While we could do the same thing in IIS6, IIS7 introduced a much more convenient way to create self-signed SSL certificates for your web sites, as described by ScottGu on his blog. However, there is one problem with the way IIS7 does this: No matter what you do (as far as I know), the certificate will be created with the local computer network name as the CN, Common Name (the site name) in the certificate. The Common Name should match the web site's DNS address to be valid, and often the DNS name is different from the computer name. This site's DNS name is for instance hansolav.net, while the name of the server hosting the site is LABBETUSS2008.
If your certificate CN does not match the web site address, most browsers will tell the users that you have a foobar SSL setup (even more foobar than not having a certificate from a trusted authority), and some (the newest version of FireFox, among others, I think) will completely refuse to open your site.
The good thing is that there's a way to fix it, and that is reverting to the way we had to do this in IIS6; using SelfSSL.exe from the IIS6 Resource Kit Tools. Below are the steps to to this:
Note2: It is possible that you will need to install the IIS6 compatibilty components for IIS7 in order for this to work - I don't know. You install them from the Add/Remove Windows Components dialog, or the Web Server Role configuation in Windows Server 2008.
Does anyone else know of an easier way to do this? I searched a bit without finding anything. What about adding an option to choose the CN in the "Create Certificate wizard", IIS7 team?
Page rendered at Wednesday, October 4, 2023 12:48:51 AM (W. Europe Standard Time, UTC+01:00)
The opinions expressed herein are my own personal opinions and do not represent
my employer's view in anyway.