Self Signing SSL for IIS

Many people have emailed me about how to set up SSL on their development environment or internal sites without paying for a certificate.  Here are the steps to secure your local IIS server (Windows 2003) with a self-signed SSL certificate.

You will need to download the IIS 6.0 Resource kit from Microsoft – http://www.microsoft.com/downloads/thankyou.aspx?familyId=56FC92EE-A71A-4C73-B628-ADE629C89499&displayLang=en

Install just SelfSSL (or everything, if you want to use the rest of the resource kit).

Download the resource kit.  Execute iis60rkt.exe and select Next on the welcome page. You will have to agree to the license.  Select Next, then select the Custom install option so that only the SelfSSL 1.0 program is installed.

Select your directory; for this example I will just use the default, C:\program files\iis resources\.  For this example I am only selecting the SelfSSL option.


Select Next to install, and Finish when it is done.

Install should be complete.

Create Certificate
We will now create a certificate.  Open a command (DOS) window: Start | Run | cmd.  Change directory to the location where you installed the resource kit.  I chose the default location, c:\program files\iis resources.  To do this, type “cd c:\program files\iis resources\selfssl” in the command window.


Once in the resource kit directory you can use the selfssl.exe program to create a certificate.  If you run “selfssl.exe /?” you will see all the options available.


We will be using a few options to modify our certificate to allow for a FQDN (fully qualified domain name) [/N:CN] and the correct site ID [/S].  Before we can run the command and install the certificate we need to find the site ID for the particular IIS site that we want the SSL certificate bound to.   If you are running only one site on the server and it is the default site, you can use the /S:1 (default site) option.   I typically turn off the default site on my servers for security reasons and have more than one site running.  To find an IIS site ID there are a few options.  I prefer the simple route of viewing the log file for that site and showing the properties there.

In this example I will be creating an SSL certificate for the IIS web site (somedomain.com).  You can see the site in the image of my IIS Manager screen.

[Screenshot: IIS Manager showing the somedomain.com site]

To find the site ID for this particular site (somedomain.com) we can right-click it and select Properties.  From the site properties window, under the “Web Site” tab, select the logging Properties button.

[Screenshot: site properties window, “Web Site” tab]

This will open the logging properties window.  On this window the log file name will include the site ID.

[Screenshot: logging properties window showing the log file name with the site ID]

In this example the site ID we are going to be working with is 1341291934.  The log file name includes the site ID after the W3SVC prefix.

We now go back to our command window and run the selfssl executable with the following command.

selfssl.exe /T /N:CN=somedomain.com /S:1341291934

[Screenshot: command window running selfssl.exe]

This command will create a certificate with the following options:

/T = adds the certificate to the local machine's trusted certificates list

/N:CN = the fully qualified domain name used for the site (somedomain.com); this would be your site name, e.g. www.yourintranet.com

/S:1341291934 = site ID (you got this from the log file name in IIS); 1 = the default site

You have now created an SSL certificate for the site ID you have chosen.  You can view the site properties and see that your certificate will listen on port 443 (SSL).
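To cut down on the manual clicking, here is an added PowerShell script (not from the original post) that looks up the site ID through the IIS 6 WMI provider instead of the log folder name, runs selfssl.exe with the same options plus /V (SelfSSL's default validity is only 7 days) and /Q, and then checks that the resulting certificate landed in the machine's Personal store. It assumes PowerShell and the root\MicrosoftIISv2 WMI namespace are available on the server and that selfssl.exe is in the default resource kit path; $SiteName and $Fqdn are placeholders.

```powershell
# Added example (not from the original post): find the IIS 6 site ID via WMI,
# issue the self-signed certificate with selfssl.exe, then verify the result.
# Assumptions: PowerShell and the root\MicrosoftIISv2 provider are installed,
# selfssl.exe is in the default resource-kit path, and the two values below
# are placeholders for your own site.
$SiteName = 'somedomain.com'      # "Description" column in IIS Manager
$Fqdn     = 'somedomain.com'      # CN the certificate will carry
$Days     = 365                   # selfssl defaults to 7 days without /V
$SelfSsl  = 'C:\Program Files\IIS Resources\SelfSSL\selfssl.exe'

# Look the site up by its description rather than reading the log folder name.
# IIsWebServerSetting.Name looks like "W3SVC/1341291934".
$site = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebServerSetting |
        Where-Object { $_.ServerComment -eq $SiteName }
if (-not $site) { throw "No IIS site with description '$SiteName'" }
if (@($site).Count -gt 1) { throw "More than one site named '$SiteName'; pick the ID manually" }
$siteId = $site.Name.Split('/')[1]
Write-Host "Site '$SiteName' has ID $siteId"

# /T trusts the certificate on this machine only; browsers on other machines
# still warn unless they import it. /Q suppresses the overwrite prompt.
& $SelfSsl /T /Q "/N:CN=$Fqdn" "/V:$Days" "/S:$siteId"
if ($LASTEXITCODE -ne 0) { throw "selfssl.exe failed with exit code $LASTEXITCODE" }

# Verify: the certificate should now be in LocalMachine\My, self-signed
# (issuer equals subject) and carry the expected expiry date.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$cert = $store.Certificates | Where-Object { $_.Subject -eq "CN=$Fqdn" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
$store.Close()
if (-not $cert) { throw "Certificate CN=$Fqdn not found in LocalMachine\My" }
if ($cert.Subject -ne $cert.Issuer) { Write-Warning 'Certificate is not self-signed' }
Write-Host ("Thumbprint {0}, expires {1}" -f $cert.Thumbprint, $cert.NotAfter)
```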

[Screenshot: site properties showing the SSL port set to 443]

This is a simple and quick way to use SSL encryption on your local sites and intranets.  I would not recommend using this method to secure a production server or a server on the Internet; please use a purchased, CA-signed SSL certificate for those.
