How can I generate a self-signed wildcard SSL to use on my IIS 6.0 sites using Windows 2003 Certificate Authority.

I've want to set up a self-signed wildcard SSL certificate because I am running multiple sharepoint sites on port 80 (eg:, etc)

As I understand it, I need to:

1)  Install Certificate authority (Add/Remove programs > Windows Components )
2)  Request a certificate
3)  Grant a certificate
4)  Install the certificate

I get step 1, but that's where I'm getting stuck.

How to I request the wild card certificate?   I found this article -,33 but that's for sending a request to an external CA...

Please help me out with step by step instructions.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hi this is exactly what I have got, Here is the how-to I used to get it done.

When I first looked at this I avoided it but when I acutally go through it, it's not too bad, but very easy, 

Good Luck!
ParanormasticCryptographic EngineerCommented:
The Comodo instructions are just fine - in the step where you enter the servername ( instead replace that with *.mydomain.local.  The only real difference between your CA and a commercial CA is that your internal CA isn't already in the root store for everyone - beyond that its just interface stuff.  When you submit using the CA's certsrv page you paste the CSR in like you would any other site.  If necessary, you can export from IIS including private key to use the same wildcard on other sites as well - however keep this exported copy on (2 or more) external physical media (e.g. flash drive), then delete the .pfx from the system and keep it literally locked up - wildcards aren't tied to a specific name, so they are at higher risk for being abused for a rogue server.  

For internal certs there's no difference in licensing for using the same cert on multiple boxes and/or sites like there is for commerical certs so keep reusing the same wildcard - just remember to keep a spreadsheet, database, or something for documentation so when that wildcard expires you know specifically what boxes need to get updated!
check out selfSSL that comes with the IIS6 resource kit:

This tool provides a one-step self-signed cert for IIS6 (and for IIS7 too I beleive)

10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

ParanormasticCryptographic EngineerCommented:
Self signed certs are 1) a pain, 2) less secure, 3) unmanageable (can't revoke them, see #2), 4) pointless if you have your own CA.

If you have your own CA you presumably already have the root cert deployed so you're already good there.  With a self-signed you will need to deploy that as another root cert - if done a few dozen times eventually this will fill up the trusted roots cert store and cause problems for your clients.  Why bother?  Its meant for test environments and its fine for that, but for production use, use a CA issued cert either from your own CA or a commercial CA....
drewberryliciousAuthor Commented:
I'm actually a bit confused by the variety of answers here...

I now don't really know what is the best way to achieve what I'm trying to do.

Let me reiterate what I would like to do:

I am running SharePoint and am making it available to employees via the web.  

I don't want to buy a certificate.

My understanding is that I need to install Certificate Services which will act as an internal CA.

I understand that I can generate a wild card SSL using selfcert.

I would really appreciate clarification about the best way to secure my sites, step by step.

ParanormasticCryptographic EngineerCommented:
I would recommend a CA solution and use a wildcard from that.  If you have greater use for your own CA, then set that up.  If you don't there are free CAs out there such as that you can get managed certs from while keeping costs down.

Whether you go with an internal CA, free public CA, or a self-signed cert - you will need to import that into the trusted root certificate authority store - the CA certs would have the root cert imported, all the issued certs would chain to that trusted root so do not need to be imported.  Self-signed certs if you get in the habit of using those you will end up having to import each one individually.

Its a pain getting the cert imported the first time, but once it is done then you don't need to worry about it again from a CA cert.

There aren't any free CAs out there that will be in the root certificate program for IE, etc. - they need to get webtrust validation which costs a lot of money to get audited (about 200k+) that they just don't have, and they need to be audited annually.  CAcert hopes to be the first, but I just don't see it happening anytime soon that they get the cash they need - that being said, they run a fine program and have great documentation for how to import their certs into many apps - even if you run your own CA, they are a great documentation reference for 'how to import your root cert'.

Self-signed certs should be used for testing only - that's their reason for existence.

There are two concepts relevant to web server certs:

1.  trust - proves to the visitor that your web site is the real web site for that domain (i.e. you have not been redirected to some fake version by some unknown party)

2.  encryption - secures data sent to/from the web site so that it can not be monitored by any third party

>> I am running SharePoint and am making it available to employees via the web.  

many people might argue that you do not need to care about trust because employees know who you are already, but you need to understand that it is about the employee having 'trust' that the web site they are accessing is the REAL web site, and not some other web server put there to fool them into capturing their access credentials.

>> I don't want to buy a certificate.

then you have two choices:
   implement your own CA and issue web server certs to IIS
   create a self signed cert and install in the client trusted store

in both these cases, the client will get a warning that the certificate issuer is unknown, but you can avoid that warning if the cert is 'installed' in the client browser.

>> My understanding is that I need to install Certificate Services which will act as an internal CA.

Not necessarily - you can create a self signed certificate using selfSSL, which does not require a CA.

>> I understand that I can generate a wild card SSL using selfcert.

>> I would really appreciate clarification about the best way to secure my sites, step by step.

You first need to make a decision about trust:  How do you educate the end user to make sure that they do not enter their credentials to a fake web site pretending to be your company intranet.... and do you even care about that?

Once you have made a call on that point, and decide to go with self signed, then the next question will probably be about how many certs you intend to deploy.  If there is only going to be a single web site with a single cert, then I don't care what anyone else says - SelfSSL is the way to go IMO.

If you are going to need many web sites with many certs, then there is a case to install a CA, like MS Certificate server or OpenSSL services.  If you want to distribute client certificates, then you must use a CA.


ParanormasticCryptographic EngineerCommented:
Especially for a wildcard, you want the ability to revoke it.  If the cert's private key got compromised dealing with that scenario is tough on a self-signed cert and relatively easy for a CA managed cert.

To do so in IIS6:
Open properties of the site - directory security tab - click Server Certificate button.
Follow the wizard for a new offline request - there will be a step where you can change the subject name for that enter *  It will save a certificate signing request (CSR) file that you then submit to the CA.

With your own MS CA, browse to http://CASERVERNAME/certsrv and take the first then second option.  Open the CSR file in notepad and copy and paste the entire contents into the big box, if you have a template available then select one for web server, submit and save to file.  

For (or any other CA) - sign up and follow their instructions to process the CSR.  For public CAs there will typically be a validation check to make sure you actually own that site - how complex this is will vary by certificate type and vendor.

Import the signed certificate file back into IIS using the same wizard.  Then run the wizard once more to export including the private key to a .pfx file - this is your backup copy, store it securely.  You can install that same file onto another server that falls within the wildcard boundaries by copying the .pfx file and runnign the wizard to import it.  You should be good to go, if not then restart IIS and try again.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
drewberryliciousAuthor Commented:
Finally got this set up, albeit on IIS 7.0.   Quite a challenge, but got there in the end.  
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft IIS Web Server

From novice to tech pro — start learning today.