Creating self-signed certificates on IIS7 and earlier and assigning them to a site using SelfSSL
Creating self-signed SSL certificates can be quite a pain when developing locally with IIS. I ended up collating a series of instructions for the process, and I thought I’d share in case someone finds it useful.
It’s important to note that when creating self-signed certificates on a local development machine running Windows (for example Windows 7), you can only have ONE site with the HTTPS binding.
So these instructions apply both when you want to swap which site holds the HTTPS binding and when you set up a self-signed SSL cert for the first time.
The simplest, most reliable way I’ve found to do it is as follows:
- Stop IIS (if you don’t do this and you are recreating certificates, you’ll probably see an ‘aborted’ message next time you try to load the page)
- Remove any existing HTTPS bindings from the relevant site in IIS (IMPORTANT)
- If it already exists, ‘Delete’ the certificate you want to *start* using in ‘IIS Manager’ > ‘Server Certificates’ (IIS will get very confused if you don’t).
- (Re)Generate the certificate you want to start using with the SelfSSL.exe tool (available standalone or as part of the IIS Resources Toolkit), as follows:
- Run the Command Prompt as an Administrator
- Change the Command Prompt directory to the directory containing SelfSSL (eg. C:\Program Files\IIS Resources\SelfSSL)
- Type the relevant SelfSSL command at the command prompt, specifying the site *ID* for the site you want to bind the certificate to (as listed in IIS Manager) for the /S switch, and a value in place of ‘10000’ for the number of days the certificate is valid, as follows:
SelfSSL /N:CN=www.mysite.dev /V:10000 /S:2
- If this succeeded, you will see the message “The self signed certificate was successfully assigned to site #.”
- Restart IIS
- Load your development site that you assigned the SSL certificate to using HTTPS
- Depending on which browser you use for development, you will have to re-accept the SSL cert exception again (given that it was regenerated). Eg. for Firefox, you will see the message ‘This Connection is Untrusted’ (to which you need to click ‘I understand the risks’, then ‘Add Exception’, then ‘Confirm Security Exception’).
- Also note that when using Firefox, you need to first browse to the relevant site’s HTTPS URL directly in the address bar to be prompted to re-accept the certificate (eg. if the HTTPS site is loaded in an iframe of another site, as with Facebook Apps, you won’t see the prompt).
Update (November 2012)
I’ve just recently found on my new machine (also Windows 7 Home, IIS7.5), that I can manage the certificates totally within IIS (ie. without using SelfSSL). Some of the same steps seem to apply, but I’m not sure why I can now do it totally within IIS when I couldn’t on my old machine (maybe it’s because of now creating the cert from within IIS instead of using SelfSSL).
- Stop IIS
- In IIS Manager, go to ‘Server Certificates’ and click the option ‘Create Self-Signed Certificate…’. Create a certificate for each site you need an SSL cert for. I suggest you name the certificate exactly the same as the dev URL for your site, eg. www.mysite.dev.
- Now go to the ‘Sites’ tree menu, and unbind ‘https’ from any sites currently using it.
- Select the site you want to access via HTTPS, click ‘Bindings’, ‘Add…’, select Type ‘https’, and select the certificate you created for that site.
- Restart IIS
- Browse to your site with HTTPS
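The same sequence of steps (stop IIS, strip the existing HTTPS binding, delete the stale certificate, create a fresh one, bind it to the chosen site, restart IIS) can be scripted so that swapping the HTTPS binding between dev sites is one command rather than a trip through IIS Manager or SelfSSL. The script below is an added example and is not part of the original post; it assumes a newer Windows than the Windows 7 machines described above (Windows 10 or Server 2016 or later, for New-SelfSignedCertificate with -NotAfter) plus the WebAdministration module that ships with IIS, and it is run from an elevated PowerShell prompt. The site name "MySite" and host name "www.mysite.dev" are assumptions you replace with your own.

```powershell
# Added example, not code from the original post. Assumes Windows 10 / Server 2016 or
# later (New-SelfSignedCertificate -NotAfter) and the IIS WebAdministration module.
# Run from an elevated PowerShell prompt. Site and host names below are assumptions.
$SiteName = "MySite"            # assumed IIS site name (as shown in IIS Manager)
$HostName = "www.mysite.dev"    # assumed dev URL; the certificate's CN matches it
$Days     = 10000               # validity in days, mirroring the post's /V:10000

Import-Module WebAdministration

# 1. Stop IIS so no binding or certificate is in use while they are swapped
#    (skipping this is what produces the 'aborted' page the post mentions).
iisreset /stop | Out-Null

# 2. Remove the https binding from every site. Pre-SNI IIS (7/7.5) allows one
#    certificate per IP:port, which is why only one site can hold the binding.
foreach ($site in Get-Website) {
    Get-WebBinding -Name $site.Name -Protocol https | Remove-WebBinding
}
# Also drop the existing certificate-to-port mapping on 0.0.0.0:443 if present.
if (Test-Path "IIS:\SslBindings\0.0.0.0!443") {
    Remove-Item "IIS:\SslBindings\0.0.0.0!443"
}

# 3. Delete any older certificate with the same CN from the machine store so IIS
#    cannot pick up a stale one (the post's "IIS will get very confused" step).
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$HostName" } |
    Remove-Item

# 4. Create the new self-signed certificate directly in the machine store.
$cert = New-SelfSignedCertificate -DnsName $HostName `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -NotAfter (Get-Date).AddDays($Days)

# 5. Add the https binding to the target site and map the certificate to port 443.
New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress "*"
New-Item "IIS:\SslBindings\0.0.0.0!443" -Value $cert | Out-Null

# 6. Start IIS again and print the binding and mapping so the assignment can be
#    checked: the thumbprint listed for 0.0.0.0:443 should equal $cert.Thumbprint.
iisreset /start | Out-Null
Get-WebBinding -Name $SiteName -Protocol https
Get-ChildItem IIS:\SslBindings
"New certificate thumbprint: $($cert.Thumbprint)"
```

After it runs, the browser still has to be told about the new certificate exactly as described above (the old exception was for the certificate that was just deleted), so browse to https://www.mysite.dev directly in the address bar and accept it again.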
Hope you find this useful!