Wednesday, January 16, 2008

While we could do the same thing in IIS6, IIS7 introduced a much more convenient way to create self-signed SSL certificates for your web sites, as described by ScottGu on his blog. However, there is one problem with the way IIS7 does this: no matter what you do (as far as I know), the certificate will be created with the local computer's network name as the CN (Common Name, i.e. the site name) in the certificate. The Common Name must match the web site's DNS address to be valid, and often the DNS name differs from the computer name. This site's DNS name is for instance, while the name of the server hosting the site is LABBETUSS2008.

If your certificate's CN does not match the web site address, most browsers will tell users that you have a foobar SSL setup (even more foobar than not having a certificate from a trusted authority), and some (the newest version of Firefox, among others, I think) will completely refuse to open your site.

The good thing is that there's a way to fix it, and that is reverting to the way we had to do this in IIS6: using SelfSSL.exe from the IIS6 Resource Kit Tools. Below are the steps to do this:

  1. Download and install the IIS6 Resource Kit Tools from here:
    Note: I don't know if the Resource Kit will install on Vista or Windows Server 2008, I had the Resource Kit installed on a Windows 2003 box and just copied SelfSSL.exe.
  2. Look up the site ID of the web site you want to enable for SSL by selecting the "Sites" node in the tree in IIS7 Manager.
  3. Run SelfSSL /N:CN=<your web site address (no http://)> /V:<number of days the certificate should be valid> /S:<site ID from step 2> [/P:<port, if not 443>]
  4. Test your site.

Note 2: It is possible that you will need to install the IIS6 compatibility components for IIS7 in order for this to work - I don't know. You install them from the Add/Remove Windows Components dialog, or the Web Server Role configuration in Windows Server 2008.
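As an added example (not code from the original post), here is step 3 wrapped in PowerShell together with the check you want afterwards: confirm the certificate landed in the machine store with the requested CN, then connect to the site and confirm the CN it actually serves matches the DNS name. The host name, site ID and validity period are placeholders, and SelfSSL.exe is assumed to be on the PATH.

```powershell
# Added example, not from the original post. Placeholder values: replace with your own.
$SiteHost = 'www.example.com'   # the DNS name users type, NOT the machine name
$SiteId   = 2                    # from the "Sites" node in IIS7 Manager (step 2)
$Days     = 365

# Step 3 of the post: SelfSSL.exe (IIS6 Resource Kit) is assumed to be on the PATH.
# /N sets the CN, /V the validity in days, /S the IIS site ID (add /P:<port> if not 443).
& SelfSSL.exe "/N:CN=$SiteHost" "/V:$Days" "/S:$SiteId"
if ($LASTEXITCODE -ne 0) { throw "SelfSSL.exe failed with exit code $LASTEXITCODE" }

# Check 1: the certificate is in the machine store with the CN we asked for.
$stored = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$SiteHost" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $stored) { throw "No certificate with CN=$SiteHost found in LocalMachine\My" }
"Stored: $($stored.Subject), valid until $($stored.NotAfter), thumbprint $($stored.Thumbprint)"

# Check 2: the certificate the site actually serves carries a CN matching the DNS name.
function Test-ServedCertificateName {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any chain: a self-signed cert is untrusted by design,
        # and here we only want to inspect the name it carries, not the issuer.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $cn = $served.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        [pscustomobject]@{ Host = $HostName; ServedCN = $cn; Matches = ($cn -eq $HostName) }
    }
    finally { $client.Close() }
}

$result = Test-ServedCertificateName -HostName $SiteHost
$result
if (-not $result.Matches) {
    Write-Warning "Browsers will flag this site: served CN '$($result.ServedCN)' does not match '$SiteHost'"
}
```

Run Check 2 from a machine that resolves $SiteHost to the IIS server; if it reports the machine name (like LABBETUSS2008) instead of the DNS name, the IIS7-generated certificate is still bound to the site.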

Does anyone else know of an easier way to do this? I searched a bit without finding anything. What about adding an option to choose the CN in the "Create Certificate wizard", IIS7 team?

posted on Wednesday, January 16, 2008 11:14:01 PM (W. Europe Standard Time, UTC+01:00)