Need to create an internal certificate for SSL

We are looking to create our own certificates that we can use for TEST servers in house. Our application is accessed via web browser and we need to run QA through the application testing in HTTPS as well as HTTP. We want to generate certificates internally so they do not expire. We do not want to purchase certificates because these servers are not exposed to the internet and never will be, so we need to have a method of creating the certificate and then registering the CA on each workstation. I think we can use OpenSSL to do the generation, but how do I ensure that the clients will see the certificate properly, and how would I register the CA on each station? We will have mostly IIS and some Apache on Solaris and Linux.

Thanks.
mcioffi209 Asked:

jose_juan Commented:
Easy,

Use the "selfssl" utility; it is in the "IIS 6.0 Resource Kit Tools". You can create your certificate on your IIS server.

The concrete steps are:

1. Run "Metabase Explorer\MBExplorer.exe" to get your application ID (IIS application). You must search the ID list and find your domain name inside.

2. Run "SelfSSL\selfssl.exe" like this:

selfssl /T /N:CN=YOUR_DOMAIN /V:365 /S:YOUR_ID_APP

365 is the number of days available.

and... that's all.

On the client it is even easier.

Open IE and go to your application URL "https://www....". IE will alert you, but you can read the certificate and then click on install certificate.

And... that's all.

Good luck!


0

Keyguard Commented:
I'm pretty much all MS so I'd generate the certificates using Windows Certificate Services. I found this website has a pretty easy explanation of how to generate test certificates using the IIS resource kit - http://www.somacon.com/p42.php

On Windows clients you have to manually add your certificate to the "Trusted Root Certificate Providers" in IE, then it will happily accept it. In IE it's via the "Tools" menu - "Internet Options" - "Content" tab - Certificates button. You can then import your certificate file into the relevant store. In IE6 you used to be able to just browse to the site and select "more information" when presented with the certificate warning, then import it from there, but IE7 is a bit more picky - I seem to remember it only lets you do it if the site is in the Trusted zone.
0
Paranormastic (Cryptographic Engineer) Commented:
Depends on what your test environment looks like. If you will be wanting to test SSL over time with a number of servers, e.g. web servers, Exchange, etc., as well as user certs such as smartcard logon, digital signing, encryption, etc., then you might want to set up an actual CA - a VM environment is fine for this. To get in the habit of best practices, I would suggest a two-tier CA - don't join the root CA to a domain, and only issue from the 2nd-tier subordinate CA, which may be joined to the test domain if desired (probably want to). This way you could import the root cert into the trusted root store of your base images and be done with it. The problem with self-signed certs is you need to import them into everything every time you want to make a new server or renew the cert. With the root CA, you just need to do it once and you're done, and it mimics what should be in production much better.

If you really wanted to, you could even use the same root CA for production and test, with the sub CA being unique to each environment (one of the many benefits of not joining the root to a domain...).

Using this method, you would create a normal CSR (as you would in production...) and submit it to your CA, issue the cert, then install it. Here are some good links for creating CSRs and installing certs in pretty much any environment; just substitute the stuff that is specific to them with your own CA info.

http://www.digicert.com/csr-creation.htm
http://www.digicert.com/ssl-certificate-installation.htm
0
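
The flow described in the answer above (root CA, subordinate issuing CA, a normal CSR, an issued server certificate) can be reproduced with OpenSSL, which the question mentions. This is an added example, not part of the original thread; the host name, CA names, file names and lifetimes are constructed assumptions, and the keys are left unencrypted as is tolerable only on an isolated test CA.

```shell
#!/bin/sh
# Added example: two-tier test PKI with OpenSSL. All names are constructed.
set -eu

# build_test_pki DIR HOST: root CA -> issuing (sub) CA -> server certificate.
build_test_pki() (
  umask 077                       # private keys readable by owner only
  mkdir -p "$1"; cd "$1"; host=$2
  cat > pki.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_sub]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  # 1. Self-signed root: the only certificate clients must import.
  openssl req -x509 -config pki.cnf -extensions v3_root -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -days 3650 -subj "/CN=QA Test Root CA"
  # 2. Issuing CA: CSR signed by the root; pathlen:0 forbids further sub-CAs.
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout sub.key -out sub.csr -subj "/CN=QA Test Issuing CA"
  openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile pki.cnf -extensions v3_sub -days 1825 -out sub.crt
  # 3. Server: normal CSR, issued by the sub CA with a SAN for the host name.
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout server.key -out server.csr -subj "/CN=$host"
  openssl x509 -req -in server.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
    -extfile pki.cnf -extensions v3_server -days 365 -out server.crt
  cat server.crt sub.crt > server-chain.pem   # what the web server presents
)

# verify_server DIR HOST: succeed only if the chain builds to the root
# and the certificate is valid for HOST as a TLS server.
verify_server() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" \
    -purpose sslserver -verify_hostname "$2" "$1/server.crt" 2>/dev/null |
    grep -q ': OK$'
}

work=$(mktemp -d)
build_test_pki "$work" qa-web01.test.example
verify_server "$work" qa-web01.test.example && echo "server cert verifies"
```

Only root.crt goes into each workstation's trusted root store; root.key and sub.key stay on the CA machines.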
Paranormastic (Cryptographic Engineer) Commented:
For updating your clients - MS is easiest through GPO, or just double-click and run the wizard (Vista/2008: click box to 'show physical stores') and put it into the trusted root store. For your other environments, refer here, again substituting for your CA:
http://wiki.cacert.org/wiki/ImportRootCert
http://wiki.cacert.org/wiki/BrowserClients
http://wiki.cacert.org/wiki/EmailCertificates
0
RubalJ Commented:
As said above, using SelfSSL would be the best option. Check out this detailed tutorial with screenshots:

Setting up SSL with a SelfSSL certificate on Windows Server 2003
http://www.visualwin.com/SelfSSL/
0