Need to create an internal certificate for SSL

Matthew Cioffi
We are looking to create our own certificates that we can use for TEST servers in house. Our application is accessed via web browser and we need to run QA through the application testing in HTTPS as well as HTTP. We want to generate certificates internally so they do not expire. We do not want to purchase certificates because these servers are not exposed to the internet and will never be, so we need to have a method of creating the certificate and then registering the CA on each workstation. I think we can use OpenSSL to do the generation, but how do I ensure that the clients will see the certificate properly, and how would I register the CA on each station? We will have mostly IIS and some Apache on Solaris and Linux.


Use the "selfssl" utility; it is in the "IIS 6.0 Resource Kit Tools", and with it you can create your certificate on your IIS server.

The concrete steps are:

1. Run "Metabase Explorer\MBExplorer.exe" to get your application ID (IIS application); you must search the ID list and find your domain name inside.

2. Run "SelfSSL\selfssl.exe" like:

selfssl /T /N:CN=YOUR_DOMAIN /V:365 /S:YOUR_ID_APP

365 is the number of days the certificate is valid for.

And... that's all.

On the client it is easier.

Open IE and go to your application URL "https://www...."; IE then alerts you, but you can read the certificate, then click on "Install certificate".

And... that's all.

Good luck!

I'm pretty much all MS, so I'd generate the certificates using Windows Certificate Services. I found this website has a pretty easy explanation of how to generate test certificates using the IIS resource kit -

On Windows clients you have to manually add your certificate to the "Trusted Root Certificate Providers" in IE, then it will happily accept it. In IE it's via the "Tools" menu - "Internet Options" - "Content" tab - "Certificates" button. You can then import your certificate file into the relevant store. In IE6 you used to be able to just browse to the site and select "more information" when presented with the certificate warning, then import it from there, but IE7 is a bit more picky - I seem to remember it only lets you do it if the site is in the Trusted zone.
Paranormastic, Cryptographic Engineer
Depends on what your test environment looks like. If you will be wanting to test SSL over time with a number of servers, e.g. web servers, Exchange, etc., as well as user certs such as smartcard logon, digital signing, encryption, etc., then you might want to set up an actual CA - a VM environment is fine for this. To get in the habit of best practices, I would suggest a two-tier CA - don't join the root CA to a domain, and only issue from the 2nd-tier subordinate CA, which may be joined to the test domain if desired (probably want to). This way you could import the root cert into your base images into the trusted root store and be done with it. The problem with self-signed certs is you need to import them into everything every time you want to make a new server or renew the cert. With the root CA, you just need to do it once and you're done, and it mimics what should be in production much better.

If you really wanted to, you could even use the same root CA for production and test, with the sub CA being unique to each environment (one of the many benefits of not joining the root to a domain...).

Using this method, you would create a normal CSR (as you would in production...) and submit it to your CA, issue the cert, then install it. Here are some good links for creating CSRs and installing certs in pretty much any environment; just substitute the stuff that is specific to them with your own CA info.
Paranormastic, Cryptographic Engineer

For updating your clients - MS is easiest through GPO, or just double-click and run the wizard (Vista/2008: tick the box to "show physical stores") and put it into the trusted root store. For your other environments, refer here, again substituting for your CA:
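The two-tier layout described above, built with OpenSSL (the tool the question mentions) instead of Windows Certificate Services, as an added example that is not code from this thread; the output directory, CA names, host name and validity periods are assumptions. Only root.crt needs to go into each workstation's trusted root store; the web server presents server-chain.pem.

```shell
#!/bin/sh
# Constructed example: two-tier test PKI with OpenSSL (root CA -> issuing CA -> server cert).
# Directory, subject names, host name and validity periods are assumptions for illustration.
set -eu

build_test_pki() {
  d=${1:-./testpki}                      # output directory (assumption)
  mkdir -p "$d"

  # 1. Root CA: self-signed and long-lived; keep it offline / off the domain.
  #    This single certificate is what gets imported into the clients' trusted root store.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$d/root.ext"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 -sha256 \
    -extfile "$d/root.ext" -out "$d/root.crt" 2>/dev/null

  # 2. Issuing (subordinate) CA: a CSR signed by the root. pathlen:0 means it may sign
  #    end-entity certificates only, and it is the only tier that issues server certs.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Issuing CA" \
    -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$d/sub.ext"
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 1825 -sha256 -extfile "$d/sub.ext" -out "$d/sub.crt" 2>/dev/null

  # 3. Server certificate: an ordinary CSR, as in production, signed by the issuing CA.
  #    Browsers match the host name against subjectAltName, so it is set explicitly.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=qa.test.internal" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:qa.test.internal\n' > "$d/server.ext"
  openssl x509 -req -in "$d/server.csr" -CA "$d/sub.crt" -CAkey "$d/sub.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null

  # What the web server (IIS/Apache) presents: the leaf followed by the intermediate.
  cat "$d/server.crt" "$d/sub.crt" > "$d/server-chain.pem"
}

# Exit status 0 only if server.crt chains to root.crt through the intermediate,
# i.e. what a client that has only root.crt installed will conclude.
verify_test_pki() {
  d=${1:-./testpki}
  openssl verify -CAfile "$d/root.crt" -untrusted "$d/sub.crt" "$d/server.crt" >/dev/null 2>&1
}
```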

As said above, using SelfSSL would be the best option. Check out this detailed tutorial with screenshots:

Setting up SSL with a SelfSSL certificate on Windows Server 2003
