Daily Archives: 20 February 2014

Certificate-Related Stuff

This post is going to contain some basic information about the creation and management of Self-Signed Certificates and IIS. It is actually in anticipation of another post which I plan to publish next about the creation of such a certificate for development purposes.

I will presume you have IIS Manager 7 installed on your machine.
If you don’t, go ahead and install it.

Server-side Certificate Installation

To create a Self-Signed Certificate using IIS, execute the following steps:

  1. With IIS Manager open, click on the top-most node in the treeview which represents the root server
  2. In the IIS section of the right-hand pane, double-click on the Server Certificates icon
  3. In the far-right column, which has a heading Actions, click the link which says Create Self-Signed Certificate…
  4. Give your certificate a name as depicted below and follow the rest of the wizard.

[Image: Create Certificate]

You will see that your new certificate has been added on your IIS instance. Note how it has a Certificate Hash. We will use that below.

Exporting the Certificate

Now that we have done the server-side stuff for our certificate, it is time to install it on a machine (the client-side stuff). The first thing we need to do is export the new certificate to a pfx file, which we will then import into our local certificate store.

  1. Right-click on the new certificate in the list and select Export from the context menu
  2. Give the exported certificate a name with a pfx file extension
  3. Enter and confirm a password for the certificate
  4. Click OK and the export will be complete.

[Image: Export Certificate]

Client-side Certificate Installation

The best way to manage certificates on your machine is by way of the Certificate Manager. You can open this by clicking the Start Menu and typing certmgr.msc. When the Start Menu has filtered itself down to 1 item (the Certificate Manager), press Enter.

[Image: Certificate Manager]

Next up, we will add the certificate to the Trusted Root Certification Authorities store. To do that, follow these steps:

  1. Expand the tree node labelled Trusted Root Certification Authorities in the left-hand pane
  2. Right click on the Certificates node which is exposed by virtue of step 1
  3. Select All Tasks > Import from the context menu
  4. Follow the wizard, selecting the pfx file which you created above.

You should be able to find your certificate easily enough after the import. There is a find dialogue in the Certificate Manager. Another quick way of finding it is to sort the items in the Trusted Root Certification Authorities > Certificates window by the Friendly Name column, which is the one that contains the name we gave it earlier.

[Image: Trusted Root Certification Authority]

We can now take a look at that certificate: double-click on it in Certificate Manager. Navigate to the Details tab, scroll down to the Thumbprint property and there you will see that same hash that we observed in IIS when we first created it.

[Image: Certificate Hash]
[Image: IIS Hash View]
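
The thumbprint comparison described above can also be scripted. The following PowerShell is an added example, not code from the original post. It assumes a hypothetical friendly name ('CertTester Dev'), that the IIS server store and the client store are on the same development machine, and that the Cert: drive is available.

```powershell
# Added example (not from the original post).
# Assumed value: the friendly name typed into the IIS
# "Create Self-Signed Certificate" wizard.
$friendlyName = 'CertTester Dev'   # hypothetical name, replace with your own

function Get-CertByFriendlyName {
    param([string]$StorePath, [string]$Name)
    # The Cert: drive exposes the same stores that IIS Manager and certmgr.msc show.
    Get-ChildItem -Path $StorePath | Where-Object { $_.FriendlyName -eq $Name }
}

function Compare-CertThumbprint {
    param([string]$Name)
    # IIS Manager's Server Certificates list reads the machine's Personal store;
    # certmgr.msc shows the current user's stores.
    $server = @(Get-CertByFriendlyName -StorePath 'Cert:\LocalMachine\My' -Name $Name)
    $client = @(Get-CertByFriendlyName -StorePath 'Cert:\CurrentUser\Root' -Name $Name)

    if ($server.Count -ne 1) {
        throw "Expected 1 server certificate named '$Name', found $($server.Count)"
    }
    if ($client.Count -eq 0) {
        throw "No certificate named '$Name' in Trusted Root Certification Authorities"
    }

    foreach ($c in $client) {
        [pscustomobject]@{
            FriendlyName      = $Name
            IisHash           = $server[0].Thumbprint
            RootThumbprint    = $c.Thumbprint
            Match             = ($c.Thumbprint -eq $server[0].Thumbprint)
            NotAfter          = $c.NotAfter
            # True when the private key was imported along with the
            # certificate, as a .pfx import does.
            RootHasPrivateKey = $c.HasPrivateKey
        }
    }
}

Compare-CertThumbprint -Name $friendlyName | Format-List
```

A Match value of True corresponds to seeing the same hash in IIS Manager and in the Thumbprint property in Certificate Manager.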

Use the Certificate

To implement SSL in your website, you need to add an SSL binding for that site. To do that, follow these steps:

  1. Click on the website in IIS (mine is called CertTester)
  2. Stop the website
  3. In the Actions column on the far right, click the Bindings link
  4. Click the Add button
  5. Choose https from the top combobox
  6. Choose your certificate in the bottom combobox and click OK
  7. Start your website

You can now browse to that website by clicking the Browse *:443 (https) link in the Actions column.
You will see something wildly unsatisfying like the following IE screenshot:

[Image: Certificate Warning IE]

And here is the Chrome equivalent:

[Image: Certificate Warning]

You can then click:

  • Continue to this website (not recommended) (IE)
  • Proceed anyway (Chrome)

to continue through to the page content.

My next post will show you how to create a better Self-Signed Certificate for development purposes which results in no browser warning when you load the https address (for IE and Chrome only).