Self-Signed IIS SSL Certificates using OpenSSL
April 16th, 2008
This tutorial assumes that you have a Linux box with OpenSSL installed, and that you want to create a self-signed certificate for IIS 5.0.
- Set up your CA (you only have to do this once)
ON THE LINUX BOX…
- Create a private key
openssl genrsa -des3 -out CA.key 1024
(You’ll need to supply a passphrase. DON’T FORGET THIS!!)
- Set this to read-only for root access only
chmod 400 CA.key
- Create the CA certificate
openssl req -new -key CA.key -x509 -days 1095 -out CA.crt
(Provide appropriate responses to the prompts…for Common Name, you might want to use something like “OurCompany CA”)
- Country Name: GB
- State or Province Name: Newcastle
- Locality Name: Gateshead
- Organization Name: Your company name
- Organizational Unit Name: OI
- Common Name: www.yourwebsite-address.com
- Email Address: your-admin-email@address.com
- Set the certificate to read-only for root access only
chmod 400 CA.crt
- Obtain a CSR
ON THE IIS BOX…
- Open the Internet Manager
- Select the site for which you want to create a key
- Right-click and choose Properties
- Select the “Directory Security” tab
- Click the “Server Certificate” button
- Follow the prompts to create a CSR
- Save your CSR, then transfer it to the Linux box for further processing. (For the following steps, we’ll refer to your CSR as “new.csr”)
- Sign the CSR
ON THE LINUX BOX…
- Sign the CSR (all of this on one line)
openssl x509 -req -days 365 -in new.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out new.crt
- Transfer the new.crt file back to the IIS box
- Install self-signed certificate
ON THE IIS BOX…
- Open the Internet Manager
- Select the site to install the key
- Right-click and choose Properties
- Select the “Directory Security” tab
- Click the “Server Certificate” button
- Specify that you want to complete the pending request
- Select the .crt file that you just transferred
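The Linux-side steps above (CA key, CA certificate, signing the CSR) as one runnable script. This is an added example, not the original post's commands: it uses a 2048-bit key and AES encryption instead of 1024-bit/DES3, takes the CA passphrase from an environment variable so it can run unattended, and, because the IIS wizard is a GUI step, stands in for the IIS-generated CSR with one produced by OpenSSL (an assumption; the signing command only needs the .csr file, wherever it came from). The subject names, hostname www.example.test and the passphrase are constructed placeholders. It also adds a subjectAltName at signing time, since current browsers ignore the Common Name when matching the hostname, and finishes with two checks a practitioner wants before installing the certificate: that new.crt chains to CA.crt, and that its public key is the one from the CSR.

```shell
#!/bin/sh
# Added example (not from the original post): the tutorial's OpenSSL steps
# end to end, in a scratch directory. The IIS-side CSR is stood in for by an
# OpenSSL-generated CSR (assumption), since signing only needs the .csr file.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-example-ca-passphrase}"   # constructed placeholder; use a real passphrase
HOST="www.example.test"                       # constructed placeholder hostname

# Step 1: passphrase-protected CA key and self-signed CA certificate (3 years).
make_ca() {
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/CA.key" 2048 2>/dev/null
  chmod 400 "$WORK/CA.key"
  openssl req -new -x509 -days 1095 -key "$WORK/CA.key" -passin "pass:$CA_PASS" \
    -subj "/C=GB/ST=Newcastle/L=Gateshead/O=Example Ltd/OU=OI/CN=OurCompany CA" \
    -out "$WORK/CA.crt"
  chmod 400 "$WORK/CA.crt"
}

# Step 2: stand-in for the CSR that the IIS "Server Certificate" wizard produces.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/new.key" \
    -subj "/C=GB/ST=Newcastle/L=Gateshead/O=Example Ltd/OU=OI/CN=$HOST" \
    -out "$WORK/new.csr" 2>/dev/null
}

# Step 3: the tutorial's one-line signing command, plus a subjectAltName
# extension so hostname matching works in current browsers.
sign_csr() {
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
  openssl x509 -req -days 365 -in "$WORK/new.csr" -CA "$WORK/CA.crt" \
    -CAkey "$WORK/CA.key" -passin "pass:$CA_PASS" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/new.crt" 2>/dev/null
}

# Check 1: the issued certificate validates against our CA.
verify_chain() {
  openssl verify -CAfile "$WORK/CA.crt" "$WORK/new.crt" >/dev/null 2>&1
}

# Check 2: the certificate carries the CSR's public key (we signed the right request).
verify_key_match() {
  csr_pub=$(openssl req -in "$WORK/new.csr" -noout -pubkey)
  crt_pub=$(openssl x509 -in "$WORK/new.crt" -noout -pubkey)
  [ "$csr_pub" = "$crt_pub" ]
}

# Helper: print the issuer line, useful when confirming which CA signed a cert.
cert_issuer() {
  openssl x509 -in "$WORK/new.crt" -noout -issuer
}

make_ca && make_csr && sign_csr && verify_chain && verify_key_match \
  && echo "ok: $WORK/new.crt chains to $WORK/CA.crt"
```

Run it once to create the CA; on later runs against the same CA, replace `-CAcreateserial` with `-CAserial CA.srl` so the serial file created the first time is reused rather than reset, because two certificates from one CA must never share a serial number.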