Skip to main content

Self-Signed IIS SSL Certificates using OpenSSL

Self-Signed IIS SSL Certificates using OpenSSL

This tutorial assumes that you have a Linux box with OpenSSL installed,and that you want to create a self-signed certificate for IIS5.0 / 6.0

Set up your CA (you only have to do this once)
ON THE LINUX BOX…

Create a private key

openssl genrsa -des3 -out CA.key 1024

(You’ll need to supply a passphrase. DON’T FORGET THIS!!)

Set this to read-only for root for security

chmod 400 CA.key

Create the CA certificate

openssl req -new -key CA.key -x509 -days 1095 -out CA.crt

(Provide appropriate responses to the prompts…for Common Name, you might want to use something like “OurCompany CA”)

Set the certificate to read-only for root for security

chmod 400 CA.crt

Obtain a CSR
ON THE IIS BOX…

Open the Internet Manager
Select the site for which you want to create a key
Right-click and choose Properties
Select the “Directory Security” tab
Click the “Server Certificate” button
Follow the prompts to create a CSR
Save
your CSR, then transfer it to the Linux box for further processing.
(For the following steps, we’ll refer to your CSR as “new.csr”)
Sign the CSR
ON THE LINUX BOX…

Sign the CSR (all of this on one line)

openssl x509 -req -days 365 -in new.csr -CA CA.crt
-CAkey CA.key -CAcreateserial -out new.crt

Transfer the new.crt file back to the IIS box
Install self-signed certificate
ON THE IIS BOX…

Open the Internet Manager
Select the site to install the key
Right-click and choose properties
Select the “Directory Security” tab
Click the “Server Certificate” button
Specify that you want to complete the pending request
Select the .crt file that you just transferred
That’s it!



PS: If you have problems with the certification path (”does not chain up to a
trusted root certificate” in System Log), the following seems to fix it:

1. Internet Information Services -> select the site -> right click -> Properties
2. Directory Security -tab -> Secure communications -frame -> Edit…
3. Select “Enable certificate trust list”, click New… -> Next
4. Add from file -> use CA.crt -> Next
5. Write something to the Name and Description, if you like. -> Next -> Finish

Popular posts from this blog

HOW TO EDIT THE BCD REGISTRY FILE

The BCD registry file controls which operating system installation starts and how long the boot manager waits before starting Windows. Basically, it’s like the Boot.ini file in earlier versions of Windows. If you need to edit it, the easiest way is to use the Startup And Recovery tool from within Vista. Just follow these steps: 1. Click Start. Right-click Computer, and then click Properties. 2. Click Advanced System Settings. 3. On the Advanced tab, under Startup and Recovery, click Settings. 4. Click the Default Operating System list, and edit other startup settings. Then, click OK. Same as Windows XP, right? But you’re probably not here because you couldn’t find that dialog box. You’re probably here because Windows Vista won’t start. In that case, you shouldn’t even worry about editing the BCD. Just run Startup Repair, and let the tool do what it’s supposed to. If you’re an advanced user, like an IT guy, you might want to edit the BCD file yourself. You can do this

DNS Scavenging.

                        DNS Scavenging is a great answer to a problem that has been nagging everyone since RFC 2136 came out way back in 1997.  Despite many clever methods of ensuring that clients and DHCP servers that perform dynamic updates clean up after themselves sometimes DNS can get messy.  Remember that old test server that you built two years ago that caught fire before it could be used?  Probably not.  DNS still remembers it though.  There are two big issues with DNS scavenging that seem to come up a lot: "I'm hitting this 'scavenge now' button like a snare drum and nothing is happening.  Why?" or "I woke up this morning, my DNS zones are nearly empty and Active Directory is sitting in a corner rocking back and forth crying.  What happened?" This post should help us figure out when the first issue will happen and completely avoid the second.  We'll go through how scavenging is setup then I'll give you my best practices.  Scavenging s

AD LDS – Syncronizing AD LDS with Active Directory

First, we will install the AD LDS Instance: 1. Create and AD LDS instance by clicking Start -> Administrative Tools -> Active Directory Lightweight Directory Services Setup Wizard. The Setup Wizard appears. 2. Click Next . The Setup Options dialog box appears. For the sake of this guide, a unique instance will be the primary focus. I will have a separate post regarding AD LDS replication at some point in the near future. 3. Select A unique instance . 4. Click Next and the Instance Name dialog box appears. The instance name will help you identify and differentiate it from other instances that you may have installed on the same end point. The instance name will be listed in the data directory for the instance as well as in the Add or Remove Programs snap-in. 5. Enter a unique instance name, for example IDG. 6. Click Next to display the Ports configuration dialog box. 7. Leave ports at their default values unless you have conflicts with the default values. 8. Click N