tags:

views:

5944

answers:

2
+6  Q: 

Using makecert for Development SSL

Here's my situation:

I'm trying to create a SSL certificate that will be installed on all developer's machine's, along with two internal servers (everything is non-production).

What do I need to do to create a certificate that can be installed in all of these places?

Right now I've got something along these lines, using the makecert application in Microsoft Visual Studio 8\SDK\v2.0\Bin:

makecert -r -pe -n "CN=MySite.com Dev" -b 01/01/2000 -e 01/01/2033 -eku 1.3.6.1.5.5.7.3.1 -ss Root -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 mycert.cer

However, I'm not sure as to how to place this .cer file on the other computers, and when I install it on my local machine IIS, everytime I visit a page via https:, I get the security prompt (even after I've installed the certificate). Has anyone done this before?

+18  A: 

Here are my scripts for doing this:

Create Certificate Authority

Create a self-signed certificate (-r), with an exportable private key (-pe), using SHA1 (-r), for signing (-sky signature). The private key is written to a file (-sv).

makecert -r -pe -n "CN=My Root Authority" -ss CA -sr CurrentUser
    -a sha1 -sky signature -cy authority -sv CA.pvk CA.cer

Create Server Certificate

Create a server certificate, with an exportable private key (-pe), using SHA1 (-a) for key exchange (-sky exchange). It can be used as an SSL server certificate (-eku 1.3.6.1.5.5.7.3.1). The issuing certificate is in a file (-ic), as is the key (-iv). Use a particular crypto provider (-sp, -sy).

makecert -pe -n "CN=fqdn.of.server" -a sha1 -sky exchange
    -eku 1.3.6.1.5.5.7.3.1 -ic CA.cer -iv CA.pvk
    -sp "Microsoft RSA SChannel Cryptographic Provider"
    -sy 12 -sv server.pvk server.cer
pvk2pfx -pvk server.pvk -spc server.cer -pfx server.pfx

You then use the .PFX file in your server app (or install it in IIS). Note that, by default, pvk2pfx doesn't apply a password to the output PFX file. You need to use the -po switch for that.

To make all of your client machines trust it, install CA.cer in their certificate stores (in the Trusted Root Authorities store). If you're on a domain, you can use Windows Group Policy to do this globally. If not, you can use the certmgr.msc MMC snapin, or the certutil command-line utility.

To programmatically install the certificate in IIS 6.0, look at this Microsoft KB article. For IIS 7.0, I don't know.

Roger Lipscombe  2009-01-30 18:58:48
Here's where I'm stuck: How do you install the .PFX file in IIS?
John  2009-01-30 19:22:30
I should qualify that: I can get it to work if I go into the certificate snap-in and import it to the personal folder... but is there a way to do that without going through that process? when I just double click on it and try that, it doesn't actually put the certificate in the folder
John  2009-01-30 19:25:56
I got tired of writing out the command syntax and wrote a wrapper to simplify the effort. Have a glace here: http://www.dscoduc.com/post/2008/12/19/Certificate-Generation-Made-Easy.aspx
Dscoduc  2009-02-06 22:43:11
I'm following these steps and am able to create the pfx file however when I try to import the pfx file into IIS7 it says "The specified network password is not correct." Do you know how I can get it to import? Thanks
Tigran  2009-09-18 00:14:57
Followup I just didn't enter anything for password and it imported it.
Tigran  2009-09-18 00:55:57
@dscoduc nice tool, for Win7 it needs masty's argument (-cy authority)
Chris S  2010-10-13 11:09:46
**For IIS7** this as easy as going to the IIS MMC -> server certificates -> right click -> create self signed certificate. Then add it to your site bindings.
Chris S  2010-10-13 11:20:59
+3  A: 

You should add -cy authority to the switches when creating the cert authority, otherwise some cert stores won't see it as a proper CA.

masty  2010-03-24 20:49:49

related questions

IE6 security login (debugging via VirtualPC)
Asp.net Reinstalling a DLL into the GAC
Failed to load resources from resource file.
What does an IISReset do?
How do I secure a folder used to let users upload files?
VBScript/IIS - How do I automatically set ASP.NET version for a particular website
IIS 6/COM+ hangs
Web server farms with IIS ? Basic Infos
.NET 3.5 Service Pack 1 causes 404 pages on ASP.NET Web App
What Url rewriter do you use for ASP.Net?
Publishing to IIS - Best Practices
ASP.NET Proxy Application
PHP on IIS
How do I stop IIS7 dropping my cookies?
HTTPS in IIS 5.1
Best tool for performance testing ASP.NET
Alternative Hostname for an IIS web site for internal access only
SQL Server 2008 FileStream on a Web Server
Solutions for working with multiple branches in ASP.Net
Dual vs. Quadcore on a Webserver
PHP Error - Uploading a file
Visual Studio 2008 debugger already attached work-around
Linux shell equivalent on IIS
Bandwith throttling in IIS 6 by IP Address
Checklist for IIS 6/ASP.NET Windows Authentication?