Wednesday, January 16, 2008
Self-signed SSL Certificates on IIS7 and Common Names

While we could do the same thing in IIS6, IIS7 introduced a much more convenient way to create self-signed SSL certificates for your web sites, as described by ScottGu on his blog. However, there is one problem with the way IIS7 does this: No matter what you do (as far as I know), the certificate will be created with the local computer network name as the CN, Common Name (the site name) in the certificate. The Common Name should match the web site's DNS address to be valid, and often the DNS name is different from the computer name. This site's DNS name is for instance hansolav.net, while the name of the server hosting the site is LABBETUSS2008.

If your certificate CN does not match the web site address, most browsers will tell the users that you have a foobar SSL setup (even more foobar than not having a certificate from a trusted authority), and some (the newest version of FireFox, among others, I think) will completely refuse to open your site.

The good thing is that there's a way to fix it, and that is reverting to the way we had to do this in IIS6; using SelfSSL.exe from the IIS6 Resource Kit Tools. Below are the steps to to this:

  1. Download and install the IIS6 Resource Kit Tools from here: http://www.microsoft.com/downloads/details.aspx?FamilyID=56FC92EE-A71A-4C73-B628-ADE629C89499&displaylang=en
    Note: I don't know if the Resource Kit will install on Vista or Windows Server 2008, I had the Resource Kit installed on a Windows 2003 box and just copied SelfSSL.exe.
  2. Look up the site ID of the web site you want to enable for SSL by selecting the "Sites" node in the tree in IIS7 Manager.
  3. Run SelfSSL /N:CN=<your web site address (no http://)> /V:<how many days the certificate should be valid> /S:<site ID from above> [/P:<port, if not 443>]
  4. Test your site.

Note2: It is possible that you will need to install the IIS6 compatibilty components for IIS7 in order for this to work - I don't know. You install them from the Add/Remove Windows Components dialog, or the Web Server Role configuation in Windows Server 2008.

Does anyone else know of an easier way to do this? I searched a bit without finding anything. What about adding an option to choose the CN in the "Create Certificate wizard", IIS7 team?

IIS | Microsoft | Windows Servers
posted on Wednesday, January 16, 2008 11:14:01 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [2]
Related posts:
New SQL Server Logo
My 64-bit Experience
Internship at Microsoft Part 1 - Applying
Visual Studio 2008 for Database Professionals and SQL Server 2008 CPT5
Vista SP1 RC and Windows Server 2008 RC1
Gadget Competition 2007 - Package Tracking
Friday, March 07, 2008 9:38:24 PM (W. Europe Standard Time, UTC+01:00)
Unfortunately, you are right, Hans. You can not specify the CN when you are using the “Create Self-signed Certificate” option in IIS7 Manager. SelfSSL.exe which is part of the IIS6 resource kit works and you can specify a lot of options (including the CN) when you generate the certificate. You have to install the “IIS 6 Management Compatibility Role Services” in order to be able to use SelfSSL.exe.
Here is a Screencast which demonstrates:
- The installation of IIS7
- Creating Self-signed certificate with IIS7 Manager
- Creating a Self-signed certificate with SelfSSL.exe and importing it in the trusted root authorities so you do not get the Certificate warning error.
http://www.netometer.com/video/tutorials/server-2008-self-signed-certtificate/

Best Regards,

Dean
PS: There is a link on that page for SelfSSL.exe, in case you don not want to install the whole IIS6 resource kit and you need just the selfssl tool.
Dean | answerAT NOSPAMnetometer dot net
Tuesday, March 11, 2008 8:15:11 PM (W. Europe Standard Time, UTC+01:00)
I've just been researching this myself... the following is shamelessly stolen from elsewhere (and not tested by myself):

"SelfSSL is nice unless you plan to use it with multiple sites, in which case there is a bug that will break SSL on any existing site when you add it to a second site. The bug has been fixed but SelfSSL could not be updated. Instead the fix was included in SSLDiag"

http://blogs.msdn.com/david.wang/archive/2005/04/20/SelfSSL-Bug-with-websites.aspx

Opto
Name
E-mail
Home page

Comment (HTML not allowed)  

Enter the code shown (prevents robots):
Live Comment Preview

Page rendered at Wednesday, January 07, 2009 1:54:09 AM (W. Europe Standard Time, UTC+01:00)

Hans Olav Norheim is a Microsoft Student Partner, certified database and application developer, studying databases at the Norwegian University of Science and Technology in Trondheim, Norway. Hans Olav is especially passionate about Microsoft SQL Server and has interned on the SQL Server development team in Microsoft's HQ in Redmond two summers.
When not in front of his computer, Hans Olav can be seen up in the sky flying a glider, climbing a rock, in a boat or out with friends.