Need to create an internal certificate for SSL

Posted on 2008-11-12
Last Modified: 2012-08-14
We are looking to create our own certificates that we can use for TEST servers in house.  Our application is accessed via web browser and we need to run QA through the application testing in HTTPS as well as HTTP.  We want to generate certificates internally so they do not expire.  We do not want to purchase certificates because these servers are not exposed to the internet and will never be, so we need to have a method of creating the certificate and then registering the CA on each workstation.  I think we can use OpenSSL to do the generation, but how do I ensure that the clients will see the certificate properly, and how would I register the CA on each station?  We will have mostly IIS and some Apache on Solaris and Linux.

Question by:mcioffi209
    LVL 5

    Accepted Solution


    Use the utility "selfssl"; this is in the "IIS 6.0 Resource Kit Tools". You can create your certificate on your IIS server.

    The concrete steps are:

    1. Run "Metabase Explorer\MBExplorer.exe" to get your application ID (IIS application); you must search the ID list and find your domain name inside.

    2. Run "SelfSSL\selfssl.exe" like:

    selfssl /T /N:CN=YOUR_DOMAIN /V:365 /S:YOUR_ID_APP

    365 is the number of days the certificate is valid for.

    and... that's all.

    On the client it is easier.

    Open IE and go to your application URL "https://www...."; IE then shows you an alert, but you can view the certificate and then click on "Install Certificate".

    and.. that's all.

    Good luck!

    LVL 5

    Assisted Solution

    I'm pretty much all MS so I'd generate the certificates using Windows Certificate Services, I found this website has a pretty easy explanation of how to generate test certificates using the IIS resource kit -

    On Windows clients you have to manually add your certificate to the "Trusted Root Certificate Providers" in IE, then it will happily accept it. In IE it's via the "Tools" menu - "Internet Options" - "Content" tab - "Certificates" button. You can then import your certificate file into the relevant store. In IE6 you used to be able to just browse to the site and select "more information" when presented with the certificate warning, then import it from there, but IE7 is a bit more picky - I seem to remember it only lets you do it if the site is in the Trusted zone.
    LVL 31

    Assisted Solution

    Depends on what your test environment looks like.  If you will be wanting to test SSL over time with a number of servers, e.g. web servers, Exchange, etc., as well as user certs such as smartcard logon, digital signing, encryption, etc., then you might want to set up an actual CA - a VM environment is fine for this.  To get in the habit of best practices, I would suggest a two-tier CA - don't join the root CA to a domain, and only issue from the 2nd-tier subordinate CA, which may be joined to the test domain if desired (probably want to).  This way you could import the root cert into your base images into the trusted root store and be done with it.  The problem with self-signed certs is you need to import them into everything every time you want to make a new server or renew the cert.  With the root CA, you just need to do it once and you're done, and it mimics what should be in production much better.

    If you really wanted to, you could even use the same root CA for production and test, with the sub CA being unique to each environment (one of the many benefits of not joining the root to a domain...).

    Using this method, you would create a normal CSR (as you would in production...) and submit it to your CA, issue the cert, then install it.  Here are some good links for creating CSRs and installing certs in pretty much any environment; just substitute the stuff that is specific to them with your own CA info.
    LVL 31

    Expert Comment

    For updating your clients - MS is easiest through GPO, or just double-click and run the wizard (vista/2008 click box to 'show physical stores') and put into the trusted root store.  For your other environments, refer here, again substituting for your CA:
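    The two-tier layout described in the previous answer (offline root, issuing sub CA, server cert obtained through a CSR) and the "import the root once" point made just above can be exercised end to end with nothing but the Go standard library. The program below is an added example written for this page; it is not the thread's own tooling (SelfSSL, Windows Certificate Services) and not the linked guides. All names (the two CA names and the host qa-web01.corp.example) are constructed, the validity periods (10 years root, 5 years sub, 365 days server, matching the /V:365 above) are assumptions, and it needs Go 1.18 or newer. VerifyAsClient stands in for a workstation: only what is passed as trusted is in the root store, and the server presents its own cert plus the sub CA, exactly as a correctly configured IIS or Apache host would.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed names for this example; substitute your own in-house names.
const (
	rootName   = "Example Test Root CA"
	subName    = "Example Test Issuing CA"
	serverHost = "qa-web01.corp.example"
)

// PKI holds the two-tier chain from the thread plus one server certificate.
type PKI struct{ Root, Sub, Server *x509.Certificate }

// check panics on err to keep the example short; real CA tooling would report it.
func check[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return check(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func serial() *big.Int          { return check(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))) }

// caTemplate describes a CA certificate valid for the given number of years.
func caTemplate(cn string, years int) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          serial(),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issue signs tmpl with the parent CA's key; parent == nil yields a self-signed cert.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	return check(x509.ParseCertificate(check(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// issueFromCSR plays the issuing CA: it validates the server's CSR and signs a
// server certificate for `days` days that carries the requested host name as a SAN.
func issueFromCSR(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey, days int) *x509.Certificate {
	csr := check(x509.ParseCertificateRequest(csrDER))
	csr = check(csr, csr.CheckSignature()) // the requester proved it holds the private key
	now := time.Now()
	return issue(&x509.Certificate{
		SerialNumber:          serial(),
		Subject:               csr.Subject,
		DNSNames:              csr.DNSNames, // browsers match the SAN, not the CN
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(0, 0, days),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, csr.PublicKey, caKey)
}

// BuildPKI creates an offline root, an issuing sub CA limited to end-entity certs,
// and a 365-day server certificate obtained through a CSR.
func BuildPKI() *PKI {
	rootKey := newKey()
	root := issue(caTemplate(rootName, 10), nil, &rootKey.PublicKey, rootKey)

	subTmpl := caTemplate(subName, 5)
	subTmpl.MaxPathLen, subTmpl.MaxPathLenZero = 0, true // no further CAs below it
	subKey := newKey()
	sub := issue(subTmpl, root, &subKey.PublicKey, rootKey)

	serverKey := newKey() // stays on the web server; only the CSR goes to the CA
	csrDER := check(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: serverHost},
		DNSNames: []string{serverHost},
	}, serverKey))
	return &PKI{Root: root, Sub: sub, Server: issueFromCSR(csrDER, sub, subKey, 365)}
}

func list(cs ...*x509.Certificate) []*x509.Certificate { return cs }

// VerifyAsClient does what a browser does: the server presents its own cert plus
// the sub CA (presented); only `trusted`, the workstation's root store, is trusted.
func VerifyAsClient(server *x509.Certificate, presented, trusted []*x509.Certificate, host string) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inter.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err
}
```

    With only the root in the trusted set, VerifyAsClient(p.Server, list(p.Sub), list(p.Root), serverHost) returns nil, which is the "import the root cert once and be done with it" property the answer describes; the same call with an empty trusted set fails with an unknown-authority error, which is the browser warning the question is trying to avoid. Leaving the sub CA out of presented also fails, so the server must be configured to send the intermediate, and a host name that is not in the SAN fails regardless of trust. The root and sub private keys would be exported and stored offline or on the CA host, and only the root certificate is what gets pushed to workstations by GPO or copied into the Linux and Solaris trust stores.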
    LVL 10

    Expert Comment

    As said above, using SelfSSL would be the best option. Check out this detailed tutorial with screenshots:

    Setting up SSL with a SelfSSL certificate on Windows Server 2003
