Adding a self signed certificate to a SharePoint site for more than 1 year

Hello Experts,

I have a SharePoint Services 3.0 site nestled in our internal network. I have currently set up SSL for my site, along with a self-signed 1 year cert, which you can create in IIS7. Here is what I need:

- .psk self-signed cert (or domain CA, although we don't have a CA on our domain) that will NOT expire in 1 year (20-30 years is fine for this use)
- This is internal only, so no need for a root level CA

I am using IIS7, WSS 3.0, and Server 2008 (64-bit). IIS7 seems to only allow a 1 year self-signed certificate setup using their wizard. I tried using makecert.exe, but for some reason, IIS only allows .psk files to be uploaded and used for the sites, not .cer files, and I am having trouble trying to find a way around that.

Full points + A for anyone who can help by providing the correct switches for makecert, or a workaround for my situation without paying for a root level CA license.

Thanks for your time Experts!


The only experience I have had with this is for Exchange.

See my guide Step 1:

Go to ‘Server Manager’ –> ‘Add Roles’ wizard –> Choose ‘Active Directory Certificate Services’ –> Next –> Choose ‘Certification Authority’ only (don’t need the other role services) –> Enterprise –> Next –> Root CA –> Next –> Create a new private key –> Keep all defaults here (2048 length / RSA Sha1 key) –> Keep Common Name as default –> Next –> Valid for 5 years should be fine as this is just for testing, change if you wish –> Next, Finish

So, if you have this role and no certs at the moment, I'd remove it and re-add it, then instead of the recommended 5 years, choose your 20-30 years.


I think makecert is an old tool now. I use SelfSSL (from the IIS6 resource kit). This works with IIS7 and has very simple options.

Example: selfssl /N:cn=MYSERVER /K:1024 /V:3650 /S:1 /P:443

This creates a cert with the common name "MYSERVER" and assigns it to the <default web site> on port 443. The cert will be valid for 3650 days and have a key length of 1024.

Brad Howe, DevOps Manager, Commented:

Give this a read. You do not need a CA installed to do this. :)

makecert -r -pe -n "" -e 01/01/2015 -sky exchange -ss my -sr localMachine

MAKECERT options

Brad Howe, DevOps Manager, Commented:
Ncollings has a good point too.

SELFSSL is a part of the IIS6 resource kit and will do the same thing. NOTE, though, you have to install the “IIS 6 Management Compatibility Role Services” in order to be able to use SelfSSL.exe.

Either way, .NET SDK or IIS6 Resource toolkit or a CA is required.

And his selfssl example is correct. :)

SBFOTT2, Author, Commented:
Great, thank you so much for the comments. I will be performing these tasks this week, and points will be awarded as soon as I can get this going, and will be awarded to the first post that supplied what I asked for.
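
Added example, not part of the thread or written by any of its participants: a PowerShell check to run after either the selfssl or makecert command above, listing what is in the LocalMachine\My store with each certificate's validity period, key size, signature hash, and whether a private key is attached (IIS can only bind a certificate that has one). The 2048-bit threshold in `$MinKeyBits` is an assumption chosen for illustration.

```powershell
# Added example: audit certificates in LocalMachine\My, the store targeted by
# "-ss my -sr localMachine" in the makecert command from the thread.
# $MinKeyBits is an assumed threshold, not a value taken from the thread.
$MinKeyBits = 2048

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # PublicKey.Key throws for key types .NET cannot wrap (for example ECC),
    # so leave the size empty in that case instead of failing the whole run.
    $keyBits = $null
    try { $keyBits = $cert.PublicKey.Key.KeySize } catch { }

    $sigAlg = $cert.SignatureAlgorithm.FriendlyName
    $notes  = @()
    if (-not $cert.HasPrivateKey)               { $notes += 'no private key' }
    if ($keyBits -and $keyBits -lt $MinKeyBits) { $notes += "key under $MinKeyBits bits" }
    if ($sigAlg -match 'sha1|md5')              { $notes += 'weak signature hash' }
    if ($cert.NotAfter -lt (Get-Date))          { $notes += 'expired' }

    New-Object PSObject -Property @{
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        SelfSigned         = ($cert.Subject -eq $cert.Issuer)
        HasPrivateKey      = $cert.HasPrivateKey
        KeyBits            = $keyBits
        SignatureAlgorithm = $sigAlg
        NotAfter           = $cert.NotAfter
        ValidDays          = ($cert.NotAfter - $cert.NotBefore).Days
        Notes              = ($notes -join '; ')
    }
} | Select-Object Subject, Thumbprint, SelfSigned, HasPrivateKey, KeyBits,
                  SignatureAlgorithm, NotAfter, ValidDays, Notes |
    Format-List
```

A certificate created with `/K:1024` as in the selfssl example shows up here with `KeyBits` of 1024 and the "key under 2048 bits" note, which matters more the longer the validity period is.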