Wednesday, January 16, 2008

While we could do the same thing in IIS6, IIS7 introduced a much more convenient way to create self-signed SSL certificates for your web sites, as described by ScottGu on his blog. However, there is one problem with the way IIS7 does this: no matter what you do (as far as I know), the certificate is created with the local computer's network name as its Common Name (CN), the site name in the certificate. The Common Name should match the web site's DNS name to be valid, and the DNS name is often different from the computer name. This site's DNS name is for instance, while the name of the server hosting the site is LABBETUSS2008.

If your certificate CN does not match the web site address, most browsers will tell users that you have a foobar SSL setup (even more foobar than not having a certificate from a trusted authority), and some (the newest version of Firefox, among others, I think) will completely refuse to open your site.

The good thing is that there's a way to fix it, and that is reverting to the way we had to do this in IIS6: using SelfSSL.exe from the IIS6 Resource Kit Tools. Below are the steps to do this:

  1. Download and install the IIS6 Resource Kit Tools from here:
    Note: I don't know if the Resource Kit will install on Vista or Windows Server 2008, I had the Resource Kit installed on a Windows 2003 box and just copied SelfSSL.exe.
  2. Look up the site ID of the web site you want to enable for SSL by selecting the "Sites" node in the tree in IIS7 Manager.
  3. Run SelfSSL /N:CN=<your web site address (no http://)> /V:<how many days the certificate should be valid> /S:<site ID from above> [/P:<port, if not 443>]
  4. Test your site.

Note2: It is possible that you will need to install the IIS6 compatibility components for IIS7 in order for this to work - I don't know. You install them from the Add/Remove Windows Components dialog, or the Web Server Role configuration in Windows Server 2008.
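To make the "CN must match the DNS name" point concrete, here is an added example (my own code, not part of this post or of SelfSSL) that performs the same name check a browser does when it decides whether to warn. It works on certificate data in the shape Python's ssl.getpeercert() returns, so it can be pointed at a live connection as well; the site name www.example.com is an assumed placeholder, since the post's own site name is not given, and the two certificates below are constructed to mirror the wizard-generated cert (CN = computer name) and the SelfSSL cert (CN = site name). It also goes a little beyond the post by applying the usual wildcard and subjectAltName rules, since modern browsers look at subjectAltName first and ignore the CN when a SAN is present.

```python
"""Check whether a certificate's name matches the host name a user typed.

Certificates are represented in the dict shape returned by
ssl.SSLSocket.getpeercert(), e.g.
  {"subject": ((("commonName", "host"),),), "subjectAltName": (("DNS", "host"),)}
"""
from __future__ import annotations


def dns_names(cert: dict) -> list[str]:
    """Names the certificate claims: SAN dNSName entries if any, else the subject CN.

    Browsers have ignored the CN whenever a subjectAltName extension is present
    for years, so the CN fallback only applies to SAN-less certificates such as
    the ones IIS7's wizard and SelfSSL.exe produce.
    """
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for (key, value) in rdn if key == "commonName"]


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive exact match, or a single leftmost-label wildcard.

    '*.example.com' matches 'www.example.com' but not 'example.com' and not
    'a.b.example.com'; a wildcard anywhere else, or '*.com', never matches.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the browser's name check would pass for this host."""
    return any(name_matches(name, hostname) for name in dns_names(cert))


def diagnose(cert: dict, hostname: str) -> str:
    """One-line verdict for an admin testing a site after installing a certificate."""
    names = dns_names(cert)
    if hostname_matches(cert, hostname):
        return f"OK: certificate names {names} cover {hostname}"
    return f"MISMATCH: certificate names {names} do not cover {hostname}; browsers will warn"


# Constructed sample data. LABBETUSS2008 is the server name from the post;
# www.example.com stands in for the site's (unstated) DNS name.
IIS7_WIZARD_CERT = {"subject": ((("commonName", "LABBETUSS2008"),),)}
SELFSSL_CERT = {"subject": ((("commonName", "www.example.com"),),)}
WILDCARD_CERT = {"subject": ((("commonName", "*.example.com"),),)}

if __name__ == "__main__":
    for cert in (IIS7_WIZARD_CERT, SELFSSL_CERT, WILDCARD_CERT):
        print(diagnose(cert, "www.example.com"))
```

Running it shows the wizard certificate failing for www.example.com (it only matches the computer name itself) while the SelfSSL certificate, with /N:CN= set to the site name, passes; the wildcard case illustrates why a CN of *.example.com still would not cover the bare domain.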

Does anyone else know of an easier way to do this? I searched a bit without finding anything. What about adding an option to choose the CN in the "Create Certificate wizard", IIS7 team?

Friday, March 7, 2008 9:38:24 PM (W. Europe Standard Time, UTC+01:00)
Unfortunately, you are right, Hans. You can not specify the CN when you are using the “Create Self-signed Certificate” option in IIS7 Manager. SelfSSL.exe which is part of the IIS6 resource kit works and you can specify a lot of options (including the CN) when you generate the certificate. You have to install the “IIS 6 Management Compatibility Role Services” in order to be able to use SelfSSL.exe.
Here is a Screencast which demonstrates:
- The installation of IIS7
- Creating Self-signed certificate with IIS7 Manager
- Creating a Self-signed certificate with SelfSSL.exe and importing it in the trusted root authorities so you do not get the Certificate warning error.

Best Regards,

PS: There is a link on that page for SelfSSL.exe, in case you do not want to install the whole IIS6 resource kit and you need just the selfssl tool.
Tuesday, March 11, 2008 8:15:11 PM (W. Europe Standard Time, UTC+01:00)
I've just been researching this myself... the following is shamelessly stolen from elsewhere (and not tested by myself):

"SelfSSL is nice unless you plan to use it with multiple sites, in which case there is a bug that will break SSL on any existing site when you add it to a second site. The bug has been fixed but SelfSSL could not be updated. Instead the fix was included in SSLDiag"

Saturday, February 14, 2009 12:37:09 PM (W. Europe Standard Time, UTC+01:00)
Wow, I never knew that Self-signed SSL Certificates on IIS7 and Common Names. That's pretty interesting...
Monday, March 30, 2009 7:59:21 AM (W. Europe Standard Time, UTC+01:00)