best Solution
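
Since a makecert failure is hard to diagnose, the check below reports whether the certificate landed in the store and has the properties the command above asks for. It is an added example, not part of the original article; it assumes Windows PowerShell 3.0 or later, and the function name Test-SelfSignedServerCert is hypothetical.

```powershell
# Added example: inspects the certificate that the makecert command should have
# created. Test-SelfSignedServerCert is a hypothetical helper name.
function Test-SelfSignedServerCert {
    param(
        # Assumption: the same name you used in -n "CN=yourservername"
        [Parameter(Mandatory = $true)] [string] $ServerName
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (-eku)

    # -ss my -sr localMachine puts the certificate in LocalMachine\My
    $certs = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$ServerName" }

    if (-not $certs) {
        Write-Warning "No certificate with subject CN=$ServerName in LocalMachine\My."
        return
    }

    $now = Get-Date
    foreach ($cert in $certs) {
        # Collect the OIDs from the Enhanced Key Usage extension, if present
        $ekuOids = @()
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if ($eku) {
            $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }

        [pscustomobject]@{
            Thumbprint         = $cert.Thumbprint
            SelfSigned         = ($cert.Subject -eq $cert.Issuer)      # -r
            HasPrivateKey      = $cert.HasPrivateKey                   # IIS needs the key
            ServerAuthEku      = ($ekuOids -contains $serverAuthOid)
            CurrentlyValid     = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
            ValidYears         = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25, 1)
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
        }
    }
}

# Usage (replace the placeholder with your computer name):
# Test-SelfSignedServerCert -ServerName 'yourservername'
```

If HasPrivateKey or ServerAuthEku comes back False, or no certificate is found at all, IIS will not be able to use the certificate for the site. ValidYears also shows the 50-year lifetime set by -b and -e, which is acceptable only for test and development sites.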

Solution 3 (OK for non-technical users)

Download a test certificate from certification authorities

Certificate companies like VeriSign and Thawte issue test certificates, but they expire after 90 days or so, and the process of getting one can be quite tedious.

Solution 4 (The Best and Recommended)

Create a Self-Signed Certificate using SSL Diagnostics Tool

Avoid all this pain with a nice tool from Microsoft: SSL Diagnostics. Download setup.exe (2112 KB) from here:

Install it and run it. In the main window of SSL Diagnostics, right-click the Web site level (shown by [W3SVC/<site number>]), and then click Create New Certificate.


That is it. You are done. Don’t forget to explore other capabilities of this nice tool.
