So you have a server and you need to implement SSL to allow secure (https) communication. What choices do you have? You can buy a certificate from certification authority or you can issue a Self-Signed certificate to yourself. The difference is that your browser “knows” it can trust the certificates from the authorities (it has it installed). But when the browser encounters the https connection with a server with the self-signed certificate, the user is presented with a message like this:
Thus, self-signed certificates are OK for test and development web sites, but generally not OK for public websites.
This article will show you the simplest ways to create a Self-Signed SSL Certificate.
Here are your options. (Or just go to the Best Solution )
Solution 1 (quite long, but recommended by Microsoft)
Setting Up SSL Using IIS and Certificate Server
MS recommends that you get the certificate from the certificate server. This means that you have to have an access to Window 2000 or Windows 2003 server with “Certification Services” installed. You use IIS MMC to generate request to this server. Then using browser you submit this request to the server. Then, when somebody at that server approves the request, you will get back a certificate.
See details at http://support.microsoft.com/default.aspx?kbid=299525
Solution 2 (fast, but sometimes could be tricky)
Creating Self-Signed SSL Certificates using makecert.exe
It is a quite simple solution. The only problem is that sometimes it just doesn’t work, and it’s hard to determine what is wrong. The makecert.exe comes with VS.NET. It you don’t have .NET Framework 1.1 installed, the makecert might be outdated. You can download a newer version from http://download.microsoft.com/download/platformsdk/Update/5.131.3617.0/NT45XP/EN-US/makecert.exe
Just replace yourservername with the computer name of your PC and run:
makecert -r -pe -n “CN=yourservername” -b 01/01/2000 -e 01/01/2050 -eku 22.214.171.124.126.96.36.199.1 -ss my -sr localMachine -sky exchange -sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12
Then go to the IIS “Web Site Properties”, “Directory Security”, “Server Certificate…”, “Assign an existing certificate” and select the new certificate from the list.
It works? Fine! No? Go to the Best Solution
Solution 3 (OK for not-technical users)
Download a test certificate from certification authorities
The certificate companies like VeriSign and Thawte issue test certificates, but they expire after 90 days or so, and the process of getting it could be quite tedious.
Avoid all this pain with a nice tool from Microsoft: SSL Diagnostics . Download setup.exe (2112 KB) from here: http://www.microsoft.com/downloads/details.aspx?familyid=CABEA1D0-5A10-41BC-83D4-06C814265282&displaylang=en
Install it and run. In the main window of SSL Diagnostics, right-click the Web site level (shown by [W3SVC/<site number>]), and then click Create New Certificate.
That is it. You are done. Don’t forget to explore other capabilities of this nice tool.