This is being re-posted as a blog entry so that folks can leave comments...I had a great note by email today with additional information that folks may find useful, so I figured this would make it easier to add information.

UPDATE 3/5/2004: Re-posted (yet again) in the new blogging system to allow for live comments.  The old URL still works (for now), but will very soon be modified as a redirect page, and the old comments will be split out to a separate page.


Self-Signed IIS SSL Certificates using OpenSSL

This tutorial assumes that you have a Linux box with OpenSSL installed, and that you want to create a certificate for IIS 5.0 signed by your own private CA. (The page calls this "self-signed"; strictly, only the CA certificate is self-signed. The server certificate is issued by your CA, and browsers will keep warning about it until CA.crt is imported as a trusted root on each client, as the comments below describe.)

  1. Set up your CA (you only have to do this once)
    ON THE LINUX BOX...
    • Create a private key
      openssl genrsa -des3 -out CA.key 1024
      (You'll need to supply a passphrase. DON'T FORGET THIS!! Note: 1024 bits was the norm when this was written; use 2048 or more today, since 1024-bit RSA is no longer accepted by current browsers.)

    • Set this to read-only for root for security
      chmod 400 CA.key
    • Create the CA certificate
      openssl req -new -key CA.key -x509 -days 1095 -out CA.crt
      (Provide appropriate responses to the prompts...for Common Name, you might want to use something like "OurCompany CA")

    • Set the certificate to read-only for root for security
      chmod 400 CA.crt
  2. Obtain a CSR
    ON THE IIS BOX...
    • Open the Internet Manager
    • Select the site for which you want to create a key
    • Right-click and choose Properties
    • Select the "Directory Security" tab
    • Click the "Server Certificate" button
    • Follow the prompts to create a CSR
    • Save your CSR, then transfer it to the Linux box for further processing. (For the following steps, we'll refer to your CSR as "new.csr")

  3. Sign the CSR
    ON THE LINUX BOX...
    • Sign the CSR (all of this on one line)
      openssl x509 -req -days 365 -in new.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out new.crt
      (-CAcreateserial writes a CA.srl file next to CA.crt. Keep it: on later signings drop -CAcreateserial and OpenSSL will read and increment it, so each certificate from your CA gets a unique serial number.)
    • Transfer the new.crt file back to the IIS box

  4. Install the signed certificate
    ON THE IIS BOX...
    • Open the Internet Manager
    • Select the site to install the key
    • Right-click and choose properties
    • Select the "Directory Security" tab
    • Click the "Server Certificate" button
    • Specify that you want to complete the pending request
    • Select the .crt file that you just transferred
That's it!
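As an added, end-to-end example (not from the original post or its comments), here are the three "on the Linux box" steps as a POSIX shell script that runs without prompts, with a stand-in for the CSR that IIS would normally generate and a chain check at the end. The hostname, passphrase, directory layout and extension values are assumptions for the demo. It departs from the 2003 commands in two places, both marked in the comments: 2048-bit keys instead of 1024, and a subjectAltName on the server certificate, which current browsers require.

```shell
#!/bin/sh
# Added example: the "on the Linux box" steps of the tutorial, a stand-in for
# the IIS CSR, and a chain check. Hostname, passphrase and paths are assumed
# demo values, not values from the original page.
set -eu

# make_ca DIR PASSPHRASE
# Step 1: private CA key plus self-signed CA certificate. The key is encrypted
# with -des3 as in the tutorial; the passphrase reaches openssl through the
# environment (env:CA_PASS) so it is not on the command line or in history.
make_ca() {
    dir=$1; pass=$2
    mkdir -p "$dir"
    # Minimal config: no prompts, and explicit CA extensions (assumed CN).
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
CN = OurCompany CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # 2048 bits instead of the tutorial's 1024: 1024-bit RSA is no longer accepted.
    CA_PASS=$pass openssl genrsa -des3 -passout env:CA_PASS \
        -out "$dir/CA.key" 2048 2>/dev/null
    chmod 400 "$dir/CA.key"
    CA_PASS=$pass openssl req -new -x509 -config "$dir/ca.cnf" \
        -key "$dir/CA.key" -passin env:CA_PASS -days 1095 -out "$dir/CA.crt"
    chmod 400 "$dir/CA.crt"
}

# make_csr DIR HOSTNAME
# Stand-in for step 2. On a real deployment IIS generates the key pair and the
# CSR itself and the private key never leaves the IIS box; this only exists so
# the procedure can be exercised end to end on one machine.
make_csr() {
    dir=$1; host=$2
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=$host" -keyout "$dir/server.key" -out "$dir/new.csr" 2>/dev/null
}

# sign_csr DIR HOSTNAME PASSPHRASE
# Step 3, plus an extension file the 2003 command lacked: a subjectAltName
# (browsers now ignore the CN) and leaf-only key usage. -CAcreateserial writes
# DIR/CA.srl; later signings should reuse it instead of recreating it.
sign_csr() {
    dir=$1; host=$2; pass=$3
    cat > "$dir/server_ext.cnf" <<EOF
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    CA_PASS=$pass openssl x509 -req -days 365 -in "$dir/new.csr" \
        -CA "$dir/CA.crt" -CAkey "$dir/CA.key" -passin env:CA_PASS \
        -CAcreateserial -extfile "$dir/server_ext.cnf" -out "$dir/new.crt"
}

# verify_chain DIR HOSTNAME
# What IIS and the browsers will check: new.crt chains to CA.crt and names the
# host in its SAN. Returns 0 on success, non-zero otherwise.
verify_chain() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/CA.crt" "$dir/new.crt" >/dev/null &&
    openssl x509 -in "$dir/new.crt" -noout -text | grep -q "DNS:$host"
}

# issue_iis_cert DIR HOSTNAME PASSPHRASE: steps 1-3 and the check, in order.
issue_iis_cert() {
    make_ca "$1" "$3"
    make_csr "$1" "$2"
    sign_csr "$1" "$2" "$3"
    verify_chain "$1" "$2"
}

# Stand-alone demo with constructed values.
demo_dir=$(mktemp -d)
issue_iis_cert "$demo_dir" www.example.com 'demo-passphrase' \
    && echo "new.crt chains to CA.crt in $demo_dir"
```

On a real deployment run only make_ca and sign_csr on the Linux box, feed sign_csr the new.csr copied from IIS, and copy new.crt back; CA.crt is what goes into the clients' trusted root store.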

Now...here's the updated info, with special thanks to David MacKenzie.

David's comments: I found your instructions for creating a self-signed cert for IIS using OpenSSL invaluable--thanks! (I found them by google.) There's one subtlety I'd like to suggest you add to them. If the IIS server is Outlook Web Access for an Exchange server, then installing the SSL cert breaks Public Folders administration from the Exchange System Manager MMC console. ESM complains that the cert isn't connected to a recognized authority, and if you fix that, it complains that the system name is wrong. After more googling, I found an answer that worked for me, shown below as additional steps for your check list. I'm using Windows 2000 SP3 and Exchange 2000 SP3.

  1. If the IIS server is running Outlook Web Access for Exchange, make ourselves recognized as a CA
    ON THE IIS BOX...
    • Open Internet Explorer
    • Tools>Internet Options
    • Content tab
    • Certificates
    • Import
    • Next
    • Browse
    • Files of type: X.509 Certificate (*.cer, *.crt)
    • Select CA.crt
    • Open
    • Next
    • Next
    • Finish
  2. If the IIS server is running Outlook Web Access for Exchange, fix Public Folders management for the Exchange Server Manager
    ON THE IIS BOX...
    • Open Internet Services Manager
    • Right-click on exchange>Default Web Site>Exadmin
    • Properties
    • Directory Security tab
    • Secure communications Edit
    • Uncheck Require secure channel (SSL)
    • OK
    • OK
Older Comments (from previous blogging tool):

Good explanation - that made it very easy to set up! Thanks!

Posted by: Mike Bridge at June 20, 2003 01:56 PM

Very very helpful. Straight-forward, no fluff. Worked my first run through. Thank you so much.

Posted by: John Kazinski at June 23, 2003 09:50 PM

Very helpful. I was struggling with this for a while until I came across your article. Then, it was a snap! Thanks a lot. (Also, thanks Google.)

Posted by: Milind Khandekar at July 3, 2003 12:57 PM

I heart you. I'm saving a local copy of this page.

Posted by: tp at July 8, 2003 06:10 PM

In order to get IE to trust your certificate (so that it does not prompt you every single time) you'll have to install (in IE) the CA.crt certificate first (as a Trusted Root Authority ?).

Posted by: Mark Kitt at July 12, 2003 03:55 PM

merci pour ton aide
thank you for your help

Posted by: xavier at July 15, 2003 10:48 AM

Thanks! Worked like a charm.
I had to restart IIS for everything to take effect.

Posted by: Matt at July 30, 2003 03:38 AM

I have been able to use an OpenSSL 0.9.7b win32 build to make the certificates right here on my Windows 2000 machine. I downloaded it from http://hunter.campbus.com (Openssl-0.9.7b-Win32.zip) and I found a generic OpenSSL config file (openssl.cnf) on this page http://tud.at/programm/apache-ssl-win32-howto.php3 (It's in section 2 "Getting OpenSSL and mod_ssl")

Extract the contents of that zip file somewhere (like c:\openssl) and put the openssl.cnf in there too. Also, be sure it's really named openssl.cnf or it won't be found.

I love Google.

Posted by: toolfan at August 8, 2003 08:58 AM

Thanx..

It's free and it works.!!

Posted by: Gert at August 13, 2003 09:17 AM

This info is indeed great. I got it working smoothly.
Thanks a lot !!!!
Only thing I need to add is, you do not need a Linux box necessarily since you can install OpenSSL on a Win2k box too. So you can perform step 1 on a Win2k box too!

Posted by: Prakash Shekade at August 23, 2003 08:21 AM

You can also install Cygwin http://www.cygwin.com/ and use its version of openssl in place of all the 'on the Linux box' steps.

Posted by: JA at September 5, 2003 12:07 PM

Easy How-To. Thanks for that one. Nice.

Posted by: Tobias Kuhrmann at September 12, 2003 12:17 PM

Dude, you are a life saver. This worked out great. Thanks man

Posted by: BN at September 28, 2003 10:01 PM

It looks like you can't use host headers with SSL according to Q187504 from Microsoft's Knowledge Base.

Workaround: make the site you need with SSL default web site, and it'll work, but it won't work for any others you have on the same server.

This is totally doable with apache + mod_ssl + Virtual Hosts.

Posted by: Jaime Diaz at September 29, 2003 05:26 PM

You're right that you can't use host headers with SSL. The reason is that the secure socket is established BEFORE the host headers are sent, therefore the server doesn't know when the connection is established which virtual server you want to connect to.

SSL sites MUST be associated exclusively with an IP address.

Posted by: WebWiz at September 29, 2003 06:24 PM

From ssl.conf:
##
## SSL Global Context
##
## All SSL configuration in this context applies
## both to the main server and all SSL-enabled
## virtual hosts.
##

This is what made me think it is possible to do it on apache, however, I've never tried this.
Microsoft's note I mentioned before states that by HTTP 1.1 protocol definition this is impossible.

On the FAQ of mod_ssl this is commented too, so I think I rushed a little when I said it was possible under apache.

So, to sum up, the only way to do it is using IP-based virtual hosts.

Posted by: Jaime Diaz at September 30, 2003 09:08 AM

On my Win box, I did the following to get the 2nd step of the 1) above to work

openssl req -new -key CA.key -x509 -config openssl.cnf -days 1095 -out CA.crt

Posted by: brad cambpell at October 2, 2003 12:43 PM

Many thanks for this excellent article! Worked like a charm.

Posted by: Shubhang Varma at October 15, 2003 09:39 PM

wow,
You are Da Man!
Thanks for your efforts.

Posted by: Kevin Davis at October 17, 2003 02:37 PM

You are a life saver! Thanks for the excellent info, this really saved the day for me. Cheers!

Posted by: UberDev at October 24, 2003 11:31 PM

Having a few problems

Issued to and issued by names appear to be the same even though CA's name was different

Also certification path is showing problems due to the above

Any ideas?

Robbie

Posted by: Robbie at October 30, 2003 06:02 AM

I also had problems with the certification path ("does not chain up to a trusted root certificate" in System Log). This seemed to fix it:
1. Internet Information Services -> select the site -> right click -> Properties
2. Directory Security -tab -> Secure communications -frame -> Edit...
3. Select "Enable certificate trust list", click New... -> Next
4. Add from file -> use CA.crt -> Next
5. Write something to the Name and Description, if you like. -> Next -> Finish

Posted by: Marko Haverinen at November 3, 2003 04:36 AM

For what it's worth, I was able to use Mac OS X 10.3 in place of Linux. It has OpenSSL installed by default. Worked great. Entered commands exactly as instructed. Thanks!

Posted by: Steve Manke at November 12, 2003 04:49 PM

Thank you for your efforts...
& google :)

Posted by: yasin inat at December 16, 2003 08:19 PM

Hi,

Where can I find a free CA? Cause I've created the .txt file with my company information and now I need the authority. As I am testing a SSL based web app I need a free CA just to make it work.

Thanks.

Fernando.

Posted by: Fernando Freitas at January 15, 2004 06:03 AM

This was very informative and worked great for me....

Posted by: kj at February 8, 2004 06:52 AM

The article is excellent and was really useful for me.
Thanks a lot!

Posted by: Vasiliy at February 24, 2004 05:01 AM

I was able to create everything the first time out and use SSL with IIS (did it all over WinXP too). What I can't do is use the existing files with cURL to access the site. Is this a pkcs12 or PEM issue? I've tried modifying curl-ca-bundle.crt and turning off verification, etc - no joy. Bigtime TIA, and thanks Eric for the info!!

Posted by: Noobster at February 28, 2004 04:57 AM

Very good!!!

Really is very good...

Thank you.

Posted by: Leonardo Pinto at March 4, 2004 04:43 PM