Need to create an internal certificate for SSL

Posted on 2008-11-12
Medium Priority
Last Modified: 2012-08-14
We are looking to create our own certificates that we can use for TEST servers in house.  Our application is accessed via web browser and we need to run QA through the application testing in HTTPS as well as HTTP.  We want to generate certificates internally so they do not expire.  We do not want to purchase certificates because these servers are not exposed to the internet and will never be, so we need to have a method of creating the certificate and then registering the CA on each workstation.  I think  we can use OpenSSL to do the generation, but who do i ensure that the clients will see the certificate properly, how would i register the CA on each station.  We will have mostly IIS and some Apache on Solaris and Linux.

Question by:mcioffi209

Accepted Solution

jose_juan earned 1200 total points
ID: 22940590

use utility "selfssl" this is on "IIS 6.0 Resource Kit Tools", you can create your certificate on your IIS server.

The concrete steps are:

1. exec "Metabase Explorer\MBExplorer.exe" to get your ID application (IIS application), you must search the ID list and find your domain name inside.

2. run "SelfSSL\selfssl.exe" like

selfssl /T /N:CN=YOUR_DOMAIN /V:365 /S:YOUR_ID_APP

365 are the number of days available.

and... that's all.

On client is more easy.

Open IE and go to your url application "https://www...." then IE alert to you but you can read certificate, then click on install certificate.

and.. that's all.

Good luck!


Assisted Solution

Keyguard earned 400 total points
ID: 22940630
I'm pretty much all MS so I'd generate the certificates using Windows Certificate Services, I found this website has a pretty easy explanation of how to generate test certificates using the IIS resource kit - http://www.somacon.com/p42.php

On Windows clients you have to manually add your certificate to the "Trusted Root Certificate Providers" in IE, then it will happily accept it. In IE its via the "tools" menu - "internet options" - "content" tab - certificates button. You can then import your certificate file into the relevant store. In IE6 you used to be able to just browse to the site and select "more information" when presented with the certificate warning, then import it from there but IE7 is a bit more picky - I seem to remember it only lets you do it if the site is in the Trusted zone.
LVL 31

Assisted Solution

Paranormastic earned 400 total points
ID: 22951185
Depends on what your test environment looks like.  If you will be wanting to test SSL over time with a number of servers, e.g. web servers, exchange, etc., as well as user certs such as smartcard logon, digital signing, encryption, etc. then you might want to set up an actual CA - a VM environment is fine for this.  To get in the habit of best practices, I would suggest a two tier CA - don't join the root CA to a domain, and only issue from the 2nd tier subordinate CA which may be joined to the test domain if desired (probably want to).  This way you could import the root cert into your base images into the trusted root store and be done wtih it.  The problem with self-signed certs is you need to import them into everything every time you want to make a new server or renew the cert.  With the root CA, you just need to do it once and you're done, and it mimics what should be in production much better.

If you really wanted to, you could even use the same root CA as production and test, with the sub CA being unique to each enviroment (one of the many benefits of not joining the root to a domian...).

Using this method, you would create a normal CSR (as you would in production...) and submit it to your CA, issue the cert, then install it.  Here are some good links for creating CSR's and installing certs in pretty much any envioronment, just substitute the stuff that is specific to them with your own CA info..

LVL 31

Expert Comment

ID: 22951522
For updating your clients - MS is easiest through GPO, or just double-click and run the wizard (vista/2008 click box to 'show physical stores') and put into the trusted root store.  For your other environments, refer here, again substituting for your CA:
LVL 10

Expert Comment

ID: 22966765
As said above using SelfSSL would be the best option. Check out this detailed tutorial with screenshots

Setting up SSL with a SelfSSL certificate on Windows Server 2003

Featured Post

[Webinar] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

#SSL #TLS #Citrix #HTTPS #PKI #Compliance #Certificate #Encryption #StoreFront #Web Interface #Citrix XenApp
The title says it all. Writing any type of PHP Application or API code that provides high throughput, while under a heavy load, seems to be an arcane art form (Black Magic). This article aims to provide some general guidelines for producing this typ…
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
Is your OST file inaccessible, Need to transfer OST file from one computer to another? Want to convert OST file to PST? If the answer to any of the above question is yes, then look no further. With the help of Stellar OST to PST Converter, you can e…
Suggested Courses

569 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question