Creating a Self-Signed Certificate for Development

Update: this post is out of date and the info here will not be effective with modern browsers.

My last post went through the basics of creating a self-signed certificate using IIS Manager. But it can be done better.

Last year, I had to create a self-signed certificate for the development project I was working on, and found the IIS way of creating certificates to be somewhat lacking. It gave you no option to choose who the certificate is issued to; it simply issued it to the name of the PC on which IIS was running. So if the URL I need to type in the browser’s address bar differs from the PC name to which the certificate is issued, the browser will complain*.
[Image: Chrome certificate warning]

Enter SelfSSL7. It enabled me to give the self-signed certificate a proper canonical name. In addition, it has the following features:

  • The name of the site on which SSL is to be configured
  • The IP address
  • The port
  • Ability to add the certificate as a trusted root certificate
  • Export to a pfx file or cer file
  • One or more configurable common names
  • Configurable expiration date
  • Configurable key size

So, let’s get into an example. I am going to host an enterprise app on a server called devserver-std. However, I am doing my development on my dev machine, which has the computer name PLAGUIS. I need to create a certificate which is issued to the server devserver-std, so that the name to which the certificate is issued is the same as the name I will be typing into the address bar of my browser, i.e. devserver-std.

I fire up a command prompt (run as administrator) and run the following command:

SelfSSL7.exe /N cn=devserver-std /K 2048 /I /S=1 /V 500 /T /Q /X /F E:\MyNewDevCert.pfx /W opensesame

 

Let’s go through that command, step by step:

/N specifies the common name. devserver-std is the name of the server upon which I want to install the certificate; the server which it is issued to.
/K specifies the key size.
/I adds the certificate to an IIS binding (but which one? See next item).
/S specifies the IIS site to which we want to add the binding. We need to know the site ID for this. See this post for steps.
/V is the validity period for the certificate, with 500 (in our example) being the number of days.
/T adds the certificate to the user’s certificate store. This will make the SSL certificate trusted by the browser (except Firefox).
/Q overwrites the existing IIS SSL bindings. This is really handy. I don’t even have to open the IIS GUI and associate it with a binding for the site.
/X tells SelfSSL7 to export the certificate to a pfx file.
/F is the file location for the pfx file.
/W is the password for the pfx file.

With our better self-signed certificate in hand, we can now load the URL for devserver-std in our browser and we will not experience the warning shown at the top of this post. Note that this does not work with Firefox. It does work with IE and Chrome.

* When a web browser receives an SSL certificate it usually checks the certificate for the following 3 things:

  1. Is the certificate still valid or is it already expired?
  2. Is the common name of the certificate the same as that which the user entered in the browser’s address bar?
  3. Does the browser trust the certificate or the issuer of the certificate?
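
The three checks above, run against the PFX exported by the command in this post, as an added PowerShell example (not part of the original post or of SelfSSL7). Test-DevCertificate is a hypothetical helper name; the file path, password and host name are the ones used in this post. It also prints the subjectAltName extension, because Chrome 58 and later match the host name against that extension and ignore the common name.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example. Test-DevCertificate is a hypothetical helper, not part of SelfSSL7.
function Test-DevCertificate {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $PfxPassword,
        [Parameter(Mandatory)] [string] $HostName
    )

    $cert = [X509Certificate2]::new($PfxPath, $PfxPassword)

    # Check 1: is the current time inside the certificate's validity period?
    $now = Get-Date
    $inDate = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

    # Check 2: does the common name equal the name typed in the address bar?
    $cn = $cert.GetNameInfo([X509NameType]::SimpleName, $false)
    $cnMatch = $cn -ieq $HostName

    # subjectAltName (OID 2.5.29.17), shown as text when the extension exists.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '(none)' }

    # Check 3: does Windows trust the issuer? A self-signed certificate is its
    # own issuer, so it must sit in a trusted root store (what /T is for).
    # Revocation is skipped: a self-signed development cert has no CRL.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    [void] $chain.Build($cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $rootTrusted = $flags -notcontains [X509ChainStatusFlags]::UntrustedRoot

    [pscustomobject]@{
        Subject         = $cert.Subject
        NotAfter        = $cert.NotAfter
        WithinValidity  = $inDate
        CommonName      = $cn
        CommonNameMatch = $cnMatch
        SubjectAltName  = $sanText
        RootTrusted     = $rootTrusted
        ChainStatus     = ($flags -join ', ')
    }
}

# Values taken from the SelfSSL7 command in this post.
Test-DevCertificate -PfxPath 'E:\MyNewDevCert.pfx' -PfxPassword 'opensesame' -HostName 'devserver-std'
```

The trust result reflects the Windows certificate stores of the user running the script, so run it as the same user who will open the browser.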
