Creating Self Signed SSL Certificates for IIS7

In many cases, it is not cost-effective to get CA-signed certificates from commercial providers such as GoDaddy or VeriSign for test or staging servers. In this blog post I will show you how to generate self-signed SSL certificates using IIS Manager and an additional third-party tool called SelfSSL7.

Generating a self-signed SSL certificate using IIS Manager (for IIS 7 and IIS 7.5) is trivially easy. Open IIS Manager on your server and click on your site. Click on Server Certificates.

Inside the Server Certificates section, in the Actions pane on the right, click on Create Self Signed Certificate. Enter your details and you are done. The new cert will now show up in your list of server certificates, and you can bind it to a site.

Problems with this Approach

This process gives you minimal control over your certificate. You cannot alter the expiration dates, choose alternate common names, or control the certificate key length. We faced this issue when we were doing an install on a staging server and needed to create a self-signed cert with a different common name.

Enter SelfSSL7

SelfSSL7 is an invaluable tool that gives you complete control over self-signed certificate generation. It was part of the IIS toolkit for IIS6 and was updated for IIS7. SelfSSL is a command-line tool and is available here.

SelfSSL allows you to:

  1. Create certificates for a custom common name or for multiple common names. This is the closest you can get to mirroring UCC SAN certificates for testing.
  2. Configure the expiration date.
  3. Configure the certificate key size.
  4. Directly add in bindings to IIS using Site Name, IP address and Port.
  5. Directly add the new cert to the Windows Certificate Store (this prevents browsers from displaying the untrusted certificate warning).
  6. Export the certificate to a file so that you can deploy it to other test users.

Example configuration code:

SelfSSL7.exe /Q /T /I "Default Web Site" /n /K 2048 /V 365

Explanation of Code

/Q – overwrite existing IIS SSL site bindings.
/T – add the cert to the Windows cert store.
/I – create an IIS site binding.
/n – Cn = common name(s). You can have multiple names here.
/K – key length.
/V – expiration time.
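
To confirm what a generated certificate actually contains (names, key size, expiry) and whether a copy sits in the machine's Trusted Root store, which is what suppresses the browser warning, the following PowerShell check can be run on the server. It is an added example, not part of the original post or of SelfSSL7; it assumes PowerShell 3.0 or later, treats Subject equal to Issuer as the self-signed test, and the function name and thresholds are illustrative.

```powershell
# Added example (not from the original post): report on self-signed
# certificates in the local machine store. Assumes PowerShell 3.0 or later.
$MinKeyBits = 2048    # assumption: same size as /K 2048 in the post's command
$WarnDays   = 30      # assumption: arbitrary renewal warning window

function Get-SelfSignedCertReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    # Thumbprints of everything the machine trusts as a root CA.
    $rootThumbprints = @(Get-ChildItem 'Cert:\LocalMachine\Root' |
        Select-Object -ExpandProperty Thumbprint)

    Get-ChildItem $StorePath |
        Where-Object { $_.Subject -eq $_.Issuer } |   # heuristic for self-signed
        ForEach-Object {
            $cert = $_
            # Subject Alternative Name extension (OID 2.5.29.17), if present.
            $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            # KeySize is not available for every key type; report $null then.
            $keyBits  = try { $cert.PublicKey.Key.KeySize } catch { $null }
            $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

            [pscustomobject]@{
                Subject       = $cert.Subject
                AltNames      = if ($san) { $san.Format($false) } else { '' }
                KeyBits       = $keyBits
                NotAfter      = $cert.NotAfter
                DaysLeft      = $daysLeft
                WeakKey       = ($null -ne $keyBits) -and ($keyBits -lt $MinKeyBits)
                ExpiringSoon  = $daysLeft -lt $WarnDays
                TrustedAsRoot = $rootThumbprints -contains $cert.Thumbprint
                Thumbprint    = $cert.Thumbprint
            }
        }
}

# Run from an elevated prompt on the server that holds the certificate.
Get-SelfSignedCertReport | Format-List
```

A row with TrustedAsRoot set to True marks a self-signed certificate that this machine accepts without warning, so it is worth confirming that each such entry belongs to a test or staging host you expect.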