Generating self-signed certificates to enable SSL (https) on IIS 5.1 (Windows XP Professional)

In a previous post, I was trying to create an X.509 certificate for use in a brokered security model. The information in that post works up to the point you actually want to use the certificate to enable SSL for IIS on your local sandbox. For some reason (and if anyone knows, please post a comment because I’d love to know), the certificate doesn’t work. There’s just something about how it was generated that makes it not allow you to use SSL on your machine. Today I was able to successfully generate a self-signed certificate to get SSL working in my own sandbox (Windows XP). Here’s how:
 
Step 1: Generate the PFX (You will be prompted for the private key password)
a) Download the Internet Information Service (IIS) 6.0 Resource Kit Tools (I know it’s only IIS 5.1 on Windows XP Pro. Bear with me)
b) Run SelfCert (a tool in the resource kit) to install the certificate:
 
        selfssl.exe /N:CN=MyCompany /V:365
 
c) Manually export the certificate:
     i)    Open the Certificates MMC Plug-in for the Computer Account
     ii)   Navigate to the Personal > Certificates folder.
     iii)  Right click on the certificate and select All Tasks > Export
     iv)  Click Next, select "Yes, export the private key", click Next, check the "Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above)" and "Delete the private key if the export is successful" checkboxes, click Next, enter your private key password, click Next, enter the file name you want to export the certificate as (it will append .pfx to the end), click Next, click Finish.
 
d) Clean up the changes made to IIS by SelfCert:
     i)    Open the IIS MMC Plug-in
     ii)   Right-click on Default Web Site and select Properties
     iii)  Select the Directory Security Tab and click the Service Certificate button
     iv)  Click Next on the first form of the IIS Certificate Wizard
     v)   Select Remove the current certificate
     vi)  Click Next through the remaining forms of the IIS Certificate Wizard
 
Now you can delete the certificate (to test the import performed in the more automated step 2) by right-clicking it and selecting Delete from within the Certificates MMC Plug-in.
 
Step 2: Import the certificate and set access permission to the ASPNET user account (Now that you have generated the certificate [pfx] you can do the following on any other machine you want to set the sandbox up on)
 
a) certutil -p password -importPFX MyCompany.pfx
b) Add the Certificate to the IIS Server
     i)    Open the IIS MMC Plug-in
     ii)   Right-click on Default Web Site and select Properties
     iii)  Select the Directory Security Tab and click the Service Certificate button
     iv)  Click Next on the first form of the IIS Certificate Wizard
     v)   Select Assign an existing certificate
     vi)  Click Next, select the certificate you installed in step 2a
     vii) Click Next through the remaining forms of the IIS Certificate Wizard
c) Enable SSL on the site you are sandboxing
     i)    Right-click on the Virtual Directory you are trying to access via Https and select Properties
     ii)   On the Directory Security tab, click Edit and check the Require secure channel (SSL) checkbox
     iii) Click OK
 
You can now navigate to your site via https://localhost/MyVirtualDirectory/default.htm
 
Internet Explorer may bark at you saying that the certificate for the site is not trusted (no kidding.. I created it manually) but you can ignore that warning and continue to see what you are expecting to see.
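
The exported file can be checked before the import in step 2a. This added example (not from the original post) loads the PFX and reports whether it carries a private key, whether it is inside its validity window (step 1b requested 365 days with /V:365), and whether an Enhanced Key Usage extension, if present, permits Server Authentication. Test-SandboxPfx is a hypothetical function name, and the script assumes PowerShell 2.0 or later with the .NET Framework; MyCompany.pfx is the file name from step 2a.

```powershell
# Added example, not from the original post. Test-SandboxPfx is a hypothetical name.
function Test-SandboxPfx {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password
    )
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # OID for the Server Authentication usage
    $ekuOid     = '2.5.29.37'           # OID of the Enhanced Key Usage extension

    # .NET needs an absolute path; PowerShell's location is not the process directory.
    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $file, $Password

    # No EKU extension means the certificate is not restricted to particular usages.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuOid }
    if ($eku) {
        $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        $serverAuthOk = $usages -contains $serverAuth
    } else {
        $serverAuthOk = $true
    }

    $now = Get-Date
    New-Object PSObject -Property @{
        Subject        = $cert.Subject
        SelfSigned     = ($cert.Subject -eq $cert.Issuer)   # heuristic: subject equals issuer
        HasPrivateKey  = $cert.HasPrivateKey                # must be True for an SSL server certificate
        NotBefore      = $cert.NotBefore
        NotAfter       = $cert.NotAfter
        CurrentlyValid = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        DaysLeft       = [math]::Floor(($cert.NotAfter - $now).TotalDays)
        ServerAuthEku  = $serverAuthOk
    }
}

# Prompt for the password so it never appears on a command line or in history.
$pw = Read-Host 'PFX password' -AsSecureString
Test-SandboxPfx -Path .\MyCompany.pfx -Password $pw | Format-List
```

A result with HasPrivateKey or ServerAuthEku set to False, or CurrentlyValid set to False, points to a problem in the file itself rather than in the IIS configuration.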

6 thoughts on “Generating self-signed certificates to enable SSL (https) on IIS 5.1 (Windows XP Professional)”

  1. Hi,
     
    Great article! But I have a problem, I can’t find certutil anywhere!
     
    I’m running XP2 SP2… any ideas?
     
    Owen

  2. CertUtil is part of the Windows Server 2003 Administration Pack

  3. Thanks Jason. I found that link in the previous post eventually. I have another problem though. I got it working but when I went back to my secure pages 5 days later, I couldn’t connect to them, from anywhere! I’m trying to access my company’s server remotely by its IP address… but even on the server itself it can’t access a page using https. Any ideas? Thanks, Owen

  4. Maybe an expired certificate?

  5. Thanks, the steps you have included worked for me. As I was browsing through all the websites I found this and implemented it, and it worked. Hurrah!!!! Will be waiting for more information.

  6. install whatsapp on windows

    Remarkable issues here. I’m very glad to peer your post. Thank you a lot and I am having a look forward to touch you. Will you kindly drop me a e-mail?
